Limit the classes available as extensions
-----------------------------------------

Key: XALANJ-2489
URL: https://issues.apache.org/jira/browse/XALANJ-2489
Project: XalanJ2
Issue Type: Improvement
Security Level: No security risk; visible to anyone (Ordinary problems in Xalan projects. Anybody can view the issue.)
Components: Xalan-extensions
Environment: xalan-java
Reporter: Johan Zxcer
Priority: Minor

It would be very useful to be able to limit the set of Java classes that are available to Xalan for extension functions. This is important when using Xalan within a larger application with non-secure style-sheet definitions, as a malevolent user could create a style-sheet to access any class within the larger application.

Currently the only ways to use Xalan securely within a larger application are to entirely turn extension functions off, or to sequester Xalan to a separate process/thread with a tightened security policy.

It appears the best way to do this would be to use the Java Security Framework, as it is already used to determine what classes can be accessed; it is simply not exposed in the API. Allowing either the SecurityManager or ClassLoader to be specified for a Transformer (or factory), to be used in place of the global ones, would probably be the best solution.

Mailing-list thread: http://marc.info/?l=xalan-j-users&m=123595553514572&w=2