[15] RFR: 8191395: policy.allowSystemProperty and policy.expandProperties also apply to JAAS configurations
Weijun Wang
weijun.wang at oracle.com
Fri Feb 7 13:09:44 UTC 2020
This is very complete.
Thanks,
Max
> On Feb 7, 2020, at 5:40 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>
> On 2/5/20 8:53 PM, Weijun Wang wrote:
>> sun/security/provider/ConfigFile.java:
>>     private boolean expandProp = true;
>>     ...
>>     String expand = Security.getProperty("policy.expandProperties");
>>     if (expand == null) {
>>         expand = System.getProperty("policy.expandProperties");
>>     }
>>     if ("false".equals(expand)) {
>>         expandProp = false;
>>     }
>> sun/security/provider/PolicyFile.java:
>>     expandProperties = "true".equalsIgnoreCase
>>         (Security.getProperty("policy.expandProperties")); -> default false
>> So it looks like the default values for the property are different in these 2 places. Of course, it also happens that in java.security there is no "Comment out this line" for "policy.expandProperties". But this still feels uncomfortable.
>
> Good point, we should document the default values. I think trying to change them to be consistent at this point is not worth it, so I have added some wording to the java.security file noting that the defaults are different for policy and login files, and I also made some minor changes to the wording in other places. I also updated ConfigFile to state what the default value is. Let me know what you think.
>
> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8191395/webrev.02/
>
> --Sean
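
The two code paths quoted above, modelled side by side as an added example (not JDK source and not part of the original message). The class and method names are hypothetical, and the property values are passed in as parameters instead of being read from the running JVM, so the printed table shows how each path treats an unset, mis-cased or unrecognized value.

```java
// Added example: models the two snippets quoted in the message above.
// Class and method names are hypothetical; this is not JDK source.
public class ExpandPropertiesDefaults {

    // ConfigFile logic as quoted: starts true, Security property first,
    // System property as fallback, disabled only by the exact string "false".
    static boolean loginConfigExpands(String securityProp, String systemProp) {
        boolean expandProp = true;
        String expand = securityProp;
        if (expand == null) {
            expand = systemProp;
        }
        if ("false".equals(expand)) {
            expandProp = false;
        }
        return expandProp;
    }

    // PolicyFile logic as quoted: Security property only, enabled only by
    // "true" in any letter case, so an unset property means false.
    static boolean policyExpands(String securityProp) {
        return "true".equalsIgnoreCase(securityProp);
    }

    public static void main(String[] args) {
        // Constructed inputs: {Security property value, System property value}.
        String[][] cases = {
            {null, null},      // property unset everywhere
            {null, "false"},   // set only as a System property
            {"false", null},   // set only as a Security property
            {"FALSE", null},   // letter case differs from the exact match
            {"true", null},
            {"yes", null},     // unrecognized value
        };
        System.out.printf("%-10s %-10s %-12s %-8s%n",
                "security", "system", "loginConfig", "policy");
        for (String[] c : cases) {
            System.out.printf("%-10s %-10s %-12b %-8b%n",
                    c[0], c[1], loginConfigExpands(c[0], c[1]), policyExpands(c[0]));
        }
    }
}
```

Rows where the two columns disagree are the configurations in which property expansion is active for login configuration files but not for policy files.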