Re: Last Ant Test Failure with JDK9 - JAXP Secure Processing and XSLT Extensions
Thanks Stefan for the update! I'm very glad to know you've gotten all of Ant's tests passed! Best regards, Joe On 9/20/16, 6:46 AM, Stefan Bodewig wrote: Hi Joe On 2016-09-08, Joe Wang wrote: It's great to know you've found the solution! Hopefully this is indeed the last issue for you with JDK 9 :-) I've checked in a fix for the redirect failure [1] into the dev repo. It would probably be included in the next week's build (b136). Please let me know if this doesn't work. [1] https://bugs.openjdk.java.net/browse/JDK-8165116 I can confirm it works, all of Ant's tests pass with b136 :-) Many thanks Stefan
Re: Last Ant Test Failure with JDK9 - JAXP Secure Processing and XSLT Extensions
Hi Joe On 2016-09-08, Joe Wang wrote: > It's great to know you've found the solution! Hopefully this is indeed > the last issue for you with JDK 9 :-) > I've checked in a fix for the redirect failure [1] into the dev > repo. It would probably be included in the next week's build > (b136). Please let me know if this doesn't work. > [1] https://bugs.openjdk.java.net/browse/JDK-8165116 I can confirm it works, all of Ant's tests pass with b136 :-) Many thanks Stefan
Re: Last Ant Test Failure with JDK9 - JAXP Secure Processing and XSLT Extensions
Hi Stefan, It's great to know you've found the solution! Hopefully this is indeed the last issue for you with JDK 9 :-) I've checked in a fix for the redirect failure [1] into the dev repo. It would probably be included in the next week's build (b136). Please let me know if this doesn't work. [1] https://bugs.openjdk.java.net/browse/JDK-8165116 Best, Joe On 9/1/16, 7:37 AM, Stefan Bodewig wrote: On 2016-08-31, Joe Wang wrote: On 8/30/16, 9:34 AM, Stefan Bodewig wrote: On 2016-08-29, Joe Wang wrote: If you are using the built-in extension functions, try turning on the following feature: private static final String ENABLE_EXTENSION_FUNCTIONS = "http://www.oracle.com/xml/jaxp/properties/enableExtensionFunctions;; tf.setFeature(ENABLE_EXTENSION_FUNCTIONS, true); This is not supported by Xalan's TransformerFactoryImpl: True, this is an impl-only feature. But Xalan doesn't need it anyways, you may check the factory instance and skip it if it's Xalan. Thanks, you're comment made me take a third look at the test-case in question. I was confused by the setup and overlooked that we explicitly forced the use of the JDK's factory for just a single test. By selectively setting both features I can get the test to pass and am able to use the redirect extension of a version of Xalan on the classloader I specify. I'll need to add suppport for setting features on the TransformerFactory to Ant's task as I'd prefer to not hard-code the features into the task - and enable it for be default. When removing Xalan from the classpath and using the JDK's own TransformerFactory I get , | Error! Use of the extension element 'redirect' is not allowed when the | secure processing feature is set to true. ` even with the feature enabled. So "redirect" - i.e. xmlns:redirect="http://xml.apache.org/xalan/redirect; - which I assumed to be "built-in" for the JDK's fork of Xalan as well - doesn't seem to get through with just that. I'll get this fixed in the next 1 or 2 build. (https://bugs.openjdk.java.net/browse/JDK-8165116) This is great and will simplify things a lot. Many thanks Stefan
Re: Last Ant Test Failure with JDK9 - JAXP Secure Processing and XSLT Extensions
On 2016-08-31, Joe Wang wrote: > On 8/30/16, 9:34 AM, Stefan Bodewig wrote: >> On 2016-08-29, Joe Wang wrote: >>> If you are using the built-in extension functions, try turning on the >>> following feature: >>> private static final String ENABLE_EXTENSION_FUNCTIONS = >>> "http://www.oracle.com/xml/jaxp/properties/enableExtensionFunctions;; >>> tf.setFeature(ENABLE_EXTENSION_FUNCTIONS, true); >> This is not supported by Xalan's TransformerFactoryImpl: > True, this is an impl-only feature. But Xalan doesn't need it anyways, > you may check the factory instance and skip it if it's Xalan. Thanks, you're comment made me take a third look at the test-case in question. I was confused by the setup and overlooked that we explicitly forced the use of the JDK's factory for just a single test. By selectively setting both features I can get the test to pass and am able to use the redirect extension of a version of Xalan on the classloader I