Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-7109589

Signed Applet throws AccessControlException when doing XSLT w/ external document

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P4
    • Resolution: Not an Issue
    • Affects Version/s: 7
    • Fix Version/s: None
    • Component/s: xml
    • Labels:

      Description

      FULL PRODUCT VERSION :
      java version "1.7.0_01"
      Java(TM) SE Runtime Environment (build 1.7.0_01-b08)
      Java HotSpot(TM) Server VM (build 21.1-b02, mixed mode)

      java version "1.6.0_26"
      Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
      Java HotSpot(TM) Server VM (build 20.1-b02, mixed mode)

      java version "1.5.0_22"
      Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_22-b03)
      Java HotSpot(TM) Server VM (build 1.5.0_22-b03, mixed mode)



      ADDITIONAL OS VERSION INFORMATION :
      - Microsoft Windows XP [Version 5.1.2600]
      - Linux my-laptop 2.6.32-34-generic #77-Ubuntu SMP Tue Sep 13 19:40:53 UTC 2011 i686 GNU/Linux
      - Linux mypc 2.6.20-1.21 #1 SMP PREEMPT Wed Feb 13 16:55:43 CST 2008 x86_64 x86_64 x86_64 GNU/Linux

      It is reproducible on various Linux and Win operating systems.

      EXTRA RELEVANT SYSTEM CONFIGURATION :
      On Win XP tested with IE 8 and Google Chrome 15.0.
      On Linux 1 (Ubuntu) tested with Firefox 3.6.23 and 15.0.
      On Linux 2 (Red Hat) tested with Mozilla 1.7.13.

      A DESCRIPTION OF THE PROBLEM :
      I have a signed applet that performs XSL transformation. The input XML (in.xml) and XSL (in.xsl) files are read from the local file system and the output of the transformation (out.xml) is also written there.

      When my XSL file contains a reference to an external XML document:
      <xsl:variable name="extXML" select="document('/tmp/A.XML')"/>
      <xsl:value-of select="$extXML/Child"/>
      the transformation fails:

      com.sun.org.apache.xalan.internal.xsltc.TransletException: java.security.AccessControlException: access denied (java.io.FilePermission /tmp/A.XML read)
      at com.sun.org.apache.xalan.internal.xsltc.dom.LoadDocument.documentF(Unknown Source)
      at in.topLevel()
      at in.transform()
      at com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet.transform(Unknown Source)
      at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(Unknown Source)
      at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(Unknown Source)
      at myxsltapplet.MyXSLTApplet$5.run(MyXSLTApplet.java:173)
      at java.security.AccessController.doPrivileged(Native Method)
      at myxsltapplet.MyXSLTApplet.xsltTransform(MyXSLTApplet.java:162)

      If I don't use/reference external XML document in my XSL the transformation is correctly done.

      I have also tried to use a custom URIResolver implementation but I also get java.security.AccessControlException in the resolve(String href, String base) method.


      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1. Write a simple XSL that uses external XML document like:
      <xsl:variable name="extXML" select="document('/tmp/A.XML')"/>
      <xsl:value-of select="$extXML/Child"/>
      2. Create an applet that performs XSL transformation based on the previously created XLS and a simple XML.
      3. Create a JAR file from this applet and sign it with jarsigner.
      4. Create an start-up HTML file that contains this applet with the appropriate <OBJECT ...> and <EMBED ...> tags to run in a web browser.
      5. Open this HTML in a browser, accept the Security warning of the signed applet.
      6. Run the XSL transformation.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Successful XSL transformation using external XML document in the XSL.
      ACTUAL -
      java.security.AccessControlException: access denied (java.io.FilePermission /tmp/A.XML read)
      for the external XML document referenced in the XSL.

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      Java Plug-in output with
      deployment.trace=true
      deployment.trace.level=all
      ----------------------------------------------------

      security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.
      security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.javaws
      security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.javaws
      security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.javaws,com.sun.deploy
      security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.javaws,com.sun.deploy
      security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
      security: property package.definition value null
      security: property package.definition new value com.sun.javaws
      security: property package.definition value com.sun.javaws
      security: property package.definition new value com.sun.javaws,com.sun.deploy
      security: property package.definition value com.sun.javaws,com.sun.deploy
      security: property package.definition new value com.sun.javaws,com.sun.deploy,com.sun.jnlp
      security: property package.access value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.javaws,com.sun.deploy,com.sun.jnlp
      security: property package.access new value sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,com.sun.javaws,com.sun.deploy,com.sun.jnlp,org.mozilla.jss
      security: property package.definition value com.sun.javaws,com.sun.deploy,com.sun.jnlp
      security: property package.definition new value com.sun.javaws,com.sun.deploy,com.sun.jnlp,org.mozilla.jss
      basic: Added progress listener: sun.plugin.util.GrayBoxPainter$GrayBoxProgressListener@8046f4
      basic: Plugin2ClassLoader.addURL parent called for file:/home/testuser/MyXSLTApplet/JARS/myxsltapplet.jar
      network: Cache entry not found [url: file:/home/testuser/MyXSLTApplet/JARS/myxsltapplet.jar, version: null]
      security: Accessing keys and certificate in Mozilla user profile: null
      security: Loading Root CA certificates from /usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/security/cacerts
      security: Loaded Root CA certificates from /usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/security/cacerts
      security: Loading Deployment certificates from /home/testuser/.java/deployment/security/trusted.certs
      security: Loaded Deployment certificates from /home/testuser/.java/deployment/security/trusted.certs
      security: Loading certificates from Deployment session certificate store
      security: Loaded certificates from Deployment session certificate store
      security: Validate the certificate chain using CertPath API
      security: Obtain certificate collection in Root CA certificate store
      security: Obtain certificate collection in Root CA certificate store
      security: Start to check whether root CA is replaced
      security: The root CA hasnt been replaced
      security: No timestamping info available
      security: Found jurisdiction list file
      security: No need to checking trusted extension for this certificate
      security: The CRL support is disabled
      security: The OCSP support is disabled
      security: This OCSP End Entity validation is disabled
      security: Checking if certificate is in Deployment denied certificate store
      security: Checking if certificate is in Deployment permanent certificate store
      security: Checking if certificate is in Deployment session certificate store
      security: User has granted the priviledges to the code for this session only
      security: Adding certificate in Deployment session certificate store
      security: Added certificate in Deployment session certificate store
      security: Saving certificates in Deployment session certificate store
      security: Saved certificates in Deployment session certificate store
      network: Cache entry not found [url: file:/home/testuser/MyXSLTApplet/JARS/myxsltapplet.jar, version: null]
      security: Loading certificates from Deployment session certificate store
      security: Loaded certificates from Deployment session certificate store
      security: Validate the certificate chain using CertPath API
      security: Obtain certificate collection in Root CA certificate store
      security: Obtain certificate collection in Root CA certificate store
      security: Start to check whether root CA is replaced
      security: The root CA hasnt been replaced
      security: No timestamping info available
      security: Found jurisdiction list file
      security: No need to checking trusted extension for this certificate
      security: The CRL support is disabled
      security: The OCSP support is disabled
      security: This OCSP End Entity validation is disabled
      security: Checking if certificate is in Deployment denied certificate store
      security: Checking if certificate is in Deployment permanent certificate store
      security: Checking if certificate is in Deployment session certificate store
      basic: Plugin2ClassLoader.getPermissions CeilingPolicy allPerms
      security: Loading certificates from Deployment session certificate store
      security: Loaded certificates from Deployment session certificate store
      security: Validate the certificate chain using CertPath API
      security: Obtain certificate collection in Root CA certificate store
      security: Obtain certificate collection in Root CA certificate store
      security: Start to check whether root CA is replaced
      security: The root CA hasnt been replaced
      security: No timestamping info available
      security: Found jurisdiction list file
      security: No need to checking trusted extension for this certificate
      security: The CRL support is disabled
      security: The OCSP support is disabled
      security: This OCSP End Entity validation is disabled
      security: Checking if certificate is in Deployment denied certificate store
      security: Checking if certificate is in Deployment permanent certificate store
      security: Checking if certificate is in Deployment session certificate store
      basic: Applet loaded.
      basic: Applet resized and added to parent container
      basic: PERF: AppletExecutionRunnable - applet.init() BEGIN ; jvmLaunch dt 135817 us, pluginInit dt 2342483 us, TotalTime: 2478300 us

      rootPath: /home/testuser/MyXSLTApplet
      codeBase: file:/home/testuser/MyXSLTApplet/JARS/
      documentBase: file:/home/testuser/MyXSLTApplet/MyApplet.htm
      xml: /home/testuser/MyXSLTApplet/in.xml, exists: true
      xsl: /home/testuser/MyXSLTApplet/in.xsl, exists: true
      out: /home/testuser/MyXSLTApplet/out.xml, exists: false
      SecurityManager: sun.plugin2.applet.Applet2SecurityManager@1a0b53e
      getSecurityContext(): java.security.AccessControlContext@132021a
      init() - AccessControlContext.checkPermission('java.io.FilePermission', '/tmp/A.XML', 'read') DONE.

      basic: Applet initialized
      basic: Removed progress listener: sun.plugin.util.GrayBoxPainter$GrayBoxProgressListener@8046f4
      basic: Applet made visible
      basic: Starting applet
      basic: completed perf rollup
      basic: Applet started
      basic: Told clients applet is started
      network: Cache entry not found [url: file:/home/testuser/MyXSLTApplet/JARS/, version: null]

