RFR: 8154009: Some methods of java.security.Security require more permissions, than necessary
Sean Mullan
sean.mullan at oracle.com
Thu Jun 2 18:53:31 UTC 2016
Looks good.
--Sean
On 06/01/2016 10:56 AM, Artem Kosarev wrote:
> Hi Sean.
>
> Thanks for suggestion.
>
> New WebRev: http://cr.openjdk.java.net/~akosarev/8154009/webrev.01/
>
> There are only 2 changes from original one:
> 1) *test/java/security/Security/EmptyPolicy.policy* was updated in the
> way you proposed.
> 2) I removed 2 tests from *test/ProblemList.txt*, which were marked as
> failed due to JDK-8154009 (current fix).
>
> Best regards,
> Artem Kosarev.
>
> **
> On 01.06.2016 17:03, Sean Mullan wrote:
>> I think it would be helpful to add a comment to EmptyPolicy.policy so
>> it contains something, ex:
>>
>> // empty policy file for testing
>>
>> Otherwise, looks fine.
>>
>> --Sean
>>
>> On 05/30/2016 09:03 AM, Artem Kosarev wrote:
>>> Hello.
>>>
>>> Could you please review the proposed fix issue which is NOT applicable
>>> for JDK 9:
>>>
>>> BUGURL: https://bugs.openjdk.java.net/browse/JDK-8154009
>>> WEBREV: http://cr.openjdk.java.net/~akosarev/8154009/webrev.00/
>>>
>>> PROBLEM:
>>> **/AddProvider/, /RemoveProvider///& /GetProviders///methods
>>> of*//**/java.security.Security/* class results in calling
>>> /doLoadProvider /method of *ProviderConfig *class for each Security
>>> Provider.
>>> And in this method we have a problem that it catches and processes
>>> *Exception*, but doesn't process *ExceptionInInitializerError *which is
>>> thrown in case of missing permissions:
>>> permission java.lang.RuntimePermission "loadLibrary.*";
>>> permission java.io.FilePermission "<<ALL FILES>>", "read";
>>> permission java.lang.RuntimePermission
>>> "accessClassInPackage.sun.security.*";
>>> Those permissions are unavailable if we switch-off
>>> *jre/lib/security/java.policy* file by running program with option:
>>> /-Djava.security.policy==<policy_file>/
>>>
>>> FIX:
>>> In JDK9 *ProviderConfig *class is changed in the scope of
>>> JDK-8043406 <https://bugs.openjdk.java.net/browse/JDK-8043406>
>>> enhancement (that is why JDK-8154009 is not applicable for JDK 9).
>>> And in order to fix above problem in JDK 8 we just require to take
>>> same changes for *ProviderConfig *class in JDK 9:
>>> See changeset from JDK 9:
>>> http://hg.openjdk.java.net/jdk9/dev/jdk/diff/7f8294841146/src/share/classes/sun/security/jca/ProviderConfig.java
>>>
>>>
>>> REGRESSION TESTS:
>>> 2 existing tests (*AddProvider*, *RemoveStaticProvider*) were used
>>> and modified so that they provide testing for fixed situation
>>> (additional permissions are not required any longer for /AddProvider
>>> /&**/RemoveProvider /methods.)
>>> 1 new test was written for checking /GetProviders /method under
>>> restricted permissions.
>>>
>>> Changes were successfully tested by JPRT.
>>>
>>> Best regards,
>>> Artem Kosarev.
>>
>
More information about the security-dev
mailing list