Bug 51668 - <junitreport> broken on JDK 7 when a SecurityManager is set
Summary: <junitreport> broken on JDK 7 when a SecurityManager is set
Alias: None
Product: Ant
Classification: Unclassified
Component: Optional Tasks (show other bugs)
Version: 1.8.2
Hardware: PC Linux
: P2 major (vote)
Target Milestone: 1.8.3
Assignee: Ant Notifications List
Depends on: 52382
  Show dependency tree
Reported: 2011-08-16 22:06 UTC by Jesse Glick
Modified: 2016-10-18 11:01 UTC (History)
2 users (show)


Note You need to log in before you can comment on or make changes to this bug.
Description Jesse Glick 2011-08-16 22:06:37 UTC
Fails with: "Use of the extension element 'redirect' is not allowed when the secure processing feature is set to true."

Originally filed under https://netbeans.org/bugzilla/show_bug.cgi?id=201022 but it turns out to apply to any environment in which there is a system security manager set.

JDK 7's TransformerFactoryImpl constructor introduced:

        if (System.getSecurityManager() != null) {
            _isSecureMode = true;
            _isNotSecureProcessing = false;

which conflicts with <redirect:write>.

See also: http://jaxp.java.net/1.4/JAXP-Compatibility.html#JAXP_security (bug #6863312 is "not publicly available")
Comment 1 Jesse Glick 2011-08-16 22:29:07 UTC
Unfortunately just calling tfactory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", false) in TraXLiaison.getFactory does not work:

javax.xml.transform.TransformerConfigurationException: FEATURE_SECURE_PROCESSING: Cannot set the feature to false when security manager is present.
	at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl.setFeature(TransformerFactoryImpl.java:417)
Comment 2 Jesse Glick 2011-08-16 22:55:50 UTC
Only workaround seems to be to use reflection to override the state of _isNotSecureProcessing.
Comment 3 Jesse Glick 2011-08-16 23:08:19 UTC
Fixed: revision 1158470
Comment 4 Markus Keller 2012-08-10 09:46:18 UTC
(In reply to comment #3)
> Fixed: revision 1158470

This fix has NOT been shipped with Ant 1.8.3 nor 1.8.4, see e.g.

This bug is supposed to fix https://bugs.eclipse.org/bugs/show_bug.cgi?id=384757
Comment 5 Jesse Glick 2012-08-10 12:09:58 UTC
The fix is indeed in 1.8.3; you need to see http://svn.apache.org/viewvc?view=revision&revision=1222724 from bug #52382 for the revised patch (since the change to AggregateTransformer.java was reverted).

Whether this patch is "supposed" to fix the Eclipse bug you quote, or indeed if that bug is even related, is a question which I do not know the answer to; if you continue to have problems in Eclipse using 1.8.3+ then probably you should file a separate bug report after doing some investigation to confirm that the problem lies in Ant code.
Comment 6 Markus Keller 2012-08-10 14:10:35 UTC
OK, thanks for the infos and sorry for interrupting.

It looks like this workaround is not enough to fix the bug we're seeing in Eclipse. I'll follow up there and see if there's abetter fix for the root cause in the Oracle JDK when a SecurityManager is present.
Comment 7 Jesse Glick 2013-03-06 02:16:46 UTC
(In reply to comment #6)
> not enough to fix the bug we're seeing in Eclipse

bug #54641
Comment 8 Stefan Bodewig 2016-07-31 08:02:35 UTC
It looks as if the bug was back with JDK9-ea128, looking into it.
Comment 9 Stefan Bodewig 2016-08-28 17:30:08 UTC
(In reply to Stefan Bodewig from comment #8)
> It looks as if the bug was back with JDK9-ea128, looking into it.