      > MyURIResolver.resolve(), href: /tmp/A.XML, base: file:/home/testuser/MyXSLTApplet/in.xsl
      Creating File object: '/tmp/A.XML
      ERROR: 'java.security.AccessControlException: access denied (java.io.FilePermission /tmp/A.XML read)'
      javax.xml.transform.TransformerException: com.sun.org.apache.xalan.internal.xsltc.TransletException: java.security.AccessControlException: access denied (java.io.FilePermission /tmp/A.XML read)
      at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:713)
      at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:313)
      at myxsltapplet.MyXSLTApplet.xsltTransform(MyXSLTApplet.java:66)
      at myxsltapplet.MyXSLTApplet.access$000(MyXSLTApplet.java:17)
      at myxsltapplet.MyXSLTApplet$1.actionPerformed(MyXSLTApplet.java:48)
      at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1995)
      at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2318)
      at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:387)
      at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:242)
      at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:236)
      at java.awt.Component.processMouseEvent(Component.java:6288)
      at javax.swing.JComponent.processMouseEvent(JComponent.java:3267)
      at java.awt.Component.processEvent(Component.java:6053)
      at java.awt.Container.processEvent(Container.java:2041)
      at java.awt.Component.dispatchEventImpl(Component.java:4651)
      at java.awt.Container.dispatchEventImpl(Container.java:2099)
      at java.awt.Component.dispatchEvent(Component.java:4481)
      at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4577)
      at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4238)
      at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4168)
      at java.awt.Container.dispatchEventImpl(Container.java:2085)
      at java.awt.Component.dispatchEvent(Component.java:4481)
      at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:643)
      at java.awt.EventQueue.access$000(EventQueue.java:84)
      at java.awt.EventQueue$1.run(EventQueue.java:602)
      at java.awt.EventQueue$1.run(EventQueue.java:600)
      at java.security.AccessController.doPrivileged(Native Method)
      at java.security.AccessControlContext$1.doIntersectionPrivilege(AccessControlContext.java:87)
      at java.security.AccessControlContext$1.doIntersectionPrivilege(AccessControlContext.java:98)
      at java.awt.EventQueue$2.run(EventQueue.java:616)
      at java.awt.EventQueue$2.run(EventQueue.java:614)
      at java.security.AccessController.doPrivileged(Native Method)
      at java.security.AccessControlContext$1.doIntersectionPrivilege(AccessControlContext.java:87)
      at java.awt.EventQueue.dispatchEvent(EventQueue.java:613)
      at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:269)
      at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:184)
      at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:174)
      at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:169)
      at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:161)
      at java.awt.EventDispatchThread.run(EventDispatchThread.java:122)
      Caused by: com.sun.org.apache.xalan.internal.xsltc.TransletException: java.security.AccessControlException: access denied (java.io.FilePermission /tmp/A.XML read)
      at com.sun.org.apache.xalan.internal.xsltc.dom.LoadDocument.documentF(LoadDocument.java:142)
      at in.topLevel()
      at in.transform()
      at com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet.transform(AbstractTranslet.java:603)
      at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:709)
      ... 39 more
      --------
      com.sun.org.apache.xalan.internal.xsltc.TransletException: java.security.AccessControlException: access denied (java.io.FilePermission /tmp/A.XML read)
      at com.sun.org.apache.xalan.internal.xsltc.dom.LoadDocument.documentF(LoadDocument.java:142)
      at in.topLevel()
      at in.transform()
      at com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet.transform(AbstractTranslet.java:603)
      at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:709)
      at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:313)
      at myxsltapplet.MyXSLTApplet.xsltTransform(MyXSLTApplet.java:66)
      at myxsltapplet.MyXSLTApplet.access$000(MyXSLTApplet.java:17)
      at myxsltapplet.MyXSLTApplet$1.actionPerformed(MyXSLTApplet.java:48)
      at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1995)
      at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2318)
      at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:387)
      at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:242)
      at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:236)
      at java.awt.Component.processMouseEvent(Component.java:6288)
      at javax.swing.JComponent.processMouseEvent(JComponent.java:3267)
      at java.awt.Component.processEvent(Component.java:6053)
      at java.awt.Container.processEvent(Container.java:2041)
      at java.awt.Component.dispatchEventImpl(Component.java:4651)
      at java.awt.Container.dispatchEventImpl(Container.java:2099)
      at java.awt.Component.dispatchEvent(Component.java:4481)
      at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4577)
      at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4238)



      ( This report has more than 16,000 characters and has been truncated. )

        Attachments

          Activity

            People

            • Assignee:
              joehw Joe Wang
              Reporter:
              webbuggrp Webbug Group
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Imported:
                Indexed: