[15] RFR: 8191395: policy.allowSystemProperty and policy.expandProperties also apply to JAAS configurations
Sean Mullan
sean.mullan at oracle.com
Thu Feb 6 21:40:53 UTC 2020
On 2/5/20 8:53 PM, Weijun Wang wrote:
> sun/security/provider/ConfigFile.java:
>
> private boolean expandProp = true;
>
> ...
>
> String expand = Security.getProperty("policy.expandProperties");
> if (expand == null) {
> expand = System.getProperty("policy.expandProperties");
> }
> if ("false".equals(expand)) {
> expandProp = false;
> }
>
> sun/security/provider/PolicyFile.java:
>
> expandProperties = "true".equalsIgnoreCase
> (Security.getProperty("policy.expandProperties")); -> default false
>
> So it looks like the default value for the property are different in these 2 places. Of course, it also happens that in java.security there is no "Comment out this line" for "policy.expandProperties". But this still feels uncomfortable.
Good point, we should document the default values. I think trying to
change them to be consistent at this point is not worth it, so I have
added some wording to the java.security file noting that the defaults
are different for policy and login files, and I also made some minor
changes to the wording in other places. I also updated ConfigFile to
state what the default value is. Let me know what you think.
webrev: http://cr.openjdk.java.net/~mullan/webrevs/8191395/webrev.02/
--Sean
More information about the security-dev
mailing list