RFR [9] 7067728: Remove stopThread default java.policy

David Holmes david.holmes at oracle.com
Thu Jan 14 10:37:34 UTC 2016


Hi Chris,

I would have expected some tests to need modifying here (or other places!).

David

On 14/01/2016 8:05 PM, Chris Hegarty wrote:
> The "stopThread” RuntimePermission is granted by default. The Thread.stop
> methods have been deprecated for more than 15 years. It seems reasonable,
> in a major release, to remove the default grant of stopThread.
>
> diff --git a/src/java.base/share/conf/security/java.policy b/src/java.base/share/conf/security/java.policy
> --- a/src/java.base/share/conf/security/java.policy
> +++ b/src/java.base/share/conf/security/java.policy
> @@ -94,17 +94,6 @@
>   // default permissions granted to all domains
>
>   grant {
> -        // Allows any thread to stop itself using the java.lang.Thread.stop()
> -        // method that takes no argument.
> -        // Note that this permission is granted by default only to remain
> -        // backwards compatible.
> -        // It is strongly recommended that you either remove this permission
> -        // from this policy file or further restrict it to code sources
> -        // that you specify, because Thread.stop() is potentially unsafe.
> -        // See the API specification of java.lang.Thread.stop() for more
> -        // information.
> -        permission java.lang.RuntimePermission "stopThread";
> -
>
> As a result of this change, untrusted code calling Thread.stop will throw a
> SecurityException, as it will not have the required permission. The solution,
> from the deployers perspective, is to add "stopThread” RuntimePermission
> to the policy file.
>
> -Chris.
>



More information about the security-dev mailing list