RFR [9] 7067728: Remove stopThread default java.policy

Chris Hegarty chris.hegarty at oracle.com
Thu Jan 14 17:19:59 UTC 2016


On 14 Jan 2016, at 16:52, Mandy Chung <mandy.chung at oracle.com> wrote:

>> On Jan 14, 2016, at 2:05 AM, Chris Hegarty <chris.hegarty at oracle.com> wrote:
>> 
>> The "stopThread” RuntimePermission is granted by default. The Thread.stop
>> methods have been deprecated for more than 15 years. It seems reasonable,
>> in a major release, to remove the default grant of stopThread.
> 
> +1 to remove "stopThread” RuntimePermission from java.policy.

Thanks for the review Mandy.

> There are existing tests whose grants this "stopThread” RuntimePermission that may not be needed for the test.  The test policy likely copies that from the default system java.policy.  We should update these test policy as well.

I do see a few of these, and some will need discussion. Ok if I file a separate
bug on these, they are not directly related to this change, and do still pass, just
that the permission is superfluous.

>>> I would have expected some tests to need modifying here (or other places!).
>> 
>> I haven’t seen any test failures resulting from this change ( not sure
>> if that is a good or a bad thing! ).  Though, there were several implementation
>> bugs that needed to be resolved before being able to remove default grant.
> 
> jtreg policy tag overrides the system default security policy with the specified file.  Tests that call Thread::stop and tested with security manager must have  "stopThread” RuntimePermission set in the test policy.  jtreg was enhanced to add a new java.security.policy tag to extend the system security policy [1].  

Thanks for this explanation. I always get confused with how jtreg supports
this.

> Only tests using java.security.policy tag and calling Thread::stop will need to be modified.

I can find no such tests.

-Chris.

> Mandy
> [1] https://bugs.openjdk.java.net/browse/CODETOOLS-7900898



More information about the security-dev mailing list