http://xml.apache.org/http://www.apache.org/http://www.w3.org/

Home

Overview
FAQ
License
Download
Install
Demo

In the news

Tools and Apps
Browser
Rasterizer
Font Converter
Pretty-printer

Architecture
API (Javadoc)
Generator
DOM API
JSVGCanvas
Transcoder API

Scripting Intro
Scripting Features
Java Scripting
Security

Extensions

Testing

Contributors
Mail Lists

CVS Repository
Bug Database

Status

Glossary


Introduction

With the addition of scripting support in Batik 1.5, security features have also been added to enable users of the Batik toolkit to run scripts in a secure manner. There are two major security features in Batik:


Running scripts securely

The Java platform offers a lot of options for running applications securely. Running an application securely requires that it runs in a so-called security sand-box which controls all the access the application makes to restricted resources (such as the file system).

The concept of Java security is an application-wide concept. As such, it has to be applied at the application level (and not at the framework level). In the Batik distribution, the sample applications (such as the Squiggle Browser or the SVG rasterizer) apply security (or disable it) but the framework does not apply it: it is security-aware (meaning that it is able to handle security exceptions).

Enforcing security in a Batik application

Enforcing security in a Batik application is done by setting a java.lang.SecurityManager. This security manager will apply the security settings of the Java platform (as defined by the [jre-dir]/lib/security/java.policy and, optionally, by the policy file whose url is defined in the java.security.policy system property).

The org.apache.batik.util.ApplicationSecurityEnforcer helper class makes it easier for Batik application developers to add security support in their applications. That helper class is used by the sample Batik applications.


Squiggle security

The Squiggle browser lets the user decide whether or not scripts should be run securely (see the "Browser Options" in the preference dialog box). When scripts are run securely, Squiggle will enforce the security settings as follows:

  • The default policy is defined by the policy file found in the distribution: org/apache/batik/apps/svgbrowser/svgbrowser.policy. In the binary distribution, that file would be in the batik-svgbrowser.jar file. In the source distribution, that file would be in the resources directory. The default policy file gives appropriate permissions to the Batik code, the XML parser and the Rhino scripting engine and very limited permissions to scripts.
  • At startup time, and whenever the preference settings are modified, Squiggle makes a copy of the default policy and appends any additional permissions granted to scripts by the user through the preference settings. This policy file can be found in the [user.home]/.batik directory. It is called __svgbrowser.policy. Note that this file is automatically generated and should not be modified manually (as any edits would be lost).
  • The policy defined as described above is enforced unless the java.security.policy system property is defined. In that case, the policy defined by the system property takes precedence and the policy file generated from the Squiggle preferences is ignored.

Important Note

The default policy files assume that the applications use the Crimson parser and give appropriate permissions to its lib/crimson-parser.jar JAR file. If you are using a different XML parser, you need to modify the policy files to grant the propser permissions to your XML parser instead of Crimson. You will have to replace: 

grant codeBase "${app.dev.base}/lib/crimson-parser.jar" {
  permission java.security.AllPermission;
};

with:

grant codeBase "${app.dev.base}/lib/myXMLParser.jar" {
  permission java.security.AllPermission;
};

in the resources/org/apache/batik/apps/svgbrowser/resources/svgbrowser.policy file (for the source distribution) and do the same in resources/org/apache/batik/apps/svgbrowser/resources/svgbrowser.bin.policy (for the binary distribution which will then need to be rebuilt with the build dist-zip command.

Alternatively, you can write your own policy file and specify its url through the java.security.policy system property (which you can specify through the -Djava.security.policy=<url> command line option).



Controlling access to external resources

SVG makes a very powerful use of external resources in many elements such as <image>, <use>, <font>, <script> or <radialGradients>. There are over fifteen SVG elements which may reference external resources that way.

In some environments, and typically for security reasons, it is important to control the resources referenced by an SVG document and be able to accept or reject these resources.

In the Batik toolkit, this flexibility is provided by the org.apache.batik.bridge.UserAgent interface which can define various strategies with regards to external resources. By providing a new implementation of the UserAgent interface, it is possible to apply the desired security strategy for scripts and external resources.

The following UserAgent methods a provided for that purpose:

  • getScriptSecurity(scriptType, scriptURL, docURL) should return the ScriptSecurity strategy for a script of type scriptType (e.g., text/ecmascript) coming from scriptURL. when referenced from the document whose url is docURL.
  • getExternalResourceSecurity(resourceURL, docURL) should return the ExternalResourceSecurity for a resource coming from resourceURL referenced from the document at url docURL

The ScriptSecurity and ExternalResourceSecurity interfaces have methods (checkLoadScript and checkLoadExternalResource respectively) which should throw a SecurityException if the script or resource is considered a security threat.

Notethe UserAgent interface has two additional methods (checkLoadScript and checkLoadExternalResource which are meant to provide a short hand for getting a security strategy object and calling the checkLoadXXX method on that object. This is how the org.apache.batik.bridge.UserAgentAdapter implements this method.

Batik provides the following set of ScriptSecurity implementations:

  • NoLoadScriptSecurity. The scrip resource should not be loaded
  • EmbededScriptSecurity. The script resource will only be loaded if it is embeded in the SVG document referencing it. This means that script attributes (such as onclick on a <rect> element is allowed), inline <script> elements and <script> elements using a data: url (i.e., the script content is Base 64 encoded into the script's xlink:href's value) will be allowed. All other script resources should not be loaded.
  • DefaultScriptSecurity. The script resource will only be loaded if it is embeded in the SVG document (see the description of EmbededScriptSecurity) or if it is coming from the same location as the document referencing the script. If the document comes from a network server, then any script coming from that server will be allowed. If the document comes from the file system, then only scripts under the same directory root as the SVG document will be allowed.
  • RelaxedScriptSecurity. Scripts from any location can be loaded.

In addition, Batik provides the following set of ExternalResourceSecurity implementations:

  • NoLoadExternalResourceSecurity. No external references are allowed
  • EmbededExternalResourceSecurity. Only resources embeded into the file are allowed (i.e., references through the data: protocol
  • DefaultExternalResourceSecurity. Embeded external resources (see above) and resources coming from the same location as the document referencing them are allowed.
  • RelaxedExternalResourceSecurity. Resources from any location can be loaded.


Copyright © 2000-2002 The Apache Software Foundation. All Rights Reserved.