[9] RFR: 8168423: Test Task: Custom system class loader + security manager + malformed policy file = recursive initialization

Sibabrata Sahoo sibabrata.sahoo at oracle.com
Thu Feb 9 07:45:18 UTC 2017


Hi Sean,

Here is the updated webrev: http://cr.openjdk.java.net/~ssahoo/8168423/webrev.02/

The only change from the previous version is:

The bugid is reverted back from 8168075 to 8168423. The reason is it fails jcheck with the following message,
remote: Bugid 8168075 already used in this repository, in revision 16548

Regarding the following comment on " grant codeBase "file:./jars/*" ", we have already discussed and we are fine here to not make any change.

Thanks,
Siba

-----Original Message-----
From: Sean Mullan 
Sent: Wednesday, February 08, 2017 10:00 PM
To: Sibabrata Sahoo; Adam Petcher; security-dev at openjdk.java.net
Subject: Re: [9] RFR: 8168423: Test Task: Custom system class loader + security manager + malformed policy file = recursive initialization

On 2/7/17 4:26 AM, Sibabrata Sahoo wrote:
> Hi Sean,
>
> Please find the updated webrev at: 
> http://cr.openjdk.java.net/~ssahoo/8168075/webrev.01/
>
> It includes the following changes,
> 1) valid.policy, uses 'grant codebase "executable jar path"'.

Hmm, the use of '.' in the codebase URL is probably not good practice here and I'm a little concerned it may not always work. Try this instead:

grant codeBase "file:${test.classes}/-"

A trailing "/-" matches all files (both class and JAR files) in the directory and recursively all files in subdirectories contained in that directory.

--Sean

> 2) In ClassLoaderTest.java, @bug renamed from 8168423 to 8168075.
> 3) In ClassLoaderTest.java, the code comments have been removed from the @summary section. But it retains the same at line: 91-102.
>
> Thanks,
> Siba
>
> -----Original Message-----
> From: Sean Mullan
> Sent: Friday, January 27, 2017 12:07 AM
> To: Sibabrata Sahoo; Adam Petcher; security-dev at openjdk.java.net
> Subject: Re: [9] RFR: 8168423: Test Task: Custom system class loader + 
> security manager + malformed policy file = recursive initialization
>
> Hi Siba,
>
> In valid.policy, use 'grant codeBase "file:${test.classes}/*"' so that only the tests are granted the needed permissions.
>
> In ClassLoaderTest.java, the @bug should be 8168075. Also, the @summary contains a bunch of lines (29-39) that should probably just be code comments.
>
> Seems fine otherwise.
>
> --Sean
>
>
> On 1/11/17 10:33 AM, Sibabrata Sahoo wrote:
>> Hi Adam/Sean,
>>
>>
>>
>> This patch is waiting for your review.
>>
>>
>>
>> Thanks,
>>
>> Siba
>>
>>
>>
>> *From:*Sibabrata Sahoo
>> *Sent:* Friday, December 02, 2016 6:56 PM
>> *To:* Sean Mullan; security-dev at openjdk.java.net
>> *Subject:* [9] RFR: 8168423: Test Task: Custom system class loader + 
>> security manager + malformed policy file = recursive initialization
>>
>>
>>
>> Hi,
>>
>>
>>
>> Please review the patch for,
>>
>>
>>
>> JBS: https://bugs.openjdk.java.net/browse/JDK-8168423
>>
>> Webrev: http://cr.openjdk.java.net/~ssahoo/8168423/webrev.00/
>>
>>
>>
>> Description:
>>
>> This webrev addresses all possible cases for Classloader with
>> SecurityManager having a combination of valid/malformed policy file.
>> This Test is going to fail until JDK-8168075 gets fixed. In the
>> meantime, it can be used to verify the fix for JDK-8168075.
>>
>>
>>
>> Here is the generic Logic behind generating all possible Test cases 
>> with different combination of policy file, class loader and module types.
>>
>> for(policyFile : {"NO_POLICY", "VALID", "MALFORMED"}) {
>>     for(classLoader : {"SystemClassLoader", "CustomClassLoader"}) {
>>         // It uses possible set of regular/modular jars to generate all
>>         // possible Test cases in -cp and -module-path.
>>         for(clientModuletype : {"STRICT", "AUTO", "UNKNOWN"}) {
>>             for(classLoaderModuleType : {"STRICT", "AUTO", "UNKNOWN"}) {
>>                 // Create and run java command line for each possible
>>                 // Test cases and verify result.
>>             }
>>         }
>>     }
>> }
>>
>>
>>
>> Thanks,
>>
>> Siba
>>
>>
>>
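Added example, not part of the thread or the webrev: the codeBase forms discussed above (trailing "/", "/*" and "/-") compared by calling java.security.CodeSource.implies directly rather than loading a policy file. The class name CodeBaseMatchDemo and the /work/... paths are constructed for illustration; /work/classes stands in for an expanded ${test.classes}.

```java
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

public class CodeBaseMatchDemo {

    // Wrap a location in an unsigned CodeSource, the shape a grant entry
    // without a signedBy clause takes.
    static CodeSource source(String location) throws Exception {
        URL url = URI.create(location).toURL();
        return new CodeSource(url, (Certificate[]) null);
    }

    // True when a grant with this codeBase would cover code loaded from loadedFrom.
    static boolean matches(String grantCodeBase, String loadedFrom) throws Exception {
        return source(grantCodeBase).implies(source(loadedFrom));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample locations (assumptions, not paths from the test).
        String[] grants = {
            "file:/work/classes/",   // class files in the directory only
            "file:/work/classes/*",  // class and JAR files in the directory
            "file:/work/classes/-"   // the directory and everything below it
        };
        String[] loaded = {
            "file:/work/classes/",               // classes run from the directory
            "file:/work/classes/client.jar",     // JAR directly in the directory
            "file:/work/classes/sub/loader.jar", // JAR in a subdirectory
            "file:/work/other/unrelated.jar"     // code outside the directory
        };
        for (String grant : grants) {
            for (String location : loaded) {
                System.out.printf("%-24s covers %-36s : %b%n",
                        grant, location, matches(grant, location));
            }
        }
    }
}
```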


