RFR: 8229773: Resolve permissions for code source URLs lazily
Peter Firmstone
peter.firmstone at zeus.net.au
Sat Sep 14 20:21:13 UTC 2019
Hi Alan,
We've got a bunch of very old policy files in our test suite, so they
still had policy grants using the extension directory property. The
grant for the extension directory property was followed by a forward
slash and asterix. Oddly when the property was missing the grant became
a wildcard URL. Note this isn't the sun PolicyFile implementation, but
our policy provider also augments, rather than replace, maybe there's a
new policy file our provider isn't aware of?
From memory there was something special about the way the extension
directory property was treated by the policy provider, but I don't
recall the details, the same problems don't appear to exist when other
properties in policy files cannot be resolved.
Modules that required permissions, seem to be service providers:
grant codebase "jrt:/jdk.security.auth" {
permission java.security.AllPermission "", "";
};
grant codebase "jrt:/jdk.crypto.cryptoki" {
permission java.security.AllPermission "", "";
};
grant codebase "jrt:/java.smartcardio" {
permission java.security.AllPermission "", "";
};
grant codebase "jrt:/java.xml.crypto" {
permission java.security.AllPermission "", "";
};
grant codebase "jrt:/java.security.jgss" {
permission java.security.AllPermission "", "";
};
grant codebase "jrt:/jdk.crypto.ec" {
permission java.security.AllPermission "", "";
};
grant codebase "jrt:/jdk.crypto.mscapi" {
permission java.security.AllPermission "", "";
};
grant codebase "jrt:/jdk.localedata" {
permission java.security.AllPermission "", "";
};
grant codebase "jrt:/jdk.security.jgss" {
permission java.security.AllPermission "", "";
};
Regards,
Peter.
On 14/09/2019 5:22 PM, Alan Bateman wrote:
> On 13/09/2019 23:07, Peter Firmstone wrote:
>> :
>>
>> One change I noticed is permissions granted to the java extension
>> directory are now granted to every domain in our policy provider as
>> the java.ext.dirs property is now blank, I also had to grant
>> permissions to a number of jdk modules, after fixing these, everthing
>> running as expected, except for a few minor test failures.
> The extension mechanism was deprecated in one of the maintenance
> releases of the JSR for Java SE 8 so hopefully not a surprise that the
> system property java.ext.dirs is no longer set. Since JDK 9, the VM
> will will not start if this system property is set on the command line
> and there is also a XX option in JDK 8 to help find usages of this
> mechanism. So I think I'm surprised that permissions are being granted
> when the property isn't set.
>
> Also surprised to hear that you need to grant permissions to the
> java.* or jdk.* modules. Are you saying that that the permissions
> granted in the default JDK policy file are incomplete or that there
> are code is missing a call to doPrivileged somewhere? Part of the
> reason for asking is that the both "-Djava.security.policy=" and
> "-Djava.security.policy==" will augment rather than override the
> default permissions. Maybe you are doing something that doesn't use
> this mechanism and you are always overriding the permissions granted
> to the modules in the run-time image?
>
> -Alan
>
More information about the security-dev
mailing list