1 /*
2 * Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 package common;
25
26 import java.security.AllPermission;
27 import java.security.Permission;
28 import java.security.Permissions;
29
30 import javax.xml.XMLConstants;
31 import javax.xml.transform.TransformerFactory;
32 import javax.xml.validation.SchemaFactory;
33 import javax.xml.xpath.XPathFactory;
34
35 import org.testng.Assert;
36 import org.testng.annotations.Test;
37
38 /*
39 * @bug 7143711
40 * @summary Test set use-service-mechanism shall not override what's set by the constructor in secure mode.
41 */
42 public class Bug7143711Test {
43 static final String SCHEMA_LANGUAGE = "http://java.sun.com/xml/jaxp/properties/schemaLanguage";
44 static final String SCHEMA_SOURCE = "http://java.sun.com/xml/jaxp/properties/schemaSource";
45
46 private static final String DOM_FACTORY_ID = "javax.xml.parsers.DocumentBuilderFactory";
47 private static final String SAX_FACTORY_ID = "javax.xml.parsers.SAXParserFactory";
48
49 // impl specific feature
50 final String ORACLE_FEATURE_SERVICE_MECHANISM = "http://www.oracle.com/feature/use-service-mechanism";
51
52 @Test
53 public void testValidation_SAX_withSM() {
54 System.out.println("Validation using SAX Source with security manager:");
55 System.setProperty(SAX_FACTORY_ID, "MySAXFactoryImpl");
56 Permissions granted = new java.security.Permissions();
57 granted.add(new AllPermission());
58 System.setSecurityManager(new MySM(granted));
59
60 try {
61 SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
62 // should not allow
63 factory.setFeature(ORACLE_FEATURE_SERVICE_MECHANISM, true);
64 if ((boolean) factory.getFeature(ORACLE_FEATURE_SERVICE_MECHANISM)) {
65 Assert.fail("should not override in secure mode");
66 }
67 } catch (Exception e) {
68 Assert.fail(e.getMessage());
69
70 } finally {
71 System.clearProperty(SAX_FACTORY_ID);
72 System.setSecurityManager(null);
73 }
74
75 System.setSecurityManager(null);
76
77 }
78
79 @Test(enabled=false) //skipped due to bug JDK-8080097
80 public void testTransform_DOM_withSM() {
81 System.out.println("Transform using DOM Source; Security Manager is set:");
82
83 Permissions granted = new java.security.Permissions();
84 granted.add(new AllPermission());
85 System.setSecurityManager(new MySM(granted));
86 System.setProperty(DOM_FACTORY_ID, "MyDOMFactoryImpl");
87
88 try {
89 TransformerFactory factory = TransformerFactory.newInstance("com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl",
90 TransformerFactory.class.getClassLoader());
91 factory.setFeature(ORACLE_FEATURE_SERVICE_MECHANISM, true);
92 if ((boolean) factory.getFeature(ORACLE_FEATURE_SERVICE_MECHANISM)) {
93 Assert.fail("should not override in secure mode");
94 }
95
96 } catch (Exception e) {
97 Assert.fail(e.getMessage());
98 } finally {
99 System.clearProperty(DOM_FACTORY_ID);
100 System.setSecurityManager(null);
101 }
102
103 System.clearProperty(DOM_FACTORY_ID);
104 }
105
106 @Test
107 public void testXPath_DOM_withSM() {
108 System.out.println("Evaluate DOM Source; Security Manager is set:");
109 Permissions granted = new java.security.Permissions();
110 granted.add(new AllPermission());
111 System.setSecurityManager(new MySM(granted));
112 System.setProperty(DOM_FACTORY_ID, "MyDOMFactoryImpl");
113
114 try {
115 XPathFactory xPathFactory = XPathFactory.newInstance("http://java.sun.com/jaxp/xpath/dom",
116 "com.sun.org.apache.xpath.internal.jaxp.XPathFactoryImpl", null);
117 xPathFactory.setFeature(ORACLE_FEATURE_SERVICE_MECHANISM, true);
118 if ((boolean) xPathFactory.getFeature(ORACLE_FEATURE_SERVICE_MECHANISM)) {
119 Assert.fail("should not override in secure mode");
120 }
121
122 } catch (Exception e) {
123 Assert.fail(e.getMessage());
124 } finally {
125 System.clearProperty(DOM_FACTORY_ID);
126 System.setSecurityManager(null);
127 }
128
129 System.clearProperty(DOM_FACTORY_ID);
130 }
131
132 @Test
133 public void testSM() {
134 SecurityManager sm = System.getSecurityManager();
135 if (System.getSecurityManager() != null) {
136 System.out.println("Security manager not cleared: " + sm.toString());
137 } else {
138 System.out.println("Security manager cleared: ");
139 }
140 }
141
142 class MySM extends SecurityManager {
143 Permissions granted;
144
145 public MySM(Permissions perms) {
146 granted = perms;
147 }
148
149 @Override
150 public void checkPermission(Permission perm) {
151 if (granted.implies(perm)) {
152 return;
153 }
154 super.checkPermission(perm);
155 }
156
157 }
158
159 }