We are using Microsoft's jview for our front end GUI and Sun's JRE 1.3 for our backend (server). We have an auditing factory class that is used both in our front end and backend. It is compiled under Sun's 1.3 compiler. This auditing class uses the new xercesImpl parser to create a dom and read configuration information. Now, the GUI ran fine on my machine and my co-workers. However, when we deployed for integration testing, it failed. The test integration machine has military secure software (COE) also on it. What is happening, is that the integration test machine running jview is loading the class java.security.AccessController from the class path set by the military software. So, when the following classes javax.xml.parsers.SecuritySupport and org.apache.xerces.util.SecuritySupport execute the following code, they try to run the SecuritySupport12 class because it finds the class java.security.AccessController.
static {
SecuritySupport ss = null;
try {
Class c = Class.forName("java.security.AccessController");
// if that worked, we're on 1.2.
/*
// don't reference the class explicitly so it doesn't
// get dragged in accidentally.
c = Class.forName("javax.mail.SecuritySupport12");
Constructor cons = c.getConstructor(new Class[] { });
ss = (SecuritySupport)cons.newInstance(new Object[] { });
*/
/*
* Unfortunately, we can't load the class using reflection
* because the class is package private. And the class has
* to be package private so the APIs aren't exposed to other
* code that could use them to circumvent security. Thus,
* we accept the risk that the direct reference might fail
* on some JDK 1.1 JVMs, even though we would never execute
* this code in such a case. Sigh...
*/
ss = new SecuritySupport12();
} catch (Exception ex) {
// ignore it
} finally {
if (ss == null)
ss = new SecuritySupport();
securitySupport = ss;
}
}
I would like to change this code to get the java.version system property and check for 1.1 (or 1.0) in java.version string. If found, then the SecuritySupport class would be the instantiated, otherwise the SecuritySupport12 class would be instantiated. Is there a reason why this wouldn't work? Why is the above way used? Also, how do I get written permission to change this for our implementation?
Thank you,
Annette Doyle
