RFR 8168075: Custom system class loader + security manager + malformed policy file = recursive initialization

Sean Mullan sean.mullan at oracle.com
Mon Jan 23 17:15:20 UTC 2017 

On 1/19/17 10:28 AM, Adam Petcher wrote:
> My last attempt to solve this problem didn't work because some classes
> needed for string formatting were not loaded by init level 3 in some
> cases. So I had to backtrack and try a different approach.
>
> This patch avoids localization and message formatting when the VM is not
> booted. In this case, non-localized messages are printed, and simplified
> message formatting code is used. Once the VM is loaded, messages are
> localized and formatted in the usual way.
>
> http://cr.openjdk.java.net/~apetcher/8168075/webrev.01/

Looks good, just a couple of comments:

- PolicyUtil.getLocalizedMessage

Don't think you need this method, since 
LocalizedMessage.getLocalizedString is public.

- LocalizedMessage.java

Not sure I see the need for the constructor or toLocalizedString method, 
as I think you can just call getLocalizedString, ex:

     LocalizedMessage localizedMsg = new LocalizedMessage
         ("alias.name.not.provided.pe.name.");
     Object[] source = {pe.name};
     throw new Exception(localizedMsg.toLocalizedString(source));

becomes:

     throw new 
Exception(LocalizedMessage.getLocalizedString("alias.name.not.provided.pe.name.", 
source));

(saves creating an extra object).

- MessageFormatting.java

Minor nit: please use "java.security.policy==error.policy" instead of 
"policy=error.policy" The java.security.policy is a newer jtreg option 
that matches the syntax of the java.security.policy option. I'd like to 
discourage use of the policy option going forward.

Thanks,
Sean


>
>
> On 1/11/2017 8:34 AM, Adam Petcher wrote:
>> Please review the following bug fix:
>>
>> http://cr.openjdk.java.net/~apetcher/8168075/webrev.00/
>>
>> This fixes a bug in which a permission check would try to load
>> resources while the system class loader is being initialized.
>> Resources cannot be loaded at this time, so this change ensures that
>> the resources are loaded earlier.
>>
>

More information about the security-dev mailing list