With the rise in importance of security these days--and especially given
its prominence in J2EE 1.3--some problems have emerged in SAX code that
interacts with system resources, when that SAX code needs to be deployed at
the heart of a J2EE platform.
For instance, when the createXMLReader() method is called on
XMLReaderFactory, various actions that violate many security policies are
triggered: system properties are examined, attempts are made to open jar
files, the context class loader is looked up, etc. At best, this can
result in logfiles with many spurious warnings; consequences can be worse
depending on the security policy.
This problem isn't unique to SAX: JAXP, having a similar factory design,
had the same limitations. To fix this, Edwin Goei--same guy partially
responsible for much of the SAX classloading code we have today--committed
some new JAXP code a couple of months back to a branch (java2-branch, for
the curious) of the Apache xml-commons project. The basic idea behind the
code is to wrap all problematic calls in implementations of the
PrivilegedAction interface, using the doPrivileged method of the
AccessController class. JDK 1.1.8 support is maintained by using these new
wrappers only on non-1.1.8 platforms; under 1.1.8, wrappers that don't use
the modern syntax are employed.
So now there exists a JAXP implementation that works happily in J2EE
environments and still runs under JDK 1.1.8. While it is true that it
won't compile under 1.1.8, we've been using this code for over 2 months now
in the Apache Xerces-Java project and have yet to encounter a single
Shortly after Edwin committed his changes to JAXP, I migrated them over to
the SAX implementation contained in Xerces-J. This has been out and about
for at least 2 Xerces releases now, and we haven't heard of any problems.
So, I think the code may be mature enough to present here as a possible
contribution to a future revision of SAX.
Note that this code is a bit different from what's in Xerces; for the
present, we have to ship a back-level version of SAX to remain compliant to
Sun's JAXP 1.2 TCK. Nonetheless, these patches aren't radically different
from what's live in Xerces today, so I think they should work fine. Note
that all affected classes are from the org.xml.sax.helpers package.
(See attached file: SAXPatch.zip)
XML Parser Development
IBM Toronto Lab
Phone: 905-413-3519, T/L 969-3519
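
The wrapping technique described in the message above, as an added example that is not part of the original post or of the attached patch: a hypothetical package-private helper, `PrivilegedSupport` (the class name, its methods and the services path are assumptions), that performs the system-property, context-class-loader and resource lookups inside `AccessController.doPrivileged`.

```java
import java.io.InputStream;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical helper (name assumed). Package-private on purpose: a public
// version would let untrusted callers read properties with our privileges.
// Note: AccessController is deprecated for removal since Java 17 (JEP 411).
final class PrivilegedSupport {
    private PrivilegedSupport() {}

    // Permission checks stop at this frame; callers further up the stack
    // are not consulted, so only this code's own grants matter.
    static String getSystemProperty(final String name) {
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() { return System.getProperty(name); }
        });
    }

    static ClassLoader getContextClassLoader() {
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            public ClassLoader run() {
                try {
                    return Thread.currentThread().getContextClassLoader();
                } catch (SecurityException e) {
                    return null; // caller falls back to the system class loader
                }
            }
        });
    }

    static InputStream getResourceAsStream(final ClassLoader cl, final String name) {
        return AccessController.doPrivileged(new PrivilegedAction<InputStream>() {
            public InputStream run() {
                return cl == null ? ClassLoader.getSystemResourceAsStream(name)
                                  : cl.getResourceAsStream(name);
            }
        });
    }

    // Walks the lookups the factory performs, each one through a wrapper.
    public static void main(String[] args) throws Exception {
        String driver = getSystemProperty("org.xml.sax.driver");
        System.out.println("system property: " + driver);
        ClassLoader cl = getContextClassLoader();
        System.out.println("context loader: " + cl);
        // Services path is an assumption about where a jar names its driver.
        try (InputStream in = getResourceAsStream(cl, "META-INF/services/org.xml.sax.driver")) {
            System.out.println("services entry present: " + (in != null));
        }
    }
}
```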