RFR (JAXP) JDK-8067170: Enable security manager on JAXP unit tests
Daniel Fuchs
daniel.fuchs at oracle.com
Fri Jul 22 07:58:35 UTC 2016
Hi Frank,
I see that in order to be able to run the tests, you were forced
to add a few permissions that the test/test infrastructure need
to setup things:
107 addPermission(new SecurityPermission("getPolicy"));
108 addPermission(new SecurityPermission("setPolicy"));
109 addPermission(new RuntimePermission("getClassLoader"));
110 addPermission(new RuntimePermission("createClassLoader"));
111 addPermission(new RuntimePermission("setSecurityManager"));
112 addPermission(new RuntimePermission("createSecurityManager"));
113 addPermission(new RuntimePermission("modifyThread"));
114 addPermission(new PropertyPermission("*", "read, write"));
115 addPermission(new ReflectPermission("suppressAccessChecks"));
116 addPermission(new RuntimePermission("setIO"));
117 addPermission(new RuntimePermission("setContextClassLoader"));
118 addPermission(new RuntimePermission("accessDeclaredMembers"));
These are quite powerful permissions, and adding them by default
also means that you might miss a bug - if e.g. a doPrivileged is
missing somewhere in the JAXP code when jaxp tries to e.g. get/create
a classloader, or read a system property, you might not see
it.
I had a similar issue when writing logging test, were I wanted
to temporarily disable permission checking in the middle of a test
to perform an infrastructure configuration.
So what I did is use an ThreadLocal<AtomicBoolean> to temporarily
disable permission checking - which allows me in my tests to do things
like:
boolean before = allowAll.get().get();
allowAll.get().set(true);
try {
do something that requires a permission
} finally {
allowAll.get().set(before);
}
My implementation of Policy::implies also checks for
if (allowAll.get().get()) return true;
This allows me to control more tightly the set of permissions
I want my test to run under, while still being able to
perform any action I want to set up things without having
to give the same permission to all.
Hope this helps,
-- daniel
On 22/07/16 07:59, Frank Yuan wrote:
> According to Amy's suggestion, re-generate a webrev http://cr.openjdk.java.net/~fyuan/8067170/webrev.01/ as well as fix some issues,
> please check.
>
> Thanks
> Frank
>
>> -----Original Message-----
>> From: Amy Lu [mailto:amy.lu at oracle.com]
>> Sent: Monday, July 18, 2016 5:42 PM
>> To: Frank Yuan; 'core-libs-dev'
>> Subject: Re: RFR (JAXP) JDK-8067170: Enable security manager on JAXP unit tests
>>
>> On 7/18/16 5:32 PM, Frank Yuan wrote:
>>> Btw, I moved internaltest into unittest because it's unnecessary to separate them.
>>
>> Maybe you'd like to regenerate the webrev with hg move for those files?
>>
>> Thanks,
>> Amy
>
>
More information about the core-libs-dev
mailing list