specify. I'll need to add suppport for setting features on the TransformerFactory to Ant's task as I'd prefer to not hard-code the features into the task - and enable it for be default. >> When removing Xalan from the classpath and using the JDK's own >> TransformerFactory I get >> , >> | Error! Use of the extension element 'redirect' is not allowed when the >> | secure processing feature is set to true. >> ` >> even with the feature enabled. So "redirect" - >> i.e. xmlns:redirect="http://xml.apache.org/xalan/redirect; - which I >> assumed to be "built-in" for the JDK's fork of Xalan as well - doesn't >> seem to get through with just that. > I'll get this fixed in the next 1 or 2 > build. (https://bugs.openjdk.java.net/browse/JDK-8165116) This is great and will simplify things a lot. Many thanks Stefan
Re: Last Ant Test Failure with JDK9 - JAXP Secure Processing and XSLT Extensions
Hi Stefan, On 8/30/16, 9:34 AM, Stefan Bodewig wrote: Hi Joe On 2016-08-29, Joe Wang wrote: If you are using the built-in extension functions, try turning on the following feature: private static final String ENABLE_EXTENSION_FUNCTIONS = "http://www.oracle.com/xml/jaxp/properties/enableExtensionFunctions;; tf.setFeature(ENABLE_EXTENSION_FUNCTIONS, true); This is not supported by Xalan's TransformerFactoryImpl: True, this is an impl-only feature. But Xalan doesn't need it anyways, you may check the factory instance and skip it if it's Xalan. /devel/ASF/ant/build.xml:1744: Errors while applying transformations: javax.xml.transform.TransformerConfigurationException: Cannot set the feature 'http://www.oracle.com/xml/jaxp/properties/enableExtensionFunctions' on this TransformerFactory. at org.apache.xalan.processor.TransformerFactoryImpl.setFeature(TransformerFactoryImpl.java:413) When removing Xalan from the classpath and using the JDK's own TransformerFactory I get , | Error! Use of the extension element 'redirect' is not allowed when the | secure processing feature is set to true. ` even with the feature enabled. So "redirect" - i.e. xmlns:redirect="http://xml.apache.org/xalan/redirect; - which I assumed to be "built-in" for the JDK's fork of Xalan as well - doesn't seem to get through with just that. I'll get this fixed in the next 1 or 2 build. (https://bugs.openjdk.java.net/browse/JDK-8165116) If you are using user-extension functions, then add the following: private static final String EXTENSION_CLASS_LOADER = "jdk.xml.transform.extensionClassLoader"; tf.setAttribute(EXTENSION_CLASS_LOADER, cl); where cl is the user-specified ClassLoader that will load external extension function classes, e.g. runWithPermission(() -> Thread.currentThread().getContextClassLoader()) This attribute isn't supported by Xalan either. Testing this further is going to require a bit more of setup, I'll be traveling the coming days but will give it a try during the weekend. Unfortunately this is going to be cumbersome for our users as Xalan must not be on the system classloader (I'd get Xalan's TransformerFactory in that case) and tasks that didn't require any classpath management suddenly need a more extensive configration. As I mentioned above, you can skip the JDK-only process when Xalan is on the classpath, check the factory instance or catch the configuration error. Best, Joe Many thanks Stefan
Re: Last Ant Test Failure with JDK9 - JAXP Secure Processing and XSLT Extensions
Hi Joe On 2016-08-29, Joe Wang wrote: > If you are using the built-in extension functions, try turning on the > following feature: > private static final String ENABLE_EXTENSION_FUNCTIONS = > "http://www.oracle.com/xml/jaxp/properties/enableExtensionFunctions;; > tf.setFeature(ENABLE_EXTENSION_FUNCTIONS, true); This is not supported by Xalan's TransformerFactoryImpl: /devel/ASF/ant/build.xml:1744: Errors while applying transformations: javax.xml.transform.TransformerConfigurationException: Cannot set the feature 'http://www.oracle.com/xml/jaxp/properties/enableExtensionFunctions' on this TransformerFactory. at org.apache.xalan.processor.TransformerFactoryImpl.setFeature(TransformerFactoryImpl.java:413) When removing Xalan from the classpath and using the JDK's own TransformerFactory I get , | Error! Use of the extension element 'redirect' is not allowed when the | secure processing feature is set to true. ` even with the feature enabled. So "redirect" - i.e. xmlns:redirect="http://xml.apache.org/xalan/redirect; - which I