Xerces Parser Security and Path Problems

2001-11-14 Thread Frank Lawlor

I encountered a couple of problems trying to use
xerces and security in my application.

BUG 1:

I have xerces.jar in myapp/WEB-INF/lib.  This works
fine until I turn on security (-security switch) which
uses conf/catalina.policy.

I added a permission for my application to do anything:
   grant codeBase "file:${catalina.home}/webapps/myapp/-" {
       permission java.security.AllPermission;
   };

This works fine except when I invoke xerces:
   XMLReader xr = XMLReaderFactory.createXMLReader();
   ...
   xr.parse(my_xml_file);

I get an access violation on the file (which is in myapp).

If I move xerces.jar to common/lib this error goes away.

There seems to be a problem related to security when loading
jars from WEB-INF/lib.  This was reported earlier by Sergey V. Udaltsov
in the post titled "policy for classes in WEB-INF/lib/my.jar".

BUG 2:

FURTHER, moving xerces.jar to common/lib seems to introduce 
its own problem related to the handling of DTDs.  A couple of my
xml files have DTD specs like:
   <!DOCTYPE links SYSTEM "../Links.dtd">

I found that the parser computes the path relative to the startup
directory of catalina, rather than relative to the location of the
xml file.  It does not do this when it is in WEB-INF/lib.  This is 
clearly unusable since the web app author has no idea where
the startup dir will be and no way to get the DTDs there.


Am I missing something here on how this is supposed to
operate or are these legitimate bugs?

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology
strategy and software solutions.




--
To unsubscribe:   mailto:[EMAIL PROTECTED]
For additional commands: mailto:[EMAIL PROTECTED]
Troubles with the list: mailto:[EMAIL PROTECTED]




Re: Xerces Parser Security and Path Problems

2001-11-14 Thread Craig R. McClanahan

On Wed, 14 Nov 2001, Frank Lawlor wrote:

> Date: Wed, 14 Nov 2001 12:51:37 -0600
> From: Frank Lawlor [EMAIL PROTECTED]
> Reply-To: Tomcat Users List [EMAIL PROTECTED],
>  [EMAIL PROTECTED]
> To: Tomcat (E-mail) [EMAIL PROTECTED]
> Subject: Xerces Parser Security and Path Problems
>
> I encountered a couple of problems trying to use
> xerces and security in my application.
>
> BUG 1:
>
> I have xerces.jar in myapp/WEB-INF/lib.  This works
> fine until I turn on security (-security switch) which
> uses conf/catalina.policy.
>
> I added a permission for my application to do anything:
>    grant codeBase "file:${catalina.home}/webapps/myapp/-" {
>        permission java.security.AllPermission;
>    };
>
> This works fine except when I invoke xerces:
>    XMLReader xr = XMLReaderFactory.createXMLReader();
>    ...
>    xr.parse(my_xml_file);
>
> I get an access violation on the file (which is in myapp).
>
> If I move xerces.jar to common/lib this error goes away.
>
> There seems to be a problem related to security when loading
> jars from WEB-INF/lib.  This was reported earlier by Sergey V. Udaltsov
> in the post titled "policy for classes in WEB-INF/lib/my.jar".


It's not clear to me that this is a bug.

The exception goes away because the default catalina.policy grants all
permissions to code loaded from the common/lib directory.  If you want an
individual webapp to access files, you need to grant specific file
permissions to it -- see the examples at the bottom of
conf/catalina.policy for hints on how to do this.

Note that this would be required even if you wanted to use file I/O
directly in your servlet (as opposed to indirectly via the parser) -- the
default policy file completely disables file access for classes loaded
from /WEB-INF/classes or /WEB-INF/lib of your webapp.

> BUG 2:
>
> FURTHER, moving xerces.jar to common/lib seems to introduce
> its own problem related to the handling of DTDs.  A couple of my
> xml files have DTD specs like:
>    <!DOCTYPE links SYSTEM "../Links.dtd">
>
> I found that the parser computes the path relative to the startup
> directory of catalina, rather than relative to the location of the
> xml file.  It does not do this when it is in WEB-INF/lib.  This is
> clearly unusable since the web app author has no idea where
> the startup dir will be and no way to get the DTDs there.


How relative URLs are interpreted is up to the parser, not to Tomcat.  My
understanding is that they were supposed to be relative to the URL of the
document itself -- but you'd have to ask the Xerces folks what they are
assuming.

One thing I generally do is to implement an EntityResolver so that I can
redirect these kinds of things in an application-specific way.


> Am I missing something here on how this is supposed to
> operate or are these legitimate bugs?
>
> Frank Lawlor
> Athens Group, Inc.
> (512) 345-0600 x151
> Athens Group, an employee-owned consulting firm integrating technology
> strategy and software solutions.


Craig
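
The EntityResolver approach suggested in the reply above, as an added example that is not part of the original message or of Tomcat or Xerces. The class name, the DTD directory and the allowlist of DTD file names are assumptions; under a security manager the webapp still needs read permission on that directory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/**
 * Added example: serves DTDs only from one application-owned directory.
 * Install with xr.setEntityResolver(new AppDtdResolver(dir, Set.of("Links.dtd")));
 */
public final class AppDtdResolver implements EntityResolver {
    private final Path dtdDir;          // assumption: e.g. <webapp>/WEB-INF/dtd
    private final Set<String> allowed;  // assumption: DTD file names the app ships

    public AppDtdResolver(Path dtdDir, Set<String> allowed) {
        this.dtdDir = dtdDir.toAbsolutePath().normalize();
        this.allowed = Set.copyOf(allowed);
    }

    @Override
    public InputSource resolveEntity(String publicId, String systemId)
            throws SAXException, IOException {
        if (systemId == null) {
            throw new SAXException("external entity without a system id");
        }
        // The parser may already have resolved systemId against the wrong base
        // (the JVM start-up directory), so only the last path segment is used.
        String name = systemId.substring(systemId.lastIndexOf('/') + 1);
        Path candidate = dtdDir.resolve(name).normalize();
        if (!allowed.contains(name) || !candidate.startsWith(dtdDir)
                || !Files.isRegularFile(candidate)) {
            // Throwing, rather than returning null, keeps the parser from
            // falling back to opening the original system id on its own.
            throw new SAXException("refused external entity: " + systemId);
        }
        InputSource src = new InputSource(Files.newInputStream(candidate));
        src.setSystemId(candidate.toUri().toString());
        src.setPublicId(publicId);
        return src;
    }
}
```

Because every external identifier is mapped into one fixed directory, DTD lookup no longer depends on where Catalina was started, and a document cannot make the parser read files outside that directory.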






FW: Xerces Parser Security and Path Problems

2001-11-14 Thread Frank Lawlor


> > There seems to be a problem related to security when loading
> > jars from WEB-INF/lib.  This was reported earlier by Sergey V. Udaltsov
> > in the post titled "policy for classes in WEB-INF/lib/my.jar".
>
> It's not clear to me that this is a bug.
>
> The exception goes away because the default catalina.policy grants all
> permissions to code loaded from the common/lib directory.  If you want an
> individual webapp to access files, you need to grant specific file
> permissions to it -- see the examples at the bottom of
> conf/catalina.policy for hints on how to do this.
>
> Note that this would be required even if you wanted to use file I/O
> directly in your servlet (as opposed to indirectly via the parser) -- the
> default policy file completely disables file access for classes loaded
> from /WEB-INF/classes or /WEB-INF/lib of your webapp.


I don't think this is correct.
As I indicated, I granted my application All Permissions.
It does do a lot of file access (including to the file
to be parsed).  Without the permissions it gets access
errors, so it seems to be working.  If I open the target
file for the parser, it can access it:
  xr.parse(new InputSource(new java.io.FileReader(my_xml_file)));

I did try specific file permissions granted to the app
and to the xerces.jar and that didn't help.  Is there
some special way that the file permission needs to
be granted?  (BTW there are no examples of FILE permissions
in my version of catalina.policy.)

This seems like a fairly basic problem that should be
easy to verify.

Here is the actual error info:
java.security.AccessControlException: access denied (java.io.FilePermission D:\jakarta-tomcat-4.0-rc2\webapps\AGCW\agcw.xml read)
  at org.apache.xerces.framework.XMLParser.parse(XMLParser.java:1094)
  at org.apache.xerces.framework.XMLParser.parse(XMLParser.java:1122)
  at com.athensgroup.shared.sax.Agcw_Walker.processConfiguration(Agcw_Walker.java:52)

Thanks,

  -- Frank
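
A diagnostic for the question raised in this message, as an added example that is not part of the original post. A file open under the security manager succeeds only if every protection domain on the call stack holds the FilePermission, so the probe reports, for each class involved, the code source a grant codeBase entry is matched against and whether that domain is granted the read. The class name PolicyProbe is an assumption, and the JVM is assumed to run with a security manager, as with the -security switch in the thread.

```java
import java.io.File;
import java.io.FilePermission;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.List;

/** Added example: reports which classes' protection domains lack read access to a file. */
public final class PolicyProbe {

    /** One line per class: where it was loaded from and whether the read is granted. */
    public static List<String> report(File target, Class<?>... onCallPath) {
        // The same permission the AccessControlException names: FilePermission <path> read.
        FilePermission need = new FilePermission(target.getAbsolutePath(), "read");
        List<String> lines = new ArrayList<>();
        for (Class<?> c : onCallPath) {
            // Needs RuntimePermission "getProtectionDomain" when a security manager is active.
            ProtectionDomain pd = c.getProtectionDomain();
            CodeSource cs = pd.getCodeSource();
            // This location is what the policy file's codeBase URL must match.
            String loc = (cs == null || cs.getLocation() == null)
                    ? "<no code source>" : cs.getLocation().toString();
            // ProtectionDomain.implies is the per-domain test the access check applies:
            // static permissions first, then the installed policy.
            boolean granted = pd.implies(need);
            lines.add(c.getName() + " from " + loc + " -> read "
                    + (granted ? "granted" : "DENIED"));
        }
        return lines;
    }
}
```

Calling `PolicyProbe.report(new File(my_xml_file), getClass(), xr.getClass())` from the servlet and logging the result shows whether the parser class and the application class fall under the same grant.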

