users@jax-rpc.java.net

bug report: JAX-RPC v1.0_01 has probs with SecurityManager

From: Eddie Ruvinsky <ruvinsky_at_YAHOO.COM>
Date: Tue, 19 Nov 2002 18:27:34 -0800

Hello, I'm not sure where to report bugs, but below is
a summary of a security problem associated with the
implementation of JAX-RPC v1.0_01.

I tried running JAX-RPC v1.0_01 by bundling it as part
of a webapp in Tomcat 4.0.5 with a SecurityManager
enabled, and found [at least] that the following
security properties needed to be granted for JAX-RPC
to work with my application:

permission java.util.PropertyPermission
"com.sun.xml.rpc.streaming.XMLWriterFactory", "read";

permission java.util.PropertyPermission
"com.sun.xml.rpc.streaming.XMLReaderFactory", "read";

This appears to be an implementation bug, as the code
does not have system property read or write access
otherwise.

So, the JAX-RPC implementation should not assume it
has access to read or write to any Java system
properties, especially since it could be bundled as
part of multiple webapps coexisting in one servlet
container. If it tries to read one optionally, it
should wrap a try/catch around the read operation and
handle/trap the security exception case accordingly.

Thanks,
Eddie
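
The guarded read suggested in the message above, as an added example that is not part of the original post and is not JAX-RPC source code. The two property names are the ones from the report; the class name, the fallback value "example.DefaultFactory" and the deny-only SecurityManager are assumptions constructed for the demonstration. It needs a JDK that still allows installing a SecurityManager (Java 17 or earlier, or 18 to 23 started with -Djava.security.manager=allow).

```java
import java.security.Permission;
import java.util.PropertyPermission;

public class OptionalPropertyDemo {
    static final String WRITER_KEY = "com.sun.xml.rpc.streaming.XMLWriterFactory";
    static final String READER_KEY = "com.sun.xml.rpc.streaming.XMLReaderFactory";
    // Placeholder default; the real implementation's default class is not on the page.
    static final String FALLBACK = "example.DefaultFactory";

    // Unguarded read: a denied PropertyPermission surfaces as a
    // SecurityException in the caller and breaks the webapp.
    static String readUnguarded(String key, String fallback) {
        String value = System.getProperty(key);
        return value != null ? value : fallback;
    }

    // Guarded read: the property is an optional override, so a denied
    // read is treated the same as "not set" and the default is used.
    static String readGuarded(String key, String fallback) {
        try {
            String value = System.getProperty(key);
            return value != null ? value : fallback;
        } catch (SecurityException denied) {
            return fallback;
        }
    }

    public static void main(String[] args) {
        // Constructed sandbox: deny reads of the two factory properties,
        // allow everything else (stands in for a container policy file
        // that lacks the two grants quoted in the report).
        System.setSecurityManager(new SecurityManager() {
            @Override
            public void checkPermission(Permission p) {
                if (p instanceof PropertyPermission
                        && p.getName().startsWith("com.sun.xml.rpc.streaming.")) {
                    throw new SecurityException("denied: " + p.getName());
                }
            }
        });
        for (String key : new String[] {WRITER_KEY, READER_KEY}) {
            try {
                System.out.println("unguarded: " + readUnguarded(key, FALLBACK));
            } catch (SecurityException e) {
                System.out.println("unguarded: SecurityException, " + e.getMessage());
            }
            System.out.println("guarded:   " + readGuarded(key, FALLBACK));
        }
    }
}
```

With the guarded form the container policy needs no PropertyPermission grant unless the deployer actually wants to override a factory through a system property.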
