RFR: 8338411: Implement JEP 486: Permanently Disable the Security Manager [v2]
Daniel Fuchs
dfuchs at openjdk.org
Tue Oct 22 13:37:36 UTC 2024
On Tue, 22 Oct 2024 11:50:13 GMT, Michael McMahon <michaelm at openjdk.org> wrote:
>> Sean Mullan has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 97 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486' into JDK-8338411
>> - Change apiNote to deprecated annotation on checkAccess methods. Change method dedescription to "Does nothing".
>> - Sanitize the class descriptions of DelegationPermission and ServicePermission
>> by removing text that refers to granting permissions, but avoid changes that
>> affect the API specification, such as the description and format of input
>> parameters.
>> - Restored methods in RMIConnection to throw SecurityExceptions again but
>> with adjusted text that avoids the word "permission".
>> - Add text to class description of MBeanServer stating that implementations
>> may throw SecurityException if authorization doesn't allow access to resource.
>> - Restore text about needing permissions from the desktop environment in the
>> getPixelColor and createScreenCapture methods.
>> - Add api note to getClassContext to use StackWalker instead and
>> add DROP_METHOD_INFO option to StackWalker.
>> - Change checkAccess() methods to be no-ops, rather than throwing
>> SecurityException.
>> - Merge
>> - Merge
>> - ... and 87 more: https://git.openjdk.org/jdk/compare/f50bd0d9...f89d9d09
>
> test/jdk/java/net/URLPermission/OpenURL.java line 30:
>
>> 28: * @run main/othervm OpenURL
>> 29: */
>> 30:
>
> Do we need to keep this test at all? Or if keeping it, does it need the HTTP server simulation, since the bug only relates to the URLPermission instantiation? The test could be reduced to just the URL creation followed by the URLPermission.
It could - but technically openConnection / getInputStream could still throw if there was an issue with the provided URL. The difference here is that with a SecurityManager the connection would be rejected with a SecurityException before the connection was made. Without a security manager, the connection will go through, so you need the server simulation (can't rely on getting IOException assuming nobody would be listening).
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/21498#discussion_r1810741690
More information about the nio-dev
mailing list