RFR: JDK-8075706 : Policy implementation does not allow policy.provider to be on the class path

Sean Mullan sean.mullan at oracle.com
Mon May 4 19:56:30 UTC 2015


On 05/04/2015 01:15 PM, Mandy Chung wrote:
>
>
> On 05/04/2015 05:31 AM, Sean Mullan wrote:
>>
>>> CustomPolicy.implies
>>>
>>>    50         if (pd == policyPd) {
>>>    51             return true;
>>>    52         }
>>>
>>> This is okay for the test.  Just for my understanding, for real world
>>> custom policy, should it check the code source in case the sensitive
>>> operation triggering a permission check involving other classes?
>>
>> Permissions are granted per ProtectionDomain (PD) so this is
>> sufficient. However, typically the policy provider would be in a
>> separate PD from other code (for example, by packaging it in a
>> separate JAR file), but this is sufficient for testing purposes. If
>> you remove the lines above from the test, you will get a
>> StackOverflowError.
>
> Right this is sufficient for testing purpose.
>
> My comment is only for my understanding of the internal implementation.
> I see that SecureClassLoader caches one ProtectionDomain per code source
> and so checking "==" PD instance works most of the cases (maybe all
> cases in practice) while a custom class loader could instantiate
> different PD objects to define classes from the same code source.
> Anyway, no change is needed for the test.

Ok. I will be thinking more about this issue later. Right now I just 
want to gently fix this issue without changing the code too much :)

--Sean





More information about the security-dev mailing list