Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

SUN's 1.4.1_03 JVM only: DocumentBuilder throws AccessControlException?

4 views
Skip to first unread message

ra9a...@sneakemail.com

unread,
Jun 12, 2003, 12:42:58 PM6/12/03
to
I've noticed, that this snippet works in browsers running SUN's
1.4.1_02 JVM but not when running 1.4.1_03. What is it that isn't
allowed? Surely applets should be allowed to parse XML, right?

import java.applet.Applet;
import java.lang.*;
import java.io.*;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class Doc extends Applet {
public void init() {
String docString = "Hello World";
InputStream is = new ByteArrayInputStream(docString.getBytes());
try {
DocumentBuilder builder =
DocumentBuilderFactory.newInstance().newDocumentBuilder();
Document document = builder.parse(is);
} catch (Throwable t) {
System.out.println( "Error occurred");
t.printStackTrace();
}
System.out.println("Tried and got here");
}
}

I get the same error with IE and mozilla for 1.4.1_03:

Error occurred
java.security.AccessControlException: access denied
(java.util.PropertyPermission entityExpansionLimit read)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
at java.lang.System.getProperty(Unknown Source)
at org.apache.crimson.parser.Parser2.init(Unknown Source)
at org.apache.crimson.parser.Parser2.parse(Unknown Source)
at org.apache.crimson.parser.XMLReaderImpl.parse(Unknown Source)
at org.apache.crimson.jaxp.DocumentBuilderImpl.parse(Unknown Source)
at javax.xml.parsers.DocumentBuilder.parse(Unknown Source)
at Doc.init(Doc.java:16)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Tried and got here

Peter Valdemar Mørch

unread,
Jun 13, 2003, 5:10:11 AM6/13/03
to
Further information and test site:

Try it out for yourself here:
http://demo.capmon.dk/~pvm/docbug/doc.html
http://demo.capmon.dk/~pvm/docbug/ contains .html, .java and .class files.

With 1.4.1_02, it finishes with this exception, which is fine.
org.xml.sax.SAXParseException: Document root element is missing

But 1.4.1_03 throws a
java.security.AccessControlException: access denied
Which is not fine as far as I can see.

Stephen Gilbert

unread,
Jun 19, 2003, 5:42:17 PM6/19/03
to
ra9a...@sneakemail.com wrote in message news:<17243cc8.03061...@posting.google.com>...

> Error occurred
> java.security.AccessControlException: access denied
> (java.util.PropertyPermission entityExpansionLimit read)

In the release notes for JDK 1.4.2 this new property is
explained:

http://java.sun.com/j2se/1.4.2/relnotes.html

Apparently, it was retroactively added to 1.4.1_03, because
the release notes mention a fix for: "Large number of entity
expansions cause 100 % CPU resulting in DoS condition.":

http://developer.java.sun.com/developer/bugParade/bugs/4791146.html

It looks like this new property was not not added to the
list of system properties that can be read from an applet.

--Steve

0 new messages