RFR: 8338411: Implement JEP 486: Permanently Disable the Security Manager [v6]
ExE Boss
duke at openjdk.org
Sat Nov 2 22:42:07 UTC 2024
On Wed, 30 Oct 2024 19:28:32 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> This is the implementation of JEP 486: Permanently Disable the Security Manager. See [JEP 486](https://openjdk.org/jeps/486) for more details. The [CSR](https://bugs.openjdk.org/browse/JDK-8338412) describes in detail the main changes in the JEP and also includes an apidiff of the specification changes.
>>
>> NOTE: the majority (~95%) of the changes in this PR are test updates (removal/modifications) and API specification changes, the latter mostly to remove `@throws SecurityException`. The remaining changes are primarily the removal of the `SecurityManager`, `Policy`, `AccessController` and other Security Manager API implementations. There is very little new code.
>>
>> The code changes can be broken down into roughly the following categories:
>>
>> 1. Degrading the behavior of Security Manager APIs to either throw Exceptions by default or provide an execution environment that disallows access to all resources by default.
>> 2. Changing hundreds of methods and constructors to no longer throw a `SecurityException` if a Security Manager was enabled. They will operate as they did in JDK 23 with no Security Manager enabled.
>> 3. Changing the `java` command to exit with a fatal error if a Security Manager is enabled.
>> 4. Removing the hotspot native code for the privileged stack walk and the inherited access control context. The remaining hotspot code and tests related to the Security Manager will be removed immediately after integration - see [JDK-8341916](https://bugs.openjdk.org/browse/JDK-8341916).
>> 5. Removing or modifying hundreds of tests. Many tests that tested Security Manager behavior are no longer relevant and thus have been removed or modified.
>>
>> There are a handful of Security Manager related tests that are failing and are at the end of the `test/jdk/ProblemList.txt`, `test/langtools/ProblemList.txt` and `test/hotspot/jtreg/ProblemList.txt` files - these will be removed or separate bugs will be filed before integrating this PR.
>>
>> Inside the JDK, we have retained calls to `SecurityManager::getSecurityManager` and `AccessController::doPrivileged` for now, as these methods have been degraded to behave the same as they did in JDK 23 with no Security Manager enabled. After we integrate this JEP, those calls will be removed in each area (client-libs, core-libs, security, etc).
>>
>> I don't expect each reviewer to review all the code changes in this JEP. Rather, I advise that you only focus on the changes for the area (client-libs, core-libs, net, ...
>
> Sean Mullan has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 200 commits:
>
> - Merge remote-tracking branch 'jdk-sandbox/jep486' into JDK-8338411
> - Modify three RMI tests to work without the security manager:
> - test/jdk/java/rmi/registry/classPathCodebase/ClassPathCodebase.java
> - test/jdk/java/rmi/registry/readTest/CodebaseTest.java
> - test/jdk/java/rmi/server/RMIClassLoader/useCodebaseOnly/UseCodebaseOnly.java
> Also remove them from the problem list.
> - Remove two obsolete RMI tests:
> - test/jdk/java/rmi/server/RMIClassLoader/spi/ContextInsulation.java
> - test/jdk/sun/rmi/transport/tcp/disableMultiplexing/DisableMultiplexing.java
> Adjust two tests to run without the Security Manager:
> - test/jdk/java/rmi/server/RMIClassLoader/loadProxyClasses/LoadProxyClasses.java
> - test/jdk/java/rmi/server/RMIClassLoader/spi/DefaultProperty.java
> Remove all of these tests from the problem list.
> - In staticPermissionsOnly(), change "current policy binding" to "current policy" so wording is consistent with the API note that follows.
> - Added API Notes to ProtectionDomain clarifying that the current policy always
> grants no permissions. A few other small changes to Policy and PD.
> - Merge branch 'master' into jep486
> - JAXP tests: organize imports of a few tests
> - Improve description of Executors.privilegedThreadFactory
> - rename TestAppletLoggerContext.java as suggested in util test review
> - clientlibs: Javadoc cleanup
> - ... and 190 more: https://git.openjdk.org/jdk/compare/158ae51b...7958ee2b
src/java.base/share/classes/java/lang/System.java line 1364:
> 1362: * <br>
> 1363: * It is the responsibility of the provider of
> 1364: * the concrete {@code LoggerFinder} implementation to ensure that
This is still a part of the paragraph related to the security manager.
src/java.base/share/classes/java/lang/System.java line 2338:
> 2336: * Invoked by VM. Phase 3 is the final system initialization:
> 2337: * 1. eagerly initialize bootstrap method factories that might interact
> 2338: * negatively with custom security managers and custom class loaders
They might still interact negatively with custom class loaders though.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/21498#discussion_r1826864120
PR Review Comment: https://git.openjdk.org/jdk/pull/21498#discussion_r1826863295
More information about the core-libs-dev
mailing list