RFR: 8155775: Re-examine naming of privileged methods to access System properties

Wang Weijun weijun.wang at oracle.com
Tue May 10 06:44:16 UTC 2016


I have a related question.

There are some places in the JDK that use doPrivileged to read "os.name" etc. This system property is in the default java.policy file.

> On May 2, 2016, at 10:15 PM, Sean Mullan <sean.mullan at oracle.com> wrote:
> 
> This is not an issue in your changes, but the current javadoc for Version.current() says:
> 
>      * @throws  SecurityException
>      *          If a security manager exists and its {@link
>      *          SecurityManager#checkPropertyAccess(String)
>      *          checkPropertyAccess} method does not allow access to the
>      *          system property "java.version"
> 
> but this can never occur since the code is wrapping the call to System.getProperty("java.version") in doPrivileged, so the caller's permissions are never checked.
> 
> I think that this is a bug in the javadoc of this method and that it should not be specified to throw SecurityException. All code already has permission to read "java.version" in the default java.policy file.

Can you clarify?

If a system property is listed in the default java.policy file, shall we use or not use doPrivileged() to read it inside JDK? I thought the answer is yes because the policy file could be modified.

Thanks
Max
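
The behaviour described in the quoted reply, a property read wrapped in doPrivileged succeeding regardless of what the caller is granted, shown as an added example that is not part of this thread or of the JDK source. The class and method names and the empty-permission caller context are constructed for illustration, and the code assumes a JDK where the Security Manager can still be installed.

```java
import java.security.*;

// Added illustration, not JDK source. Assumes JDK 8-17 (on 18-23 run with
// -Djava.security.manager=allow; the Security Manager is gone in later releases).
public class DoPrivilegedDemo {

    // Hypothetical stand-in for JDK code such as Version.current(): the
    // property read is wrapped, so the permission check stops at this frame.
    static String wrappedRead(String key) {
        return AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> System.getProperty(key));
    }

    // Plain read: every domain on the calling stack must hold the permission.
    static String directRead(String key) {
        try {
            return System.getProperty(key);
        } catch (SecurityException e) {
            return "SecurityException";
        }
    }

    public static void main(String[] args) {
        // Assumption: all loaded classes are fully trusted, as JDK classes are.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain d, Permission p) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        // Constructed caller context holding no permissions at all, i.e. a
        // policy that does not grant read access to "java.version".
        ProtectionDomain none = new ProtectionDomain(null, new Permissions());
        AccessControlContext caller =
                new AccessControlContext(new ProtectionDomain[] {none});

        String[] seen = AccessController.doPrivileged(
                (PrivilegedAction<String[]>) () -> new String[] {
                    directRead("java.version"), wrappedRead("java.version")},
                caller);
        System.out.println("direct:  " + seen[0]);
        System.out.println("wrapped: " + seen[1]);
    }
}
```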




