RFR: (XS) 8162916:Test sun/security/krb5/auto/UnboundSSL.java fails

Artem Smotrakov artem.smotrakov at oracle.com
Wed Aug 17 17:18:48 UTC 2016 

Sorry, my bad, I didn't notice '9-na' label.

I suppose that code from ext directory should have all permissions:

artem at artem-laptop:$ cat ~/jdk/jdk1.8.0_92b14/jre/lib/security/java.policy

// Standard extensions get all permissions by default

grant codeBase "file:${{java.ext.dirs}}/*" {
         permission java.security.AllPermission;
};

// default permissions granted to all domains
...

I am wondering if it would be better it the test didn't override the 
default policy.

Artem

On 08/17/2016 10:12 AM, Seán Coffey wrote:
> Hi Artem,
>
> Sorry - should have said that this is for jdk8u-dev. The bug is marked 
> 9-na. The provider loading changes made in this area for 9 mean that 
> it's not affected.
>
> Regards,
> Sean.
>
> On 17/08/16 18:10, Artem Smotrakov wrote:
>> Hi Sean,
>>
>> If I remember correctly, there is no ext directory in JDK 9 any more.
>>
>> I don't see in jtr file that "java.ext.dirs" system property is 
>> passed to the test. If I understand correctly, 
>> "file:${{java.ext.dirs}}/*" becomes "file:/*" which seems to grand 
>> all permissions to all the code. It doesn't look correct for this test.
>>
>> It looks like the test overrides the default policy, please see in 
>> jtr file
>>
>> -Djava.security.policy==/export/home/gtee/scripts/Results/workDir/scratch_2/unbound.ssl.policy_new 
>> \\
>>
>> If I recall correctly, there should be a way to specify a policy file 
>> in @run without overriding the default one. May be it is "@run 
>> main/othervm/java.security.policy=unbound.ssl.policy_new"
>>
>> Artem
>>
>>
>> On 08/17/2016 09:53 AM, Seán Coffey wrote:
>>> A recently added test case lacks sufficient permissions to read a 
>>> conf file when running with security manager.
>>>
>>> bug report : https://bugs.openjdk.java.net/browse/JDK-8162916
>>>
>>> proposed patch :
>>>  diff --git a/test/sun/security/krb5/auto/unbound.ssl.policy 
>>> b/test/sun/security/krb5/auto/unbound.ssl.policy
>>> --- a/test/sun/security/krb5/auto/unbound.ssl.policy
>>> +++ b/test/sun/security/krb5/auto/unbound.ssl.policy
>>> @@ -1,7 +1,13 @@
>>> +// Standard extensions get all permissions by default
>>> +
>>> +grant codeBase "file:${{java.ext.dirs}}/*" {
>>> +        permission java.security.AllPermission;
>>> +};
>>> +
>>>  grant {
>>>      permission java.util.PropertyPermission "*", "read,write";
>>>      permission java.net.SocketPermission "*:*", 
>>> "listen,resolve,accept,connect";
>>> -    permission java.io.FilePermission "*", "read,write,delete";
>>> +    permission java.io.FilePermission "<<ALL FILES>>", 
>>> "read,write,delete";
>>>      permission java.lang.RuntimePermission "accessDeclaredMembers";
>>>      permission java.lang.reflect.ReflectPermission 
>>> "suppressAccessChecks";
>>>      permission java.lang.RuntimePermission "accessClassInPackage.*";
>>>
>>
>

More information about the security-dev mailing list