Merging in SecuritySupport code from the tck-jaxp-1_2_0 branch.

git-svn-id: https://svn.apache.org/repos/asf/xml/commons/trunk@226249 13f79535-47bb-0310-9956-ffa450edef68

java/external/src/org/xml/sax/helpers/SecuritySupport.java

@@ -0,0 +1,95 @@
+/*
+ * Copyright 2002-2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.xml.sax.helpers;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.InputStream;
+
+/**
+ * This class is duplicated for each JAXP subpackage so keep it in sync.
+ * It is package private and therefore is not exposed as part of the JAXP
+ * API.
+ *
+ * Base class with security related methods that work on JDK 1.1.
+ */
+class SecuritySupport {
+
+    /*
+     * Make this of type Object so that the verifier won't try to
+     * prove its type, thus possibly trying to load the SecuritySupport12
+     * class.
+     */
+    private static final Object securitySupport;
+
+    static {
+	SecuritySupport ss = null;
+	try {
+	    Class c = Class.forName("java.security.AccessController");
+	    // if that worked, we're on 1.2.
+	    /*
+	     * Unfortunately, we can't load the class using reflection
+	     * because the class is package private.  And the class has
+	     * to be package private so the APIs aren't exposed to other
+	     * code that could use them to circumvent security.  Thus,
+	     * we accept the risk that the direct reference might fail
+	     * on some JDK 1.1 JVMs, even though we would never execute
+	     * this code in such a case.  Sigh...
+	     */
+	    ss = new SecuritySupport12();
+	} catch (Exception ex) {
+	    // ignore it
+	} finally {
+	    if (ss == null)
+		ss = new SecuritySupport();
+	    securitySupport = ss;
+	}
+    }
+
+    /**
+     * Return an appropriate instance of this class, depending on whether
+     * we're on a JDK 1.1 or J2SE 1.2 (or later) system.
+     */
+    public static SecuritySupport getInstance() {
+	return (SecuritySupport)securitySupport;
+    }
+
+    public ClassLoader getContextClassLoader() {
+	return null;
+    }
+
+    public String getSystemProperty(String propName) {
+        return System.getProperty(propName);
+    }
+
+    public FileInputStream getFileInputStream(File file)
+        throws FileNotFoundException
+    {
+        return new FileInputStream(file);
+    }
+
+    public InputStream getResourceAsStream(ClassLoader cl, String name) {
+        InputStream ris;
+        if (cl == null) {
+            ris = ClassLoader.getSystemResourceAsStream(name);
+        } else {
+            ris = cl.getResourceAsStream(name);
+        }
+        return ris;
+    }
+}

java/external/src/org/xml/sax/helpers/SecuritySupport12.java

@@ -0,0 +1,90 @@
+/*
+ * Copyright 2002-2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.xml.sax.helpers;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.InputStream;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+
+/**
+ * This class is duplicated for each JAXP subpackage so keep it in sync.
+ * It is package private and therefore is not exposed as part of the JAXP
+ * API.
+ *
+ * Security related methods that only work on J2SE 1.2 and newer.
+ */
+class SecuritySupport12 extends SecuritySupport {
+
+    public ClassLoader getContextClassLoader() {
+	return (ClassLoader)
+		AccessController.doPrivileged(new PrivilegedAction() {
+	    public Object run() {
+		ClassLoader cl = null;
+		try {
+		    cl = Thread.currentThread().getContextClassLoader();
+		} catch (SecurityException ex) { }
+		return cl;
+	    }
+	});
+    }
+
+    public String getSystemProperty(final String propName) {
+	return (String)
+            AccessController.doPrivileged(new PrivilegedAction() {
+                public Object run() {
+                    return System.getProperty(propName);
+                }
+            });
+    }
+
+    public FileInputStream getFileInputStream(final File file)
+        throws FileNotFoundException
+    {
+	try {
+            return (FileInputStream)
+                AccessController.doPrivileged(new PrivilegedExceptionAction() {
+                    public Object run() throws FileNotFoundException {
+                        return new FileInputStream(file);
+                    }
+                });
+	} catch (PrivilegedActionException e) {
+	    throw (FileNotFoundException)e.getException();
+	}
+    }
+
+    public InputStream getResourceAsStream(final ClassLoader cl,
+                                           final String name)
+    {
+        return (InputStream)
+            AccessController.doPrivileged(new PrivilegedAction() {
+                public Object run() {
+                    InputStream ris;
+                    if (cl == null) {
+                        ris = ClassLoader.getSystemResourceAsStream(name);
+                    } else {
+                        ris = cl.getResourceAsStream(name);
+                    }
+                    return ris;
+                }
+            });
+    }
+}

java/external/src/org/xml/sax/helpers/XMLReaderFactory.java

@@ -105,6 +105,7 @@ final public class XMLReaderFactory
     throws SAXException
     {
         String		className = null;
+        SecuritySupport ss = SecuritySupport.getInstance();
         ClassLoader	loader = NewInstance.getClassLoader ();
         
         // 1. try the JVM-instance-wide system property
@@ -113,23 +114,60 @@ final public class XMLReaderFactory
         
         // 2. if that fails, try META-INF/services/
         if (className == null) {
-	    try {
             String      service = "META-INF/services/" + property;
-		InputStream	in;
-		BufferedReader	reader;
             
-		if (loader == null)
+            InputStream is = null;
-		    in = ClassLoader.getSystemResourceAsStream (service);
-		else
-		    in = loader.getResourceAsStream (service);
             
-		if (in != null) {
+            // First try the Context ClassLoader
-		    reader = new BufferedReader (
+            ClassLoader cl = ss.getContextClassLoader();
-			    new InputStreamReader (in, "UTF8"));
+            if (cl != null) {
-		    className = reader.readLine ();
+                is = ss.getResourceAsStream(cl, service);
-		    in.close ();
+                
+                // If no provider found then try the current ClassLoader
+                if (is == null) {
+                    cl = XMLReaderFactory.class.getClassLoader();
+                    is = ss.getResourceAsStream(cl, service);
+                }
+            } else {
+                // No Context ClassLoader or JDK 1.1 so try the current
+                // ClassLoader
+                cl = XMLReaderFactory.class.getClassLoader();
+                is = ss.getResourceAsStream(cl, service);
+            }
+            
+            if (is != null) {
+                
+                // Read the service provider name in UTF-8 as specified in
+                // the jar spec.  Unfortunately this fails in Microsoft
+                // VJ++, which does not implement the UTF-8
+                // encoding. Theoretically, we should simply let it fail in
+                // that case, since the JVM is obviously broken if it
+                // doesn't support such a basic standard.  But since there
+                // are still some users attempting to use VJ++ for
+                // development, we have dropped in a fallback which makes a
+                // second attempt using the platform's default encoding. In
+                // VJ++ this is apparently ASCII, which is a subset of
+                // UTF-8... and since the strings we'll be reading here are
+                // also primarily limited to the 7-bit ASCII range (at
+                // least, in English versions), this should work well
+                // enough to keep us on the air until we're ready to
+                // officially decommit from VJ++. [Edited comment from
+                // jkesselm]
+                BufferedReader rd;
+                try {
+                    rd = new BufferedReader(new InputStreamReader(is, "UTF-8"));
+                } catch (java.io.UnsupportedEncodingException e) {
+                    rd = new BufferedReader(new InputStreamReader(is));
+                }
+                
+                try {
+                    // XXX Does not handle all possible input as specified by the
+                    // Jar Service Provider specification
+                    className = rd.readLine();
+                    rd.close();
+                } catch (Exception x) {
+                    // No provider found
                 } 
-	    } catch (Exception e) {
             }
         }