Here are a few tips on how to run Apache Cocoon under the SecurityManager. I'm assuming here that Cocoon is deployed into the Apache Tomcat 5 application server, which is started with:

    catalina start -security

So, in order to make Cocoon run in this environment, follow these steps:

- In the WEB-INF/cocoon.xconf file, replace EHCache with the default store implementation:

    <store logger="core.store" class="org.apache.cocoon.components.store.impl.DefaultStore">
      <parameter name="maxobjects" value="1000"/>
      <parameter name="use-persistent-cache" value="false"/>
    </store>

  (EHCache tries to set java.tmp.dir - that shouldn't be allowed.)

- In WEB-INF/logkit.xconf, point to a directory with write access (in this example I'll use the Cocoon working directory):

    <filename>${work-directory}/logs/cocoon.log</filename>

- In $CATALINA_HOME/conf/catalina.policy, add the following entries to the last grant block:

    // File Encoding Property
    permission java.util.PropertyPermission "file.property", "read";

    // XML SAX and DOM Parsers Configuration Properties
    permission java.util.PropertyPermission "org.xml.sax.driver", "read";
    permission java.util.PropertyPermission "org.apache.cocoon.components.parser.Parser", "read";
    permission java.util.PropertyPermission "org.apache.excalibur.xml.sax.SAXParser", "read";
    permission java.util.PropertyPermission "javax.xml.parsers.SAXParserFactory", "read";
    permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory", "read";

    // XML Catalog Properties
    permission java.util.PropertyPermission "xml.catalog.ignoreMissing", "read";
    permission java.util.PropertyPermission "xml.catalog.files", "read";
    permission java.util.PropertyPermission "xml.catalog.staticCatalog", "read";
    permission java.util.PropertyPermission "xml.catalog.className", "read";
    permission java.util.PropertyPermission "xml.catalog.prefer", "read";
    permission java.util.PropertyPermission "user.dir", "read";

    // Cocoon ClassLoader
    permission java.lang.RuntimePermission "createClassLoader";

With the above config, you get a nicely working Cocoon core with one caveat: there is some class loading issue with flow, even if you give it all the permissions it needs. Weird. If you have luck with it, let me know.
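
An added example, not from the original post: a small Python check that parses policy grant blocks like the one edited above and flags entries that go beyond read-only property access, or that give createClassLoader to a grant with no codeBase (such a grant applies to all code the policy covers). The sample policy text and the webapps/cocoon codeBase are constructed assumptions, and only whole-line // comments are handled.

```python
import re

# Constructed sample (not a real catalina.policy): some of the post's entries in
# an unscoped grant, plus a grant scoped to a hypothetical Cocoon webapp codeBase.
SAMPLE_POLICY = '''
grant {
    permission java.util.PropertyPermission "org.xml.sax.driver", "read";
    permission java.util.PropertyPermission "user.dir", "read";
    permission java.lang.RuntimePermission "createClassLoader";
};
grant codeBase "file:${catalina.home}/webapps/cocoon/-" {
    permission java.lang.RuntimePermission "createClassLoader";
    // constructed: a write grant like the one EHCache would need
    permission java.util.PropertyPermission "java.tmp.dir", "read,write";
};
'''

# The grant header may contain quoted strings with braces (e.g. ${catalina.home}).
GRANT_RE = re.compile(r'grant\b((?:[^{"]|"[^"]*")*)\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')
POWERFUL_RUNTIME = {"createClassLoader", "setSecurityManager", "createSecurityManager"}

def parse_policy(text):
    """Return [(codeBase or None, [(class, name, actions), ...]), ...]."""
    text = re.sub(r'^\s*//.*$', '', text, flags=re.M)  # whole-line comments only
    grants = []
    for header, body in GRANT_RE.findall(text):
        cb = re.search(r'codeBase\s+"([^"]*)"', header)
        grants.append((cb.group(1) if cb else None, PERM_RE.findall(body)))
    return grants

def audit(text):
    """Flag grants that go beyond scoped, read-only access."""
    findings = []
    for code_base, perms in parse_policy(text):
        scope = code_base or "ALL CODE"
        for cls, name, actions in perms:
            kind = cls.rsplit(".", 1)[-1]
            if kind == "AllPermission":
                findings.append((scope, "AllPermission"))
            elif kind == "PropertyPermission" and "write" in actions:
                findings.append((scope, "property write: " + name))
            elif kind == "RuntimePermission" and name in POWERFUL_RUNTIME and code_base is None:
                findings.append((scope, "unscoped RuntimePermission: " + name))
    return findings

if __name__ == "__main__":
    for scope, issue in audit(SAMPLE_POLICY):
        print(f"{scope}: {issue}")
```
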
As many people know, Cocoon can be configured with an alternative XSLT processor, SAXON, instead of the default one, Xalan (off topic: when will these guys facelift their website???).
But why would you want to go to the trouble of switching the processor? There are several things you might gain (YMMV, as usual):
The other side of the coin includes:

- disable-output-escaping does not work properly. Even though it's evil, sometimes it is necessary. Read below for the fix.

If you have decided to take the plunge and make the switch, here is how you can do it:

- Copy saxon.jar into the cocoon/lib/local folder if you are working with a Cocoon SVN checkout or source release download, or into the ./WEB-INF/lib folder if you are working with a Cocoon based web application.

- In cocoon.xconf, uncomment the XSLT processor section:

    <!--+
        | Saxon XSLT Processor
        | For old (6.5.2) Saxon use:
        |  <parameter name="transformer-factory" value="com.icl.saxon.TransformerFactoryImpl"/>
        | For new (7+) Saxon use:
        |  <parameter name="transformer-factory" value="net.sf.saxon.TransformerFactoryImpl"/>
        +-->
    <component logger="core.xslt-processor"
               role="org.apache.excalibur.xml.xslt.XSLTProcessor/saxon"
               class="org.apache.excalibur.xml.xslt.XSLTProcessorImpl">
      <parameter name="use-store" value="true"/>
      <parameter name="transformer-factory" value="net.sf.saxon.TransformerFactoryImpl"/>
    </component>

  Check the value of the transformer-factory parameter.

    <!-- Xpath Processor: -->
    <xpath-processor class="org.apache.excalibur.xml.xpath.Saxon7ProcessorImpl"
                     logger="core.xpath-processor"/>

- In sitemap.xmap, edit the XSLT transformer section:

    <!-- NOTE: This is the default XSLT processor. -->
    <map:transformer name="xslt" logger="sitemap.transformer.xslt" pool-max="32"
                     src="org.apache.cocoon.transformation.TraxTransformer">
      <use-request-parameters>false</use-request-parameters>
      <use-session-parameters>false</use-session-parameters>
      <use-cookie-parameters>false</use-cookie-parameters>
      <xslt-processor-role>saxon</xslt-processor-role>
      <check-includes>true</check-includes>
    </map:transformer>

- For the disable-output-escaping and character entities issues noted above, it's possible to switch the serializer(s) back to Xalan using this (lesser known) configuration parameter. In sitemap.xmap, edit your serializer entries like this:

    <map:serializer name="html" mime-type="text/html" pool-max="32"
                    logger="sitemap.serializer.html"
                    src="org.apache.cocoon.serialization.HTMLSerializer">
      <doctype-public>-//W3C//DTD HTML 4.01 Transitional//EN</doctype-public>
      <doctype-system>http://www.w3.org/TR/html4/loose.dtd</doctype-system>
      <encoding>UTF-8</encoding>
      <transformer-factory>org.apache.xalan.processor.TransformerFactoryImpl</transformer-factory>
    </map:serializer>

  I find that it is cleaner to change configuration instead of modifying saxon.jar.

PS: Environment: JDK 1.4.X, Cocoon 2.1.X, SAXON 7.9.X.