RFR: JDK-8075706 : Policy implementation does not allow policy.provider to be on the class path
Sean Mullan
sean.mullan at oracle.com
Mon May 4 19:56:30 UTC 2015
On 05/04/2015 01:15 PM, Mandy Chung wrote:
>
>
> On 05/04/2015 05:31 AM, Sean Mullan wrote:
>>
>>> CustomPolicy.implies
>>>
>>> 50 if (pd == policyPd) {
>>> 51 return true;
>>> 52 }
>>>
>>> This is okay for the test. Just for my understanding, for real world
>>> custom policy, should it check the code source in case the sensitive
>>> operation triggering a permission check involving other classes?
>>
>> Permissions are granted per ProtectionDomain (PD) so this is
>> sufficient. However, typically the policy provider would be in a
>> separate PD from other code (for example, by packaging it in a
>> separate JAR file), but this is sufficient for testing purposes. If
>> you remove the lines above from the test, you will get a
>> StackOverflowError.
>
> Right this is sufficient for testing purpose.
>
> My comment is only for my understanding of the internal implementation.
> I see that SecureClassLoader caches one ProtectionDomain per code source
> and so checking "==" PD instance works most of the cases (maybe all
> cases in practice) while a custom class loader could instantiate
> different PD objects to define classes from the same code source.
> Anyway, no change is needed for the test.
Ok. I will be thinking more about this issue later. Right now I just
want to gently fix this issue without changing the code too much :)
--Sean
More information about the security-dev
mailing list