[15] RFR: 8191395: policy.allowSystemProperty and policy.expandProperties also apply to JAAS configurations

Sean Mullan sean.mullan at oracle.com
Thu Feb 6 21:40:53 UTC 2020


On 2/5/20 8:53 PM, Weijun Wang wrote:
> sun/security/provider/ConfigFile.java:
> 
>     private boolean expandProp = true;
> 
>     ...
> 
>     String expand = Security.getProperty("policy.expandProperties");
>     if (expand == null) {
>         expand = System.getProperty("policy.expandProperties");
>     }
>     if ("false".equals(expand)) {
>         expandProp = false;
>     }
> 
> sun/security/provider/PolicyFile.java:
> 
>     expandProperties = "true".equalsIgnoreCase
>         (Security.getProperty("policy.expandProperties")); -> default false
> 
> So it looks like the default value for the property are different in these 2 places. Of course, it also happens that in java.security there is no "Comment out this line" for "policy.expandProperties". But this still feels uncomfortable.

Good point, we should document the default values. I think trying to 
change them to be consistent at this point is not worth it, so I have 
added some wording to the java.security file noting that the defaults 
are different for policy and login files, and I also made some minor 
changes to the wording in other places. I also updated ConfigFile to 
state what the default value is. Let me know what you think.

webrev: http://cr.openjdk.java.net/~mullan/webrevs/8191395/webrev.02/

--Sean




More information about the security-dev mailing list