Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JDom2 not usable within applet #93

Closed
robert-E opened this issue Sep 12, 2012 · 6 comments
Closed

JDom2 not usable within applet #93

robert-E opened this issue Sep 12, 2012 · 6 comments

Comments

@robert-E
Copy link

hi,
since jdom2 using jdom in an applet is not possible anymore because it accesses system properties for which the sandbox does not grant access. I found the following 2 cases:

Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission org.jdom2.output.LineSeparator read)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
at java.lang.System.getProperty(Unknown Source)
at org.jdom2.output.LineSeparator.getDefaultLineSeparator(LineSeparator.java:163)
at org.jdom2.output.LineSeparator.(LineSeparator.java:156)
... 22 more
Exception: java.lang.RuntimeException: java.lang.ExceptionInInitializerError

Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission org.jdom2.xpath.XPathFactory read)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
at java.lang.System.getProperty(Unknown Source)
at org.jdom2.xpath.XPathFactory.(XPathFactory.java:101)
... 22 more
Exception: java.lang.RuntimeException: java.lang.ExceptionInInitializerError

The problem is, that both calls of the System.getProperty(..) are made in the declaration of attributes of that classes.

I know that the permissions for the sandbox can be changed but that must be done by each user using that applet. Most users are not allowed to change that permissions by their company rules, so this is no possible solution in my case.

cu,
robert.

@rolfl
Copy link
Collaborator

rolfl commented Sep 12, 2012

OK, I can follow that this is a problem (I did not realize that System properties were a problem....).

My question is "Where else broken?" I have searched for System.getProperty() and there are only a few places.... but, once I have fixed those, is there some way to test for other issues?

rolfl added a commit that referenced this issue Sep 12, 2012
Make access to this process a checked system.
@rolfl
Copy link
Collaborator

rolfl commented Sep 12, 2012

Hi Robert.

Can you please pull the 'fix' package from https://github.com/hunterhacker/jdom/downloads jdom-2.x-issue93.zip and also inspect the code changes. Perhaps you can test it all for us. Give us some feedback.

Thanks

It will take a month before I release 2.0.4....

Rolf

@robert-E
Copy link
Author

hi rolf,

i've just downloaded your changes and will give you feedback as soon as
possible.

cu,
robert.

Am 12.09.2012 13:20, schrieb Rolf:

Hi Robert.

Can you please pull the 'fix' package from
https://github.com/hunterhacker/jdom/downloads jdom-2.x-issue93.zip
and also inspect the code changes. Perhaps you can test it all for us.
Give us some feedback.

Thanks

It will take a month before I release 2.0.4....

Rolf


Reply to this email directly or view it on GitHub
#93 (comment).


Dipl.-Ing. Robert Eisner

Groiss Informatics GmbH
Strutzmannstrasse 10
A-9020 Klagenfurt
AUSTRIA

Phone: ++43 463 504694-11
Fax: ++43 463 504694-10
E-Mail: robert.eisner@groiss.com
Web: http://www.groiss.com

FN 168125v LG Klagenfurt | UID ATU44898401

@robert-E
Copy link
Author

hi rolf,

sorry, but i have no idea how to test for other problems in an applet
environment.

It seems that code analysis is the only way to do that. Therefore oracle
provides information what an applet can do and what it cannot:
http://docs.oracle.com/javase/tutorial/deployment/applet/security.html

I hope this will help,
robert.

Am 12.09.2012 12:43, schrieb Rolf:

OK, I can follow that this is a problem (I did not realize that System
properties were a problem....).

My question is "Where else broken?" I have searched for
System.getProperty() and there are only a few places.... but, once I
have fixed those, is there some way to test for other issues?


Reply to this email directly or view it on GitHub
#93 (comment).


Dipl.-Ing. Robert Eisner

Groiss Informatics GmbH
Strutzmannstrasse 10
A-9020 Klagenfurt
AUSTRIA

Phone: ++43 463 504694-11
Fax: ++43 463 504694-10
E-Mail: robert.eisner@groiss.com
Web: http://www.groiss.com

FN 168125v LG Klagenfurt | UID ATU44898401

@robert-E
Copy link
Author

hi rolf,

Thanks for your prompt fix, the new code looks good and works fine
within my applet.

cu,
robert.

Am 12.09.2012 13:20, schrieb Rolf:

Hi Robert.

Can you please pull the 'fix' package from
https://github.com/hunterhacker/jdom/downloads jdom-2.x-issue93.zip
and also inspect the code changes. Perhaps you can test it all for us.
Give us some feedback.

Thanks

It will take a month before I release 2.0.4....

Rolf


Reply to this email directly or view it on GitHub
#93 (comment).


Dipl.-Ing. Robert Eisner

Groiss Informatics GmbH
Strutzmannstrasse 10
A-9020 Klagenfurt
AUSTRIA

Phone: ++43 463 504694-11
Fax: ++43 463 504694-10
E-Mail: robert.eisner@groiss.com
Web: http://www.groiss.com

FN 168125v LG Klagenfurt | UID ATU44898401

@rolfl
Copy link
Collaborator

rolfl commented Sep 12, 2012

Issue resolved.... great.

I will leave the jdom-2.x-issue93.zip package available for a while, but I don't want to release 2.0.4 until October at least.... I want to wait for 2.0.3 to get some more exposure first, and I don't consider this issue (#93) to be a massive showstopper (it's been broken since the very first 2.x build, and there's now the hotfix available).

I will do the traditional JDOM 2.x "wait-a-while-in-case-something-else-shows-up" and if nothing else shows up, I will release 2.0.4 with this fix in October sometime.

@rolfl rolfl closed this as completed Sep 12, 2012
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants