RFR: JDK-8210274: Source Launcher should work with a security manager

Jonathan Gibbons jonathan.gibbons at oracle.com
Tue Sep 11 20:33:48 UTC 2018



On 09/11/2018 12:53 PM, Sean Mullan wrote:
> I have looked over the changes and they look reasonable, though I am 
> not very familiar with this code.
>
> I was wondering, when running with the PermissiveTestSecurityManager 
> did you also have to enable security debugging (ex: 
> java.security.debug=access) so that you log the permissions that were 
> required? If so, it might be helpful to add that to the comments in 
> the test. If not, how did you figure that out? - it's not immediately 
> apparent when looking at the code.
>
> --Sean 

Sean,

Thanks for looking at this.

I did not need to enable any security debugging when using the 
PermissiveTestSecurityManager. For the most part, the basic security 
infrastructure was good enough by itself, since it reported enough 
information in the SecurityExceptions to be able to easily determine the 
missing but required permissions. It helped to have a sense of what 
permissions might be required, such as file access, system properties, and 
permissions for class loaders and reflections in some limited parts of 
javac, and the corresponding tests in the test suite. The most "tedious" 
part was just running the tests until all the issues had been found and 
fixed, but that being said, the overall process converged pretty quickly.

I will note that PermissiveTestSecurityManager arrived late in the game 
for this work. For the most part, I was using the plain standard 
security manager, and was adding permissions for tests as needed in a 
custom policy file that I also specified on the jtreg command line. That 
work could never have been checked in, since it involved lots of 
host-specific paths in the additional policy file. It was only later on 
that I came up with the idea of using first a custom security manager, 
and from there, the idea of using a custom policy in the custom security 
manager. The use of PermissiveTestSecurityManager made it much faster 
to find and fix all remaining issues and enabled me to achieve the goal 
of getting all javac tests to work, instead of settling for most tests. 
(I had previously been prepared to set aside and ignore the main block 
of annotation processing tests.)

-- Jon
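
The workflow described in the message above (read the missing permissions out of the SecurityExceptions, then add them to a policy file) can be sketched as follows. This is an added example, not part of the original message or of the JDK sources. The function names and the sample log are constructed for illustration, and the input is assumed to carry the standard `access denied (...)` text of `AccessControlException`.

```python
import re
from collections import defaultdict

# Shape of Permission.toString() inside an AccessControlException message:
#   access denied ("<class>" "<name>" "<actions>")   (actions may be absent)
DENIED = re.compile(
    r'access denied \("(?P<cls>[^"]+)" "(?P<name>[^"]*)"(?: "(?P<actions>[^"]*)")?\)'
)

# Constructed sample test output, not taken from a real jtreg run.
SAMPLE_LOG = """\
java.security.AccessControlException: access denied ("java.io.FilePermission" "/home/alice/work/classes" "read")
java.security.AccessControlException: access denied ("java.io.FilePermission" "/home/alice/work/classes" "write")
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "user.dir" "read")
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "createClassLoader")
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "createClassLoader")
"""

def collect_denials(log_text):
    """Map (permission class, target name) -> set of denied actions."""
    found = defaultdict(set)
    for m in DENIED.finditer(log_text):
        actions = m.group("actions") or ""
        found[(m.group("cls"), m.group("name"))].update(
            a.strip() for a in actions.split(",") if a.strip())
    return dict(found)

def host_specific(denials):
    """FilePermission targets that are absolute paths tie a policy to one machine."""
    return sorted(name for (cls, name) in denials
                  if cls == "java.io.FilePermission"
                  and (name.startswith("/") or re.match(r"[A-Za-z]:\\", name)))

def to_policy(denials):
    """Render the denials as one grant block in Java policy-file syntax."""
    lines = ["grant {"]
    for (cls, name), actions in sorted(denials.items()):
        escaped = name.replace("\\", "\\\\")  # policy files treat backslash as an escape
        suffix = ', "%s"' % ",".join(sorted(actions)) if actions else ""
        lines.append('    permission %s "%s"%s;' % (cls, escaped, suffix))
    lines.append("};")
    return "\n".join(lines)

if __name__ == "__main__":
    denials = collect_denials(SAMPLE_LOG)
    print(to_policy(denials))
    for path in host_specific(denials):
        print("host-specific path, review before committing:", path)
```

The `host_specific` check reflects the problem the message describes: a policy file built this way collects absolute paths from the machine the tests ran on, so those entries need review before the file is shared.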

