RFR: 8344365: SecurityManager cleanups in java.sql and java.sql.rowset modules

Alan Bateman alanb at openjdk.org
Mon Nov 18 07:18:49 UTC 2024


On Sun, 17 Nov 2024 19:01:24 GMT, Eirik Bjørsnøs <eirbjo at openjdk.org> wrote:

> Please review this PR which cleans up SecurityManager-related code in `java.sql` and `java.sql.rowset` modules post JEP-486
> 
> There are quite a few changes to review, but all relatively straightforward:
> 
> `DriverManager`
> * Remove `SecurityManager::checkPermission` calls in the `setLogWriter`, `setLogStream` and `deregisterDriver` methods
> * Remove two now-unused package private SQLPermission constants
> * `ensureDriversInitialized` is updated to remove `AccessController::doPrivileged` when reading a system property and when initializing drivers
> 
> `CachedRowSetImpl`
> *  Remove `AccessController::doPrivileged` when getting a `SyncFactory` instance
> * `getObject` is update to remove a call to `ReflectUtil::checkPackageAccess`
> 
> `CachedRowSetWriter`
> * A call to `ReflectUtil::checkPackageAccess` is removed.
> 
> `SerialJavaObject`
> *  `getFields` is updated to remove call to `ReflectUtil::checkPackageAccess`. `@CallerSensitive` is no longer needed for this method.
> 
> `SyncFactory`
> * `initMapIfNecessary` is updated to remove call to `AccessController::doPrivileged` when reading system properties and when reading properties from an input stream
> * `getInstance` is updated to remove calls to `ReflectUtil::checkPackageAccess`
> * `setLogger` method is updated to remove call to `SecurityManager::checkPermission`
> * `setJNDIContext` methods are updated to remove call to `SecurityManager::checkPermission`
> 
> `RowsetProvider`
> *  Static initializer is updated to call `System::getProperty` directly
> * `newFactory` is updated to call `System::getProperty` directly
> * `newFactory` is updated to not call `ReflectUtil.checkPackageAccess`
> * `getContextClassLoader` is updated to not call `AccessController::doPrivileged`
> * `getFactoryClass` is updated to not call `ReflectUtil.checkPackageAccess`
> * `getSystemProperty` is removed
> 
> 
> `SQLInputImpl`
> *  A call to `ReflectUtil::checkPackageAccess` is removed
> 
> `XmlReaderContentHandler::endElement`
> * Replace `ReflectUtil.forName` with `Class::forName`
> 
>  `TestPolicy.java` in `test/java/sql/testng/util`
> * This  is now unused and removed
> 
> Ran `test/jdk/java/sql` and `test/jdk/javax/sql` tests locally. GHA results pending.

I think Brent and/or Lance have been working on this already. If you are taking this, can you remove src/java.sql.rowset/share/classes/com/sun/rowset/internal/XmlReaderContentHandler.java from the patch as it introduces a behavioural change that may require further work.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/22185#issuecomment-2482131898


More information about the core-libs-dev mailing list