Bug 57673 - AccessControlException accessing org.apache.taglibs.standard.xml.accessExternalEntity
Summary: AccessControlException accessing org.apache.taglibs.standard.xml.accessExtern...
Alias: None
Product: Taglibs
Classification: Unclassified
Component: Standard Taglib (show other bugs)
Version: unspecified
Hardware: PC Mac OS X 10.1
: P2 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2015-03-07 15:21 UTC by Jeremy Boynes
Modified: 2015-10-07 15:44 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Boynes 2015-03-07 15:21:48 UTC
http://svn.apache.org/r1658754 added a check of the org.apache.taglibs.standard.xml.accessExternalEntity system property during initialization of XmlUtil. When a SecurityManager is present this check will fail unless permission has been granted for the library to do that.

This may affect applications even if they do not use the XML tags because the he JSTL <c:> core library includes a TLV that parses the XML view of the page at translation time, obtaining the parser from the XmlUtil class. If permission has not been granted then the check fails, a NoClassDefError is thrown, and the JSP compilation will fail.
Comment 1 Jeremy Boynes 2015-03-07 15:25:14 UTC
I propose to fix this by ignoring the AccessControlException and falling back to the default set of protocols i.e. none. To enable additional protocols, users would need to pass that property and grant the library permission to read it.
Comment 2 Jeremy Boynes 2015-03-07 15:44:17 UTC
Fixed in http://svn.apache.org/r1664878 and will be included in 1.2.4