RFR: JDK-8288475: Initializing RandomGeneratorFactory.FactoryMapHolder fails if a SecurityManager is installed

Jaikiran Pai jpai at openjdk.org
Fri Jun 17 06:54:48 UTC 2022


On Thu, 16 Jun 2022 07:08:20 GMT, Johannes Kuhn <jkuhn at openjdk.org> wrote:

> * This adds additional permissions to the jdk.random module (`RuntimePermission "accessClassInPackage.jdk.internal.util.random"`)
> * The annotations of the provider classes are now parsed early.  
>   This avoids putting the parts that can trigger the parsing into an `AccessController.doPrivileged()` block.
> * If a `SecurityManager` is installed, `RandomGeneratorFactory.all()` will only return `RandomGenerator`s that are loaded by a system domain loader.  
>   This avoids parsing annotations of user classes from a privileged context.

src/java.base/share/classes/java/util/random/RandomGeneratorFactory.java line 165:

> 163:                 onlyBuiltIn = p -> VM.isSystemDomainLoader(p.type().getClassLoader());
> 164:             } else {
> 165:                 onlyBuiltIn = p -> true;

Should this variable be renamed to something else? Because right now it does the opposite of its name, i.e. when `onlyBuiltIn` is set to `true`, like here, the code a few lines below which filters the stream accepts all `RandomGeneratorFactory` implementations that have been found.

-------------

PR: https://git.openjdk.org/jdk/pull/9180
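
The provider filtering discussed in this review, as an added example that is not part of the original message or of the JDK patch. It assumes a local `isSystemDomainLoader` stand-in for the internal `VM.isSystemDomainLoader` and a hypothetical `providerFilter` helper, and it selects providers through `ServiceLoader.Provider.type()` so that no provider is instantiated while filtering:

```java
import java.util.List;
import java.util.ServiceLoader;
import java.util.ServiceLoader.Provider;
import java.util.function.Predicate;
import java.util.random.RandomGenerator;

public class ProviderFilterDemo {

    // Assumption: stand-in for the internal VM.isSystemDomainLoader(), which
    // application code cannot call. The bootstrap loader (null) and the
    // platform loader are treated as the system domain.
    static boolean isSystemDomainLoader(ClassLoader loader) {
        return loader == null || loader == ClassLoader.getPlatformClassLoader();
    }

    // Hypothetical helper. The name describes what the predicate does in both
    // branches: in restricted mode only providers defined by a system domain
    // loader pass, otherwise every discovered provider passes.
    static Predicate<Provider<RandomGenerator>> providerFilter(boolean restricted) {
        if (restricted) {
            return p -> isSystemDomainLoader(p.type().getClassLoader());
        }
        return p -> true;
    }

    // Lists provider class names. Provider.type() exposes the implementation
    // class without calling Provider.get(), so nothing is instantiated here.
    static List<String> providerTypes(boolean restricted) {
        return ServiceLoader.load(RandomGenerator.class)
                .stream()
                .filter(providerFilter(restricted))
                .map(p -> p.type().getName())
                .sorted()
                .toList();
    }

    public static void main(String[] args) {
        // The patch keys the restricted mode on an installed SecurityManager;
        // here both modes are run side by side for comparison.
        List<String> all = providerTypes(false);
        List<String> builtIn = providerTypes(true);
        System.out.println("all providers:      " + all.size());
        System.out.println("system-domain only: " + builtIn.size());
        // Providers that restricted mode would hide (empty unless a
        // RandomGenerator provider is present on the class path).
        all.stream().filter(n -> !builtIn.contains(n)).forEach(System.out::println);
    }
}
```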


