On Wed, 14 Nov 2001, Frank Lawlor wrote: > Date: Wed, 14 Nov 2001 12:51:37 -0600 > From: Frank Lawlor <[EMAIL PROTECTED]> > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>, > [EMAIL PROTECTED] > To: "Tomcat (E-mail)" <[EMAIL PROTECTED]> > Subject: Xerces Parser Security and Path Problems > > I encountered a couple of problems trying to use > xerces and security in my application. > > BUG 1: > > I have xerces.jar in myapp/WEB-INF/lib. This works > fine until I turn on security (-security switch) which > uses conf/catalina.policy. > > I added a permission for my application to do anything: > grant codeBase "file:${catalina.home}/webapps/myapp/-" { > permission java.security.AllPermission; > }; > > This works fine except when I invoke xerces: > XMLReader xr = XMLReaderFactory.createXMLReader(); > ... > xr.parse(my_xml_file); > > I get an access violation on the file (which is in myapp). > > If I move xerces.jar to common/lib this error goes away. > > There seems to be a problem related to security when loading > jars from WEB-INF/lib. This was reported earlier by Sergey V. Udaltsov > in the post titled "policy for classes in WEB-INF/lib/my.jar". >
It's not clear to me that this is a bug. The exception goes away because the default catalina.policy grants all permissions to code loaded from the common/lib directory. If you want an individual webapp to access files, you need to grant specific file permissions to it -- see the examples at the bottom of "conf/catalina.policy" for hints on how to do this. Note that this would be required even if you wanted to use file I/O directly in your servlet (as opposed to indirectly via the parser) -- the default policy file completely disables file access for classes loaded from /WEB-INF/classes or /WEB-INF/lib of your webapp. > BUG 2: > > FURTHER, moving xerces.jar to common/lib seems to introduce > its own problem related to the handling of DTDs. A couple of my > xml files have DTD specs like: > <!DOCTYPE links SYSTEM "../Links.dtd"> > > I found that the parser computes the path relative to the startup > directory of catalina, rather than relative to the location of the > xml file. It does not do this when it is in WEB-INF/lib. This is > clearly unusable since the web app author has no idea where > the startup dir will be and no way to get the DTDs there. > How relative URLs are interpreted is up to the parser, not to Tomcat. My understanding is that they were supposed to be relative to the URL of the document itself -- but you'd have to ask the Xerces folks what they are asuming. One thing I generally do is to implement an EntityResolver so that I can redirect these kinds of things in an application-specific way. > > Am I missing something here on how this is supposed to > operate or are these legitimate bugs? > > Frank Lawlor > Athens Group, Inc. > (512) 345-0600 x151 > Athens Group, an employee-owned consulting firm integrating technology > strategy and software solutions. > Craig -- To unsubscribe: <mailto:[EMAIL PROTECTED]> For additional commands: <mailto:[EMAIL PROTECTED]> Troubles with the list: <mailto:[EMAIL PROTECTED]>