JDom2 not usable within applet #93

Closed
robert-E opened this Issue Sep 12, 2012 · 6 comments

Projects

None yet

2 participants

@robert-E

hi,
since jdom2 using jdom in an applet is not possible anymore because it accesses system properties for which the sandbox does not grant access. I found the following 2 cases:

Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission org.jdom2.output.LineSeparator read)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
at java.lang.System.getProperty(Unknown Source)
at org.jdom2.output.LineSeparator.getDefaultLineSeparator(LineSeparator.java:163)
at org.jdom2.output.LineSeparator.(LineSeparator.java:156)
... 22 more
Exception: java.lang.RuntimeException: java.lang.ExceptionInInitializerError

Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission org.jdom2.xpath.XPathFactory read)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
at java.lang.System.getProperty(Unknown Source)
at org.jdom2.xpath.XPathFactory.(XPathFactory.java:101)
... 22 more
Exception: java.lang.RuntimeException: java.lang.ExceptionInInitializerError

The problem is, that both calls of the System.getProperty(..) are made in the declaration of attributes of that classes.

I know that the permissions for the sandbox can be changed but that must be done by each user using that applet. Most users are not allowed to change that permissions by their company rules, so this is no possible solution in my case.

cu,
robert.

@rolfl
Collaborator
rolfl commented Sep 12, 2012

OK, I can follow that this is a problem (I did not realize that System properties were a problem....).

My question is "Where else broken?" I have searched for System.getProperty() and there are only a few places.... but, once I have fixed those, is there some way to test for other issues?

@rolfl rolfl added a commit that referenced this issue Sep 12, 2012
@rolfl rolfl Issue #93 - System.getProperty() not accessible in Applets.
Make access to this process a checked system.
8c92811
@rolfl
Collaborator
rolfl commented Sep 12, 2012

Hi Robert.

Can you please pull the 'fix' package from https://github.com/hunterhacker/jdom/downloads jdom-2.x-issue93.zip and also inspect the code changes. Perhaps you can test it all for us. Give us some feedback.

Thanks

It will take a month before I release 2.0.4....

Rolf

@robert-E

hi rolf,

i've just downloaded your changes and will give you feedback as soon as
possible.

cu,
robert.

Am 12.09.2012 13:20, schrieb Rolf:

Hi Robert.

Can you please pull the 'fix' package from
https://github.com/hunterhacker/jdom/downloads jdom-2.x-issue93.zip
and also inspect the code changes. Perhaps you can test it all for us.
Give us some feedback.

Thanks

It will take a month before I release 2.0.4....

Rolf


Reply to this email directly or view it on GitHub
#93 (comment).


Dipl.-Ing. Robert Eisner

Groiss Informatics GmbH
Strutzmannstrasse 10
A-9020 Klagenfurt
AUSTRIA

Phone: ++43 463 504694-11
Fax: ++43 463 504694-10
E-Mail: robert.eisner@groiss.com
Web: http://www.groiss.com

FN 168125v LG Klagenfurt | UID ATU44898401

@robert-E

hi rolf,

sorry, but i have no idea how to test for other problems in an applet
environment.

It seems that code analysis is the only way to do that. Therefore oracle
provides information what an applet can do and what it cannot:
http://docs.oracle.com/javase/tutorial/deployment/applet/security.html

I hope this will help,
robert.

Am 12.09.2012 12:43, schrieb Rolf:

OK, I can follow that this is a problem (I did not realize that System
properties were a problem....).

My question is "Where else broken?" I have searched for
System.getProperty() and there are only a few places.... but, once I
have fixed those, is there some way to test for other issues?


Reply to this email directly or view it on GitHub
#93 (comment).


Dipl.-Ing. Robert Eisner

Groiss Informatics GmbH
Strutzmannstrasse 10
A-9020 Klagenfurt
AUSTRIA

Phone: ++43 463 504694-11
Fax: ++43 463 504694-10
E-Mail: robert.eisner@groiss.com
Web: http://www.groiss.com

FN 168125v LG Klagenfurt | UID ATU44898401

@robert-E

hi rolf,

Thanks for your prompt fix, the new code looks good and works fine
within my applet.

cu,
robert.

Am 12.09.2012 13:20, schrieb Rolf:

Hi Robert.

Can you please pull the 'fix' package from
https://github.com/hunterhacker/jdom/downloads jdom-2.x-issue93.zip
and also inspect the code changes. Perhaps you can test it all for us.
Give us some feedback.

Thanks

It will take a month before I release 2.0.4....

Rolf


Reply to this email directly or view it on GitHub
#93 (comment).


Dipl.-Ing. Robert Eisner

Groiss Informatics GmbH
Strutzmannstrasse 10
A-9020 Klagenfurt
AUSTRIA

Phone: ++43 463 504694-11
Fax: ++43 463 504694-10
E-Mail: robert.eisner@groiss.com
Web: http://www.groiss.com

FN 168125v LG Klagenfurt | UID ATU44898401

@rolfl
Collaborator
rolfl commented Sep 12, 2012

Issue resolved.... great.

I will leave the jdom-2.x-issue93.zip package available for a while, but I don't want to release 2.0.4 until October at least.... I want to wait for 2.0.3 to get some more exposure first, and I don't consider this issue (#93) to be a massive showstopper (it's been broken since the very first 2.x build, and there's now the hotfix available).

I will do the traditional JDOM 2.x "wait-a-while-in-case-something-else-shows-up" and if nothing else shows up, I will release 2.0.4 with this fix in October sometime.

@rolfl rolfl closed this Sep 12, 2012
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment