Java7 Update4中的SecurityManager和XSLT扩展是否已损坏?

时间:2012-05-25 20:10:38

标签: java security xslt java-7 xslt-extension

Java应用程序FreeMind使用XSLT从旧文件更新。 XSLT使用静态java函数来简化字符串操作。这适用于Java 7更新2,并在windows下的java7 update 4中提供以下异常:

STDERR: ERROR:  'The first argument to the non-static Java function 'replaceSpacesToNonbreakableSpaces' is not a valid object reference.'
STDERR: FATAL ERROR:  'Could not compile stylesheet'May 26, 2012 10:50:06 PM freemind.main.Resources logException
SEVERE: An exception occured: 
javax.xml.transform.TransformerConfigurationException: Could not compile stylesheet
    at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl.newTemplates(Unknown Source)
    at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl.newTransformer(Unknown Source)
    at freemind.main.Tools$1TransformerRunnable.run(Tools.java:1023)
    at java.lang.Thread.run(Unknown Source)

将它归结为一个最小的例子,它出现了,自定义的SecurityManager是罪魁祸首。如果设置,则代码失败。如果注释掉,代码就可以了。有谁知道,更新2和更新4之间的java7安全系统有什么变化,还有什么可能导致这种情况?

这是一个更小的例子:

package freemind.main;

import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.transform.Result;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public final class FreeMindSecurityTest  {

    public static void main(String[] args) throws Exception {
        // if commented out, this program works as expected.
        System.setSecurityManager(new SecurityManager());
        String input = "<map version=\"0.9.0\">"
                + "</map>";
        String xslt = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                + "     <xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" xmlns:FreeMindSecurityTest=\"xalan://freemind.main.FreeMindSecurityTest\" exclude-result-prefixes=\"FreeMindSecurityTest\">"
                + "         <xsl:template               match=\"/ | node() | @* | comment() | processing-instruction()\">"
                + "             <xsl:value-of select=\"FreeMindSecurityTest:replaceSpacesToNonbreakableSpaces('test')\"/>"
                + "         </xsl:template>" + "        </xsl:stylesheet>";
        StringWriter writer = new StringWriter();
        final Result result = new StreamResult(writer);

        final StreamSource sr = new StreamSource(new StringReader(input));
        // create an instance of TransformerFactory
        TransformerFactory transFact = TransformerFactory.newInstance();
        Transformer trans = transFact.newTransformer(new StreamSource(
                new StringReader(xslt)));

        trans.transform(sr, result);

        System.out.println("Transformed: " + writer.getBuffer());
        writer.close();
    }

    public static String replaceSpacesToNonbreakableSpaces(String input) {
        return input;
    }



}

简而言之,java认为,该方法不是静态的(但它是)并且错过了对象引用。

来自FreeMind的TIA,Chris

编辑:添加了最短的示例(只需设置正常安全管理器的副本)。

1 个答案:

答案 0 :(得分:2)

JAXP 1.4.6 (in Java 7 Update 4)可能存在错误。 Java 7u4的变化是JAXP 1.4.6升级,请参阅Java Release Notes

解决方法/解决方案(可能不是最佳选择)是通过Java endorsed folder使用Xalan 2.7.1而无需额外补丁。 (将xalan 2.7.1罐子复制到jre/libs/endorsed) 或者使用Xalan作为第三方库。

它适用于Linux64上的J7U4和Xalan 2.7.1 

Transformed: <?xml version="1.0" encoding="UTF-8"?>test
相关问题
最新问题