RFR: 8229773: Resolve permissions for code source URLs lazily

Peter Firmstone peter.firmstone at zeus.net.au
Mon Sep 16 21:15:26 UTC 2019


Hi Alan,

Your suspicion is correct. :)

Thanks for the leads, I'll look into it further.

Currently the policy implementation finds policy url's in system 
properties, "java.security.policy" and numbered policy locations with 
the prefix "policy.url." if the "java.security.policy" property doesn't 
begin with "=" (which represents java.security.policy==).

Cheers,

Peter.

On 15/09/2019 10:58 PM, Alan Bateman wrote:
> On 14/09/2019 21:21, Peter Firmstone wrote:
>> Hi Alan,
>>
>> We've got a bunch of very old policy files in our test suite, so they 
>> still had policy grants using the extension directory property.  The 
>> grant for the extension directory property was followed by a forward 
>> slash and asterix.  Oddly when the property was missing the grant 
>> became a wildcard URL.  Note this isn't the sun PolicyFile 
>> implementation, but our policy provider also augments, rather than 
>> replace, maybe there's a new policy file our provider isn't aware of?
>>
>> From memory there was something special about the way the extension 
>> directory property was treated by the policy provider, but I don't 
>> recall the details, the same problems don't appear to exist when 
>> other properties in policy files cannot be resolved.
>>
>>
>> Modules that required permissions, seem to be service providers:
> In jdk/jdk repo, the following policy files are merged in the build to 
> create the default policy:
>
> src/java.base/windows/lib/security/default.policy
> src/java.base/solaris/lib/security/default.policy
> src/java.base/share/lib/security/default.policy
>
> The default policy goes into a JDK internal location in the run-time 
> image and used by the PolicyFile implementation. If you look in there 
> you should see the permissions that are granted to the modules that 
> map to the platform class loader. The intention is that deployments 
> that are setting their own policy files don't need to be concerned 
> about the permissions of modules in the run-time image. I suspect you 
> are looking for a custom PolicyFile implementation to make use of 
> these defaults to avoid needing to be concerned with the specific 
> permissions that the modules in the run-time image.
>
> -Alan



More information about the security-dev mailing list