assumed to be "built-in" for the JDK's fork of Xalan as well - doesn't seem to get through with just that. > If you are using user-extension functions, then add the following: > private static final String EXTENSION_CLASS_LOADER = > "jdk.xml.transform.extensionClassLoader"; > tf.setAttribute(EXTENSION_CLASS_LOADER, cl); > where cl is the user-specified ClassLoader that will load external > extension function classes, e.g. > runWithPermission(() -> > Thread.currentThread().getContextClassLoader()) This attribute isn't supported by Xalan either. Testing this further is going to require a bit more of setup, I'll be traveling the coming days but will give it a try during the weekend. Unfortunately this is going to be cumbersome for our users as Xalan must not be on the system classloader (I'd get Xalan's TransformerFactory in that case) and tasks that didn't require any classpath management suddenly need a more extensive configration. Many thanks Stefan
Re: Last Ant Test Failure with JDK9 - JAXP Secure Processing and XSLT Extensions
Hi Stefan, If you are using the built-in extension functions, try turning on the following feature: private static final String ENABLE_EXTENSION_FUNCTIONS = "http://www.oracle.com/xml/jaxp/properties/enableExtensionFunctions;; tf.setFeature(ENABLE_EXTENSION_FUNCTIONS, true); If you are using user-extension functions, then add the following: private static final String EXTENSION_CLASS_LOADER = "jdk.xml.transform.extensionClassLoader"; tf.setAttribute(EXTENSION_CLASS_LOADER, cl); where cl is the user-specified ClassLoader that will load external extension function classes, e.g. runWithPermission(() -> Thread.currentThread().getContextClassLoader()) HTH, and please let me know if it works for you. Thanks, Joe On 8/28/16, 10:03 AM, Stefan Bodewig wrote: Hi, I've been told to ask for advice here. Over the past few weeks we've adapted the Apache Ant code base to JDK 9 well enough that Ant's own test suite works - almost. The onyl remaining issue really goes back to Java 1.7 and JAXP 1.4 when secure processing was introduced. If you are running an XSLT transform and it needs extensions - say the Xalan redirect extension - you can't do it if a SecurityManager has been set. https://bz.apache.org/bugzilla/show_bug.cgi?id=51668 This is causing quite a few problems for users running Ant from within IDEs which typically install SecurityManagers. One such instance it Ant's own task which uses XSLT and the redirect extension. Back in Java 1.7 we "solved" the problem with a hack. We simply disable secure processing mode via reflection https://github.com/apache/ant/commit/fe829a9d0fa679df3ae2cc4803e5236ed2ed5c7b The module system now breaks the hack as we can no longer access the necessary field via reflection. Before we try to find new clever or stupid workarounds we may as well ask for advice on how to do it properly. This is our use-case: The user wants to execute Ant's-Task from within Eclipse which has installed a SecurityManager and the transform requires an extension. How can we make this work? Cheers Stefan
Last Ant Test Failure with JDK9 - JAXP Secure Processing and XSLT Extensions
Hi, I've been told to ask for advice here. Over the past few weeks we've adapted the Apache Ant code base to JDK 9 well enough that Ant's own test suite works - almost. The onyl remaining issue really goes back to Java 1.7 and JAXP 1.4 when secure processing was introduced. If you are running an XSLT transform and it needs extensions - say the Xalan redirect extension - you can't do it if a SecurityManager has been set. https://bz.apache.org/bugzilla/show_bug.cgi?id=51668 This is causing quite a few problems for users running Ant from within IDEs which typically install SecurityManagers. One such instance it Ant's own task which uses XSLT and the redirect extension. Back in Java 1.7 we "solved" the problem with a hack. We simply disable secure processing mode via reflection https://github.com/apache/ant/commit/fe829a9d0fa679df3ae2cc4803e5236ed2ed5c7b The module system now breaks the hack as we can no longer access the necessary field via reflection. Before we try to find new clever or stupid workarounds we may as well ask for advice on how to do it properly. This is our use-case: The user wants to execute Ant's -Task from within Eclipse which has installed a SecurityManager and the transform requires an extension. How can we make this work? Cheers Stefan
