tomcat-users mailing list archives

From "Frank Lawlor" <frank.law...@athensgroup.com>
Subject Xerces Parser Security and Path Problems
Date Wed, 14 Nov 2001 18:51:37 GMT
I encountered a couple of problems trying to use
xerces and security in my application.

BUG 1:

I have xerces.jar in myapp/WEB-INF/lib.  This works
fine until I turn on security (-security switch) which
uses conf/catalina.policy.

I added a permission for my application to do anything:
   grant codeBase "file:${catalina.home}/webapps/myapp/-" {
        permission java.security.AllPermission;
   };

This works fine except when I invoke xerces:
        XMLReader xr = XMLReaderFactory.createXMLReader();
        ...
        xr.parse(my_xml_file);

I get an access violation on the file (which is in myapp).

If I move xerces.jar to common/lib this error goes away.

There seems to be a problem related to security when loading
jars from WEB-INF/lib.  This was reported earlier by Sergey V. Udaltsov
in the post titled "policy for classes in WEB-INF/lib/my.jar".

BUG 2:

FURTHER, moving xerces.jar to common/lib seems to introduce 
its own problem related to the handling of DTDs.  A couple of my
xml files have DTD specs like:
   <!DOCTYPE links SYSTEM "../Links.dtd">

I found that the parser computes the path relative to the startup
directory of catalina, rather than relative to the location of the
xml file.  It does not do this when it is in WEB-INF/lib.  This is 
clearly unusable since the web app author has no idea where
the startup dir will be and no way to get the DTDs there.


Am I missing something here on how this is supposed to
operate or are these legitimate bugs?

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology
strategy and software solutions.
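The following is an added example, not code from the post or from Tomcat or Xerces, showing the two things the message touches on: how to make a relative DTD reference such as "../Links.dtd" resolve against the XML file's own location rather than the JVM's working directory, and how to keep a SAX parser's file reads confined to the webapp under a security manager. It assumes a modern JDK (generics, java.net.URI), a hypothetical class WebappXmlLoader with a root directory that the webapp chooses (for instance its own deployment directory), and the standard SAX and java.security APIs. Nothing here is the cause of, or the project's fix for, the two bugs the post reports.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URI;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;
import org.xml.sax.helpers.XMLReaderFactory;

/**
 * Parses an XML file with SAX so that a relative DTD reference such as
 * <!DOCTYPE links SYSTEM "../Links.dtd"> is resolved against the XML file
 * itself, and refuses any DTD or external entity that is not a file under a
 * fixed root directory. Class and method names are this example's own.
 */
public class WebappXmlLoader {

    private final File root;   // every resolved entity must live under here (assumed: the webapp's root)
    private URI base;          // URI of the document currently being parsed

    public WebappXmlLoader(File root) throws IOException {
        this.root = root.getCanonicalFile();
    }

    public void parse(File xmlFile, DefaultHandler handler) throws IOException, SAXException {
        XMLReader xr = XMLReaderFactory.createXMLReader();
        xr.setContentHandler(handler);
        xr.setErrorHandler(handler);
        xr.setEntityResolver(new ConfinedResolver());
        // Keep external general entities (the XXE vector) out; the DTD itself
        // still goes through the resolver below. SAXNotRecognized/NotSupported
        // are SAXExceptions, so an unsupported feature fails loudly here.
        xr.setFeature("http://xml.org/sax/features/external-general-entities", false);

        File canonical = xmlFile.getCanonicalFile();
        base = canonical.toURI();
        InputSource in = new InputSource(open(canonical));
        // Setting the system ID is what makes "../Links.dtd" relative to the
        // XML file instead of to the JVM's working directory.
        in.setSystemId(base.toString());
        xr.parse(in);
    }

    /** Resolves DTDs and external entities only to files under root. */
    private class ConfinedResolver implements EntityResolver {
        public InputSource resolveEntity(String publicId, String systemId)
                throws SAXException, IOException {
            if (systemId == null) {
                return null;   // nothing to confine; let the parser use its default
            }
            // Xerces passes an already-expanded system ID; resolving against
            // the document URI again is harmless and covers parsers that do not.
            URI uri = base.resolve(systemId);
            if (!"file".equals(uri.getScheme())) {
                throw new SAXException("refusing non-file entity: " + systemId);
            }
            File target = new File(uri).getCanonicalFile();
            if (!target.getPath().startsWith(root.getPath() + File.separator)) {
                throw new SAXException("entity outside " + root + ": " + target);
            }
            InputSource src = new InputSource(open(target));
            src.setSystemId(target.toURI().toString());
            return src;
        }
    }

    /**
     * Opens the file inside doPrivileged so that, under a security manager,
     * the FilePermission check stops at this class's protection domain (the
     * webapp's grant) instead of also consulting the parser jar's domain,
     * which is higher on the call stack when the resolver runs.
     */
    private static FileInputStream open(final File f) throws IOException {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<FileInputStream>() {
                public FileInputStream run() throws IOException {
                    return new FileInputStream(f);
                }
            });
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException();
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java WebappXmlLoader <webapp-root-dir> <xml-file>
        new WebappXmlLoader(new File(args[0])).parse(new File(args[1]), new DefaultHandler());
        System.out.println("parsed OK");
    }
}
```

With a grant like the one in the post for the webapp's codeBase, the class above is in the webapp's protection domain, so the doPrivileged wrapper is enough for the file read regardless of which directory the parser jar was loaded from; the resolver's root check is what keeps a DOCTYPE from pulling in a DTD from anywhere else on the filesystem or from the network.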

