[15] RFR: 8191395: policy.allowSystemProperty and policy.expandProperties also apply to JAAS configurations

Weijun Wang weijun.wang at oracle.com
Fri Feb 7 13:09:44 UTC 2020


This is very complete.

Thanks,
Max

> On Feb 7, 2020, at 5:40 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
> 
> On 2/5/20 8:53 PM, Weijun Wang wrote:
>> sun/security/provider/ConfigFile.java:
>>    private boolean expandProp = true;
>>    ...
>>    String expand = Security.getProperty("policy.expandProperties");
>>    if (expand == null) {
>>        expand = System.getProperty("policy.expandProperties");
>>    }
>>    if ("false".equals(expand)) {
>>        expandProp = false;
>>    }
>> sun/security/provider/PolicyFile.java:
>>    expandProperties = "true".equalsIgnoreCase
>>        (Security.getProperty("policy.expandProperties")); -> default false
>> So it looks like the default value for the property are different in these 2 places. Of course, it also happens that in java.security there is no "Comment out this line" for "policy.expandProperties". But this still feels uncomfortable.
> 
> Good point, we should document the default values. I think trying to change them to be consistent at this point is not worth it, so I have added some wording to the java.security file noting that the defaults are different for policy and login files, and I also made some minor changes to the wording in other places. I also updated ConfigFile to state what the default value is. Let me know what you think.
> 
> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8191395/webrev.02/
> 
> --Sean



More information about the security-dev mailing list