I'm working on a final fix for DERBY-6807 for SqlXmlUtils, but I'd prefer to make that change conditional, based on whether there is a SecurityManager policy in place for the engine.
The reason for that is that if there is a SecurityManager in place, SqlXmlUtils is already fully secure, because it delegates the access decisions properly to the SecurityManager policy. But if there is NOT a SecurityManager policy in effect, then it would be more secure for SqlXmlUtils to disable certain XML features. Is there example code that somebody can point me at which SqlXmlUtils could use to detect whether or not a SecurityManager policy is in effect? thanks, bryan
