Classes in jar files referenced from script elements can't see each other

Hi Thomas.

If I have a jar file A.jar that contains this single class:

  public class A implements EventListenerInitializer {
      public void initializeEventListeners(SVGDocument doc)
{
         
System.out.println("A.initializeEventListeners")
;
      }
  }

and another, B.jar, that contains another class:

  public class B implements EventListenerInitializer {
      public void initializeEventListeners(SVGDocument doc)
{
         
System.out.println("B.initializeEventListeners")
;
          try {
              Class.forName("A");
          } catch (Exception ex) {
              ex.printStackTrace();
          }
          System.out.println("done");
      }
  }   

and then reference these from an SVG file:

  <svg xmlns="http://www.w3.org/2000/svg
"
       xmlnslink=
"http://www.w3.org/1999/x
link">
    <script xlink:href="A.jar"
type="application/java-archive"/>
    <script xlink:href="B.jar"
type="application/java-archive"/>
  </svg>

I find that B cannot find the A class (in the Class.forName
call).  Is
this intended?  When two ECMAScript scripts are referenced,
the scripts
can see each other, by virtue of them both running on the
same global
object, so I don't know that it would be bad,
security-wise, to allow B
to create an A object in this manner.  What do you think?

Thanks,

Cameron

-- 
 Cameron McCormack			ICQ: 26955922
 cam (at) mcc.id.au			MSN: cam (at) mcc.id.au
 http://mcc.id.au/			JBR:
heycam (at) jabber.org

------------------------------------------------------------
---------
To unsubscribe, e-mail: batik-dev-unsubscribexmlgraphics.apache.org
For additional commands, e-mail: batik-dev-helpxmlgraphics.apache.org

My apologies if this is a stupid question (so much for the
"There are no
stupid questions") remark. I'd like to use Batik and
I've viewed the
site and building
The JSVGCanvas code but I'd like something more indepth.
Has anyone of
the experts
On this list thought about getting rich and writing a book
on
development with
Batik? If not, are there any books that I have been unable
to find on
developing
With Batik? Any information would be greatly appreciated.

Sincerely,

John Michael Resler
Software Engineer
Wichita Boeing Integrated Defense Systems
Phone : (316) 977-0442
Email : John.M.ReslerBoeing.com

Quidquid latine dictum sit, altum sonatur. 
- Whatever is said in Latin sounds profound.


------------------------------------------------------------
---------
To unsubscribe, e-mail: batik-dev-unsubscribexmlgraphics.apache.org
For additional commands, e-mail: batik-dev-helpxmlgraphics.apache.org

Hi Cameron,

Cameron McCormack <cammcc.id.au> wrote on
03/21/2006 11:56:36 PM:

> If I have a jar file A.jar that contains this single
class:
> and another, B.jar, that contains another class:
> and then reference these from an SVG file:
> 
>   <svg xmlns="http://www.w3.org/2000/svg
"
>        xmlnslink=
"http://www.w3.org/1999/x
link">
>     <script xlink:href="A.jar"
type="application/java-archive"/>
>     <script xlink:href="B.jar"
type="application/java-archive"/>
>   </svg>
> 
> I find that B cannot find the A class (in the
Class.forName call).  Is
> this intended? 

   I don't think so.  This is probably just because we
probably create 
a classloader for each jar if I had to guess.

> When two ECMAScript scripts are referenced, the scripts
> can see each other, by virtue of them both running on
the same global
> object, so I don't know that it would be bad,
security-wise, to allow B
> to create an A object in this manner.  What do you
think?

   I can think of some 'weaknesses' this might introduce
but it would
require one of the jar files to have been granted extra
privileges and
to not be expecting an attacker to be using it.  Which
mostly strikes
me as a "don't do that" kind of thing.
 

------------------------------------------------------------
---------
To unsubscribe, e-mail: batik-dev-unsubscribexmlgraphics.apache.org
For additional commands, e-mail: batik-dev-helpxmlgraphics.apache.org

Hi Thomas.

thomas.deweesekodak.com:
>    I don't think so.  This is probably just because we
probably create 
> a classloader for each jar if I had to guess.

I think that is it, too.  I don't know how easy it is to
share a class
loader but have different URL restrictions for the different
jar files
loaded, but I will investigate.

-- 
 Cameron McCormack			ICQ: 26955922
 cam (at) mcc.id.au			MSN: cam (at) mcc.id.au
 http://mcc.id.au/			JBR:
heycam (at) jabber.org

------------------------------------------------------------
---------
To unsubscribe, e-mail: batik-dev-unsubscribexmlgraphics.apache.org
For additional commands, e-mail: batik-dev-helpxmlgraphics.apache.org

Hi Resler,

"Resler, John M" <john.m.reslerboeing.com> wrote on 03/22/2006 10:32:46 
AM:

> My apologies if this is a stupid question (so much for
the "There are no
> stupid questions") remark. I'd like to use Batik
and I've viewed the
> site and building The JSVGCanvas code but I'd like
something more 
indepth.
> Has anyone of the experts On this list thought about
getting rich and 
> writing a book on development with Batik? 

   Yes, I've thought about it.  Then I talked with a friend
that wrote
a technical book and promptly changed my mind ;)

   Seriously a good treatment of Batik would be a serious
undertaking
to really describe the project you would have to cover at
least a little
of XML, DOM, CSS, SVG,  2D vector graphics, Java2D, Image
processing 
(filters).  Then you could start really talking about the
internals 
of Batik (SVGGraphics2D, JSVGCanvas, GVT, Bridge, SVGDOM,
Transcoders, 
Fonts, Text, Text Layout, Text Flow).  Not that it helps you
to point
out how much material Batik covers, fortunately most users
are really
only need to deal directly with relatively small pieces of
the whole.


   Perhaps the biggest problem I would have if I tried to
write such 
a book is that I would feel compelled to fix the little
'quirks' of 
Batik instead of just documenting them which would make it
almost 
impossible to finish the book as the target would keep
moving ;)

> If not, are there any books that I have been unable to
find on
> developing With Batik? Any information would be greatly
appreciated.

   Unfortunately I can't remember the name of it, but one
of the
SVG books had a chapter on Batik (I don't think it went
into any
serious depth but it might be a better read than our Web
site ;).

   Seriously though the Batik-users mail list archives
(which BTW
is a better place for this discussion) contains TONS of
useful 
information and lots of helpful people. 


------------------------------------------------------------
---------
To unsubscribe, e-mail: batik-dev-unsubscribexmlgraphics.apache.org
For additional commands, e-mail: batik-dev-helpxmlgraphics.apache.org

Cameron McCormack:
> I think that is it, too.  I don't know how easy it is
to share a class
> loader but have different URL restrictions for the
different jar files
> loaded, but I will investigate.

It seems to be easy enough to have a single class loader
that will look
up all of the jar files referenced in the document (just a
change to
DocumentJarClassLoader so it can specify multiple jar file
URLs).

But the main problem is that in allowing all the classes to
be defined
by the same class loader, there is the possibility of
conflicts.  This
could also be with resources in the jars.  A specific
example is that to
get the manifest file out to find the SVG-Handler-Class
entry separate
class loaders are needed.  Afterwards, a single class loader
could be
used for defining the classes.

Do you think this is acceptable?

-- 
 Cameron McCormack			ICQ: 26955922
 cam (at) mcc.id.au			MSN: cam (at) mcc.id.au
 http://mcc.id.au/			JBR:
heycam (at) jabber.org

------------------------------------------------------------
---------
To unsubscribe, e-mail: batik-dev-unsubscribexmlgraphics.apache.org
For additional commands, e-mail: batik-dev-helpxmlgraphics.apache.org

Hi Cameron,

Cameron McCormack <cammcc.id.au> wrote on
03/23/2006 08:17:53 PM:

> Cameron McCormack:
> > I think that is it, too.  I don't know how easy
it is to share a class
> > loader but have different URL restrictions for the
different jar files
> > loaded, but I will investigate.
> 
> It seems to be easy enough to have a single class
loader that will look
> up all of the jar files referenced in the document
(just a change to
> DocumentJarClassLoader so it can specify multiple jar
file URLs).
> 
> But the main problem is that in allowing all the
classes to be defined
> by the same class loader, there is the possibility of
conflicts. 

    I'm not that worried about accidental conflicts (that
is why we
use packages right?).  I wonder a little if it might make
additional
attacks possible (rather than getting the intended class it
might get
another implementation of the class from a second jar). 
Still unless
one of the jars has elevated privileges I don't see what
could be done...

> This could also be with resources in the jars.  A
specific example is 
that to
> get the manifest file out to find the SVG-Handler-Class
entry separate
> class loaders are needed.

   Is it really?  I would think that
ClassLoader.getResources would find
all of the manifest files.  You might then have to do some
filtering
to figure out which one needs to be read...

> Afterwards, a single class loader could be used for
defining the 
classes.
> 
> Do you think this is acceptable?

 

> 
> -- 
>  Cameron McCormack         ICQ: 26955922
>  cam (at) mcc.id.au         MSN: cam (at) mcc.id.au
>  http://mcc.id.au/     
   JBR: heycam (at) jabber.org
> 
>
------------------------------------------------------------
---------
> To unsubscribe, e-mail: batik-dev-unsubscribexmlgraphics.apache.org
> For additional commands, e-mail: batik-dev-helpxmlgraphics.apache.org
> 


------------------------------------------------------------
---------
To unsubscribe, e-mail: batik-dev-unsubscribexmlgraphics.apache.org
For additional commands, e-mail: batik-dev-helpxmlgraphics.apache.org

Thomas DeWeese:
>    Is it really?  I would think that
ClassLoader.getResources would find
> all of the manifest files.  You might then have to do
some filtering
> to figure out which one needs to be read...

Oh right, cool.

-- 
 Cameron McCormack			ICQ: 26955922
 cam (at) mcc.id.au			MSN: cam (at) mcc.id.au
 http://mcc.id.au/			JBR:
heycam (at) jabber.org

------------------------------------------------------------
---------
To unsubscribe, e-mail: batik-dev-unsubscribexmlgraphics.apache.org
For additional commands, e-mail: batik-dev-helpxmlgraphics.apache.org