57673 – AccessControlException accessing org.apache.taglibs.standard.xml.accessExternalEntity

Bug 57673 - AccessControlException accessing org.apache.taglibs.standard.xml.accessExternalEntity

Summary: AccessControlException accessing org.apache.taglibs.standard.xml.accessExtern...

Status:	RESOLVED FIXED

Alias:	None

Product:	Taglibs
Classification:	Unclassified
Component:	Standard Taglib (show other bugs)
Version:	unspecified
Hardware:	PC Mac OS X 10.1

Importance:	P2 normal (vote)
Target Milestone:	---
Assignee:	Tomcat Developers Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2015-03-07 15:21 UTC by Jeremy Boynes
Modified:	2015-10-07 15:44 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jeremy Boynes 2015-03-07 15:21:48 UTC

http://svn.apache.org/r1658754 added a check of the org.apache.taglibs.standard.xml.accessExternalEntity system property during initialization of XmlUtil. When a SecurityManager is present this check will fail unless permission has been granted for the library to do that.

This may affect applications even if they do not use the XML tags because the he JSTL <c:> core library includes a TLV that parses the XML view of the page at translation time, obtaining the parser from the XmlUtil class. If permission has not been granted then the check fails, a NoClassDefError is thrown, and the JSP compilation will fail.

Comment 1 Jeremy Boynes 2015-03-07 15:25:14 UTC

I propose to fix this by ignoring the AccessControlException and falling back to the default set of protocols i.e. none. To enable additional protocols, users would need to pass that property and grant the library permission to read it.

Comment 2 Jeremy Boynes 2015-03-07 15:44:17 UTC

Fixed in http://svn.apache.org/r1664878 and will be included in 1.2.4