RFR 8168075: Custom system class loader + security manager + malformed policy file = recursive initialization
Sean Mullan
sean.mullan at oracle.com
Mon Jan 23 17:15:20 UTC 2017
On 1/19/17 10:28 AM, Adam Petcher wrote:
> My last attempt to solve this problem didn't work because some classes
> needed for string formatting were not loaded by init level 3 in some
> cases. So I had to backtrack and try a different approach.
>
> This patch avoids localization and message formatting when the VM is not
> booted. In this case, non-localized messages are printed, and simplified
> message formatting code is used. Once the VM is loaded, messages are
> localized and formatted in the usual way.
>
> http://cr.openjdk.java.net/~apetcher/8168075/webrev.01/

Looks good, just a couple of comments:

- PolicyUtil.getLocalizedMessage

Don't think you need this method, since
LocalizedMessage.getLocalizedString is public.

- LocalizedMessage.java

Not sure I see the need for the constructor or toLocalizedString method,
as I think you can just call getLocalizedString, ex:

    LocalizedMessage localizedMsg = new LocalizedMessage
        ("alias.name.not.provided.pe.name.");
    Object[] source = {pe.name};
    throw new Exception(localizedMsg.toLocalizedString(source));

becomes:

    throw new Exception(LocalizedMessage.getLocalizedString(
        "alias.name.not.provided.pe.name.", source));

(saves creating an extra object).

- MessageFormatting.java

Minor nit: please use "java.security.policy==error.policy" instead of
"policy=error.policy". The java.security.policy is a newer jtreg option
that matches the syntax of the java.security.policy option. I'd like to
discourage use of the policy option going forward.

Thanks,
Sean

>
>
> On 1/11/2017 8:34 AM, Adam Petcher wrote:
>> Please review the following bug fix:
>>
>> http://cr.openjdk.java.net/~apetcher/8168075/webrev.00/
>>
>> This fixes a bug in which a permission check would try to load
>> resources while the system class loader is being initialized.
>> Resources cannot be loaded at this time, so this change ensures that
>> the resources are loaded earlier.
>>
>
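
The approach described in the quoted message (skip localization and full message formatting until the VM is booted, then format in the usual way), shown as an added example that is not part of the thread or of the OpenJDK patch. The `booted` flag, the in-memory fallback table and its message text, and the bundle name `example.Resources` are assumptions made for illustration.

```java
import java.text.MessageFormat;
import java.util.Map;
import java.util.ResourceBundle;

public class BootSafeMessage {
    // Hypothetical stand-in for the JDK's internal "VM is booted" state.
    static volatile boolean booted = false;

    // Non-localized text held in memory, so no resource loading is needed.
    // The key is the one quoted in the thread; the message text is constructed.
    static final Map<String, String> FALLBACK = Map.of(
        "alias.name.not.provided.pe.name.", "alias name not provided ({0})");

    static String getMessage(String key, Object... args) {
        if (!booted) {
            // Early startup: no ResourceBundle lookup and no MessageFormat.
            return simpleFormat(FALLBACK.getOrDefault(key, key), args);
        }
        // Normal path: localized lookup ("example.Resources" is hypothetical).
        ResourceBundle rb = ResourceBundle.getBundle("example.Resources");
        return MessageFormat.format(rb.getString(key), args);
    }

    // Minimal {n} substitution that relies only on String and StringBuilder.
    static String simpleFormat(String pattern, Object[] args) {
        StringBuilder sb = new StringBuilder();
        int i = 0;
        while (i < pattern.length()) {
            int open = pattern.indexOf('{', i);
            int close = open < 0 ? -1 : pattern.indexOf('}', open);
            if (close < 0) {                  // no complete placeholder left
                sb.append(pattern, i, pattern.length());
                break;
            }
            sb.append(pattern, i, open);
            String idx = pattern.substring(open + 1, close);
            int n;
            try { n = Integer.parseInt(idx); } catch (NumberFormatException e) { n = -1; }
            // Unknown or out-of-range index: keep the placeholder visible.
            if (n >= 0 && n < args.length) sb.append(args[n]);
            else sb.append('{').append(idx).append('}');
            i = close + 1;
        }
        return sb.toString();
    }

    public static void main(String[] unused) {
        // Constructed input; only the pre-boot path is exercised here.
        System.out.println(getMessage("alias.name.not.provided.pe.name.", "duke"));
    }
}
```
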
More information about the security-dev
mailing list