Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8029438

Ambiguity in handling of XPath/XSLT extension functions between of Oracle's JDK and OpenJDK when Security Manager is present

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P2
    • Resolution: Won't Fix
    • Affects Version/s: OpenJDK6
    • Fix Version/s: None
    • Component/s: xml
    • Labels:

      Description

      According to JAXP 1.4.3 Release Notes [1] and JAXP Compatibility Guide for the
      J2SE 6 Platform [2], the Java SE 6 includes important updates for 'Feature for
      Secure Processing' in JAXP starting from JDK6 Update 18.

      More specifically, [3] states that the extension functions ('XPath and XSLT
      extension functions') are disabled automatically when *Security Manager is
      present* ('-Djava.security.manager').

      However, we're seeing that Oracle's JDK6 Updates after JDK6u18 (e.g. 6u45)
      *don't* throw XPathFunctionException. At the same time the latest OpenJDK6 and
      OpenJDK7 builds and Oracle's JDK 7.0/7u45 do throw it.

      It's also not clear if the external to Java SE 6 specs JAXP docs ([1] and [2]) can be
      considered as authoritative.

      Thereby there is ambiguity between the JAXP compatibility guide, the Java SE 6
      RI, all Oracle JDK 6 implementations (and probably the JAXP specs) and all
      OpenJDK 6 versions for builds 18 and later.

      We believe that such difference in behaviour should be clarified and (possibly) fixed.

      [1] https://jaxp.java.net/1.4/1.4.3/ReleaseNotes.html
      [2] https://jaxp.java.net/1.4/JAXP-Compatibility.html
      [3] https://jaxp.java.net/1.4/JAXP-Compatibility.html#JAXP_security

      Please use the minimized test (attached) to reproduce the difference:

      $ /java/6/binaries/linux-x64/bin/java -Djava.security.manager Test

      $ ./openjdk6/bin/java -version
      openjdk version "1.6.0-internal"
      OpenJDK Runtime Environment (build 1.6.0-internal-ygaevsky_28_nov_2013_19_24-b00)
      OpenJDK 64-Bit Server VM (build 23.25-b01, mixed mode)

      $ /java/6u45/binaries/linux-x64/bin/java -Djava.security.manager Test

      $ ./openjdk6/bin/java -Djava.security.manager Test
      Exception in thread "main" javax.xml.xpath.XPathFunctionException: Extension function: '{test://jaxp/xpath}sqrt' can not be invoked when the XMLConstants.FEATURE_SECURE_PROCESSING feature is set to true.
      at com.sun.org.apache.xpath.internal.jaxp.JAXPExtensionsProvider.extFunction(JAXPExtensionsProvider.java:178)
      at com.sun.org.apache.xpath.internal.functions.FuncExtFunction.execute(FuncExtFunction.java:210)
      at com.sun.org.apache.xpath.internal.XPath.execute(XPath.java:339)
      at com.sun.org.apache.xpath.internal.jaxp.XPathImpl.eval(XPathImpl.java:216)
      at com.sun.org.apache.xpath.internal.jaxp.XPathImpl.evaluate(XPathImpl.java:278)
      at Test.main(Test.java:46)

      $ /java/7/binaries/linux-x64/bin/java -Djava.security.manager Test
      Exception in thread "main" javax.xml.xpath.XPathFunctionException: Extension function: '{test://jaxp/xpath}sqrt' can not be invoked when the XMLConstants.FEATURE_SECURE_PROCESSING feature is set to true.
      at com.sun.org.apache.xpath.internal.jaxp.JAXPExtensionsProvider.extFunction(JAXPExtensionsProvider.java:178)
      at com.sun.org.apache.xpath.internal.functions.FuncExtFunction.execute(FuncExtFunction.java:210)
      at com.sun.org.apache.xpath.internal.XPath.execute(XPath.java:339)
      at com.sun.org.apache.xpath.internal.jaxp.XPathImpl.eval(XPathImpl.java:216)
      at com.sun.org.apache.xpath.internal.jaxp.XPathImpl.evaluate(XPathImpl.java:278)
      at Test.main(Test.java:46)

      $ /java/7u45/binaries/linux-x64/bin/java -Djava.security.manager Test
      Exception in thread "main" javax.xml.xpath.XPathFunctionException: Extension function: '{test://jaxp/xpath}sqrt' can not be invoked when the XMLConstants.FEATURE_SECURE_PROCESSING feature is set to true.
      at com.sun.org.apache.xpath.internal.jaxp.JAXPExtensionsProvider.extFunction(JAXPExtensionsProvider.java:178)
      at com.sun.org.apache.xpath.internal.functions.FuncExtFunction.execute(FuncExtFunction.java:210)
      at com.sun.org.apache.xpath.internal.XPath.execute(XPath.java:339)
      at com.sun.org.apache.xpath.internal.jaxp.XPathImpl.eval(XPathImpl.java:208)
      at com.sun.org.apache.xpath.internal.jaxp.XPathImpl.evaluate(XPathImpl.java:270)
      at Test.main(Test.java:46)

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              ikrylov Ivan Krylov
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: