I would like to get help on signed applet + XSL transformation
I have a signed applet (with 1 JAR file) that performs XSL transformation where the input XML, the XSL and the output is read/written on the local file system. I have already tried it with JRE
- 1.5.0_22
- 1.6.0_29
- 1.7.0_01
and the result is the same:
When my XSL file contains a reference to an external XML document:
<xsl:variable name="extXML" select="document('/tmp/A.XML')"/>
<xsl:value-of select="$extXML/Child"/>
the transformation fails:
com.sun.org.apache.xalan.internal.xsltc.TransletException: java.security.AccessControlException: access denied (java.io.FilePermission /tmp/A.XML read)
at com.sun.org.apache.xalan.internal.xsltc.dom.LoadDocument.documentF(LoadDocument.java:142)
at in.topLevel()
at in.transform()
at com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet.transform(AbstractTranslet.java:603)
at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:709)
at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:313)
at myxsltapplet.MyXSLTApplet.xsltTransform(MyXSLTApplet.java:66)
If this reference to external XML document is commented out everything work just fine. Using a policy file solves this problem but unfortunately this is not an option.
I have implemented a URIResolver that I set for the TransformerFactory but I also get AccessControlException in it.
In the applet I have retrieved the SecurityManager and its AccessControlContext and logged out their hashcode:
SecurityManager: sun.plugin2.applet.Applet2SecurityManager@103fcaa
getSecurityContext(): java.security.AccessControlContext@17b2b2
I did the same in my URIResolver implementation and the AccessControlContext has changed:
SecurityManager: sun.plugin2.applet.Applet2SecurityManager@103fcaa
getSecurityContext(): java.security.AccessControlContext@ede64c
Calling checkPermission on the original AccessControlContext runs without exception.
Calling checkPermission on the new AccessControlContext accessible in my URIResolver:
AccessControlContext acc = (AccessControlContext) System.getSecurityManager().getSecurityContext();
acc.checkPermission(new FilePermission("/tmp/A.XML", "read"));
throws:
ERROR: 'java.security.AccessControlException: access denied (java.io.FilePermission /tmp/A.XML read)'
Is it a normal thing or a bug? Thanks for any idea,
Software that runs in the browser is normally prevented from accessing local files. Here are some explanations of why: