[15] RFR: 8191395: policy.allowSystemProperty and policy.expandProperties also apply to JAAS configurations

Weijun Wang weijun.wang at oracle.com
Thu Feb 6 01:53:46 UTC 2020 

sun/security/provider/ConfigFile.java:

   private boolean expandProp = true;

   ...

   String expand = Security.getProperty("policy.expandProperties");
   if (expand == null) {
       expand = System.getProperty("policy.expandProperties");
   }
   if ("false".equals(expand)) {
       expandProp = false;
   }

sun/security/provider/PolicyFile.java:

   expandProperties = "true".equalsIgnoreCase
       (Security.getProperty("policy.expandProperties")); -> default false

So it looks like the default value for the property are different in these 2 places. Of course, it also happens that in java.security there is no "Comment out this line" for "policy.expandProperties". But this still feels uncomfortable.

Thanks,
Max

> On Feb 5, 2020, at 11:31 PM, Sean Mullan <sean.mullan at oracle.com> wrote:
> 
> I added a sentence about policy.expandProperties to the ConfigFile class description. In the java.security file, I also clarified that setting the policy.allowSystemProperty to false (in addition to commenting it out) would disable the feature.
> 
> New webrev at http://cr.openjdk.java.net/~mullan/webrevs/8191395/webrev.01/
> CSR: https://bugs.openjdk.java.net/browse/JDK-8238483
> 
> --Sean
> 
> On 1/31/20 10:42 AM, Sean Mullan wrote:
>> On 1/30/20 7:27 PM, Weijun Wang wrote:
>>> Looks fine. Does this require a CSR?
>> Hmm, I was on the fence about that. ConfigFile already mentions policy.allowSystemProperty in the class description [1], so I think in this case, we are just improving the documentation.
>> I can't find any JAAS reference to policy.expandProperties though. I suppose we should file one then since this would be the first time it is documented.
>> Let me draft up a CSR and reply back later.
>> --Sean
>> [1] https://download.java.net/java/early_access/jdk14/docs/api/jdk.security.auth/com/sun/security/auth/login/ConfigFile.html 
>>> 
>>> Thanks,
>>> Max
>>> 
>>>> On Jan 31, 2020, at 3:18 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>>>> 
>>>> Please review this small change to the documentation of these two security properties.
>>>> 
>>>> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8191395/webrev.00/
>>>> bug: https://bugs.openjdk.java.net/browse/JDK-8191395
>>>> 
>>>> Thanks,
>>>> Sean
>>>

More information about the security-dev mailing list