[ 
https://issues.apache.org/jira/browse/XALANJ-2489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12689503#action_12689503
 ] 

Bradley Wagner commented on XALANJ-2489:
----------------------------------------

I'm wondering if it's possible to simply turn off specific extension types such 
as Java Extensions. I would, for example, like to keep JavaScript Extensions 
but totally turn off Java extensions.

Also, would love to see how you patched Xalan to use a custom SecurityManager 
if this is something you got working.

> Limit the classes available as extensions
> -----------------------------------------
>
>                 Key: XALANJ-2489
>                 URL: https://issues.apache.org/jira/browse/XALANJ-2489
>             Project: XalanJ2
>          Issue Type: Improvement
>      Security Level: No security risk; visible to anyone (Ordinary problems in 
> Xalan projects. Anybody can view the issue.)
>          Components: Xalan-extensions
>         Environment: xalan-java
>            Reporter: Johan Zxcer
>            Priority: Minor
>
> It would be very useful to be able to limit the set of java classes that are 
> available to Xalan for extension functions.  This is important when using 
> Xalan within a larger application with non-secure style-sheet definitions, as 
> a malevolent user could create a style-sheet to access any class within the 
> larger application.  Currently the only ways to use Xalan securely within a 
> larger application are to entirely turn extension functions off, or to 
> sequester Xalan to a separate process/thread with a tightened security policy.
> It appears the best way to do this would be to use the Java Security 
> Framework, as it is already used to determine what classes can be accessed; 
> it is simply not exposed in the API.  Allowing either the SecurityManager or 
> ClassLoader to be specified for a Transformer (or factory), to be used in 
> place of the global ones, would probably be the best solution.
> Mailing-list thread:
> http://marc.info/?l=xalan-j-users&m=123595553514572&w=2
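The one mitigation the issue already names, "entirely turn extension functions off", can be checked with the JAXP secure-processing feature. The following is an added example, not code from the issue or from the Xalan project; it assumes the standalone Xalan-J jar (`org.apache.xalan.processor.TransformerFactoryImpl`) is on the classpath, and the probe stylesheet and its `java.lang.Math.abs` call are constructed for the test.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.TransformerException;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XalanExtensionCheck {

    // Constructed probe stylesheet: calls a harmless JDK method through Xalan's
    // Java extension namespace. Any class on the classpath is reachable the same way,
    // which is the exposure the issue describes for untrusted stylesheets.
    static final String PROBE_XSL =
        "<xsl:stylesheet version='1.0'"
      + " xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
      + " xmlns:java='http://xml.apache.org/xalan/java'>"
      + " <xsl:output method='text'/>"
      + " <xsl:template match='/'>"
      + "  <xsl:value-of select='java:java.lang.Math.abs(-42)'/>"
      + " </xsl:template>"
      + "</xsl:stylesheet>";

    static final String INPUT_XML = "<doc/>";

    /** Runs the probe stylesheet; returns its output, or null if Xalan refused it. */
    static String transform(boolean secure) throws Exception {
        // Assumption: standalone Xalan-J on the classpath (not the JDK-internal copy).
        TransformerFactory factory = TransformerFactory.newInstance(
            "org.apache.xalan.processor.TransformerFactoryImpl", null);
        if (secure) {
            // Secure processing disables Java and JavaScript extension calls,
            // i.e. the "turn extension functions off" option from the issue.
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        }
        StringWriter out = new StringWriter();
        try {
            Transformer t = factory.newTransformer(
                new StreamSource(new StringReader(PROBE_XSL)));
            t.transform(new StreamSource(new StringReader(INPUT_XML)),
                        new StreamResult(out));
        } catch (TransformerException e) {
            return null;  // extension function rejected by the processor
        }
        return out.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory:  " + transform(false));
        System.out.println("secure factory:   " + transform(true));
    }
}
```

A non-null result from the default factory and a null from the secure one confirms the application's factory configuration is what actually governs extension access, not the stylesheet author.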
