P2
According to JAXP 1.4.3 Release Notes [1] and JAXP Compatibility Guide for the
J2SE 6 Platform [2], the Java SE 6 includes important updates for 'Feature for
Secure Processing' in JAXP starting from JDK6 Update 18.
More specifically, [3] states that the extension functions ('XPath and XSLT
extension functions') are disabled automatically when *Security Manager is
present* ('-Djava.security.manager').
However, we're seeing that Oracle's JDK6 Updates after JDK6u18 (e.g. 6u45)
*don't* throw XPathFunctionException. At the same time the latest OpenJDK6 and
OpenJDK7 builds and Oracle's JDK 7.0/7u45 do throw it.
It's also not clear if the external to Java SE 6 specs JAXP docs ([1] and [2]) can be
considered as authoritative.
Thereby there is ambiguity between the JAXP compatibility guide, the Java SE 6
RI, all Oracle JDK 6 implementations (and probably the JAXP specs) and all
OpenJDK 6 versions for builds 18 and later.
We believe that such difference in behaviour should be clarified and (possibly) fixed.
[1] https://jaxp.java.net/1.4/1.4.3/ReleaseNotes.html
[2] https://jaxp.java.net/1.4/JAXP-Compatibility.html
[3] https://jaxp.java.net/1.4/JAXP-Compatibility.html#JAXP_security
Please use the minimized test (attached) to reproduce the difference:
$ /java/6/binaries/linux-x64/bin/java -Djava.security.manager Test
$ ./openjdk6/bin/java -version
openjdk version "1.6.0-internal"
OpenJDK Runtime Environment (build 1.6.0-internal-ygaevsky_28_nov_2013_19_24-b00)
OpenJDK 64-Bit Server VM (build 23.25-b01, mixed mode)
$ /java/6u45/binaries/linux-x64/bin/java -Djava.security.manager Test
$ ./openjdk6/bin/java -Djava.security.manager Test
Exception in thread "main" javax.xml.xpath.XPathFunctionException: Extension function: '{test://jaxp/xpath}sqrt' can not be invoked when the XMLConstants.FEATURE_SECURE_PROCESSING feature is set to true.
at com.sun.org.apache.xpath.internal.jaxp.JAXPExtensionsProvider.extFunction(JAXPExtensionsProvider.java:178)
at com.sun.org.apache.xpath.internal.functions.FuncExtFunction.execute(FuncExtFunction.java:210)
at com.sun.org.apache.xpath.internal.XPath.execute(XPath.java:339)
at com.sun.org.apache.xpath.internal.jaxp.XPathImpl.eval(XPathImpl.java:216)
at com.sun.org.apache.xpath.internal.jaxp.XPathImpl.evaluate(XPathImpl.java:278)
at Test.main(Test.java:46)
$ /java/7/binaries/linux-x64/bin/java -Djava.security.manager Test
Exception in thread "main" javax.xml.xpath.XPathFunctionException: Extension function: '{test://jaxp/xpath}sqrt' can not be invoked when the XMLConstants.FEATURE_SECURE_PROCESSING feature is set to true.
at com.sun.org.apache.xpath.internal.jaxp.JAXPExtensionsProvider.extFunction(JAXPExtensionsProvider.java:178)
at com.sun.org.apache.xpath.internal.functions.FuncExtFunction.execute(FuncExtFunction.java:210)
at com.sun.org.apache.xpath.internal.XPath.execute(XPath.java:339)
at com.sun.org.apache.xpath.internal.jaxp.XPathImpl.eval(XPathImpl.java:216)
at com.sun.org.apache.xpath.internal.jaxp.XPathImpl.evaluate(XPathImpl.java:278)
at Test.main(Test.java:46)
$ /java/7u45/binaries/linux-x64/bin/java -Djava.security.manager Test
Exception in thread "main" javax.xml.xpath.XPathFunctionException: Extension function: '{test://jaxp/xpath}sqrt' can not be invoked when the XMLConstants.FEATURE_SECURE_PROCESSING feature is set to true.
at com.sun.org.apache.xpath.internal.jaxp.JAXPExtensionsProvider.extFunction(JAXPExtensionsProvider.java:178)
at com.sun.org.apache.xpath.internal.functions.FuncExtFunction.execute(FuncExtFunction.java:210)
at com.sun.org.apache.xpath.internal.XPath.execute(XPath.java:339)
at com.sun.org.apache.xpath.internal.jaxp.XPathImpl.eval(XPathImpl.java:208)
at com.sun.org.apache.xpath.internal.jaxp.XPathImpl.evaluate(XPathImpl.java:270)
at Test.main(Test.java:46)
J2SE 6 Platform [2], the Java SE 6 includes important updates for 'Feature for
Secure Processing' in JAXP starting from JDK6 Update 18.
More specifically, [3] states that the extension functions ('XPath and XSLT
extension functions') are disabled automatically when *Security Manager is
present* ('-Djava.security.manager').
However, we're seeing that Oracle's JDK6 Updates after JDK6u18 (e.g. 6u45)
*don't* throw XPathFunctionException. At the same time the latest OpenJDK6 and
OpenJDK7 builds and Oracle's JDK 7.0/7u45 do throw it.
It's also not clear if the external to Java SE 6 specs JAXP docs ([1] and [2]) can be
considered as authoritative.
Thereby there is ambiguity between the JAXP compatibility guide, the Java SE 6
RI, all Oracle JDK 6 implementations (and probably the JAXP specs) and all
OpenJDK 6 versions for builds 18 and later.
We believe that such difference in behaviour should be clarified and (possibly) fixed.
[1] https://jaxp.java.net/1.4/1.4.3/ReleaseNotes.html
[2] https://jaxp.java.net/1.4/JAXP-Compatibility.html
[3] https://jaxp.java.net/1.4/JAXP-Compatibility.html#JAXP_security
Please use the minimized test (attached) to reproduce the difference:
$ /java/6/binaries/linux-x64/bin/java -Djava.security.manager Test
$ ./openjdk6/bin/java -version
openjdk version "1.6.0-internal"
OpenJDK Runtime Environment (build 1.6.0-internal-ygaevsky_28_nov_2013_19_24-b00)
OpenJDK 64-Bit Server VM (build 23.25-b01, mixed mode)
$ /java/6u45/binaries/linux-x64/bin/java -Djava.security.manager Test
$ ./openjdk6/bin/java -Djava.security.manager Test
Exception in thread "main" javax.xml.xpath.XPathFunctionException: Extension function: '{test://jaxp/xpath}sqrt' can not be invoked when the XMLConstants.FEATURE_SECURE_PROCESSING feature is set to true.
at com.sun.org.apache.xpath.internal.jaxp.JAXPExtensionsProvider.extFunction(JAXPExtensionsProvider.java:178)
at com.sun.org.apache.xpath.internal.functions.FuncExtFunction.execute(FuncExtFunction.java:210)
at com.sun.org.apache.xpath.internal.XPath.execute(XPath.java:339)
at com.sun.org.apache.xpath.internal.jaxp.XPathImpl.eval(XPathImpl.java:216)
at com.sun.org.apache.xpath.internal.jaxp.XPathImpl.evaluate(XPathImpl.java:278)
at Test.main(Test.java:46)
$ /java/7/binaries/linux-x64/bin/java -Djava.security.manager Test
Exception in thread "main" javax.xml.xpath.XPathFunctionException: Extension function: '{test://jaxp/xpath}sqrt' can not be invoked when the XMLConstants.FEATURE_SECURE_PROCESSING feature is set to true.
at com.sun.org.apache.xpath.internal.jaxp.JAXPExtensionsProvider.extFunction(JAXPExtensionsProvider.java:178)
at com.sun.org.apache.xpath.internal.functions.FuncExtFunction.execute(FuncExtFunction.java:210)
at com.sun.org.apache.xpath.internal.XPath.execute(XPath.java:339)
at com.sun.org.apache.xpath.internal.jaxp.XPathImpl.eval(XPathImpl.java:216)
at com.sun.org.apache.xpath.internal.jaxp.XPathImpl.evaluate(XPathImpl.java:278)
at Test.main(Test.java:46)
$ /java/7u45/binaries/linux-x64/bin/java -Djava.security.manager Test
Exception in thread "main" javax.xml.xpath.XPathFunctionException: Extension function: '{test://jaxp/xpath}sqrt' can not be invoked when the XMLConstants.FEATURE_SECURE_PROCESSING feature is set to true.
at com.sun.org.apache.xpath.internal.jaxp.JAXPExtensionsProvider.extFunction(JAXPExtensionsProvider.java:178)
at com.sun.org.apache.xpath.internal.functions.FuncExtFunction.execute(FuncExtFunction.java:210)
at com.sun.org.apache.xpath.internal.XPath.execute(XPath.java:339)
at com.sun.org.apache.xpath.internal.jaxp.XPathImpl.eval(XPathImpl.java:208)
at com.sun.org.apache.xpath.internal.jaxp.XPathImpl.evaluate(XPathImpl.java:270)
at Test.main(Test.java:46)