Re: RFR: 8333344: JMX attaching of Subject does not work when security manager not allowed [v4]
On Wed, 12 Jun 2024 14:55:31 GMT, Daniel Fuchs wrote: >> Hmm I may have fixed that since changing the policy files, as I'm not seeing >> the problem without that AuthPermission any more. Am just retesting >> everything before updating this... > > (Same with other policy files in which the permission was added of course) Yes these no longer seem needed. I added them in response to failures in an earlier version of the change, thanks for spotting this, I've undone the policy changes. - PR Review Comment: https://git.openjdk.org/jdk/pull/19624#discussion_r1636753776
Re: RFR: 8333344: JMX attaching of Subject does not work when security manager not allowed [v4]
On Wed, 12 Jun 2024 14:44:56 GMT, Kevin Walls wrote: >> I think Daniel is right, can you remove this permission and paste in the >> debug output to see where this is happening? > > Hmm I may have fixed that since changing the policy files, as I'm not seeing > the problem without that AuthPermission any more. Am just retesting > everything before updating this... (Same with other policy files in which the permission was added of course) - PR Review Comment: https://git.openjdk.org/jdk/pull/19624#discussion_r1636634416
Re: RFR: 8333344: JMX attaching of Subject does not work when security manager not allowed [v4]
On Wed, 12 Jun 2024 14:31:26 GMT, Alan Bateman wrote: >> test/jdk/javax/management/remote/mandatory/notif/policy.negative line 7: >> >>> 5: permission javax.management.MBeanPermission >>> "[domain:type=NB,name=2]", "addNotificationListener"; >>> 6: permission javax.management.MBeanPermission "*", >>> "removeNotificationListener"; >>> 7: permission javax.security.auth.AuthPermission "doAs"; >> >> I suspect that this means a doPrivileged is missing somewhere. We should not >> require the application to posess new permissions. > > I think Daniel is right, can you remove this permission and paste in the > debug output to see where this is happening? Hmm I may have fixed that since changing the policy files, as I'm not seeing the problem without that AuthPermission any more. Am just retesting everything before updating this... - PR Review Comment: https://git.openjdk.org/jdk/pull/19624#discussion_r1636613493
Re: RFR: 8333344: JMX attaching of Subject does not work when security manager not allowed [v4]
On Wed, 12 Jun 2024 14:23:07 GMT, Daniel Fuchs wrote: >> Kevin Walls has updated the pull request incrementally with one additional >> commit since the last revision: >> >> udpates > > test/jdk/javax/management/remote/mandatory/notif/policy.negative line 7: > >> 5: permission javax.management.MBeanPermission >> "[domain:type=NB,name=2]", "addNotificationListener"; >> 6: permission javax.management.MBeanPermission "*", >> "removeNotificationListener"; >> 7: permission javax.security.auth.AuthPermission "doAs"; > > I suspect that this means a doPrivileged is missing somewhere. We should not > require the application to posess new permissions. I think Daniel is right, can you remove this permission and paste in the debug output to see where this is happening? - PR Review Comment: https://git.openjdk.org/jdk/pull/19624#discussion_r1636587055
Re: RFR: 8333344: JMX attaching of Subject does not work when security manager not allowed [v4]
On Wed, 12 Jun 2024 14:01:40 GMT, Kevin Walls wrote: >> JMX uses APIs related to the Security Mananger which are deprecated. Use of >> AccessControlContext will be removed when Security Manager is removed. >> >> Until then, updates are needed to not require setting >> -Djava.security.manager=allow to use JMX authentication. > > Kevin Walls has updated the pull request incrementally with one additional > commit since the last revision: > > udpates test/jdk/javax/management/remote/mandatory/notif/policy.negative line 7: > 5: permission javax.management.MBeanPermission "[domain:type=NB,name=2]", > "addNotificationListener"; > 6: permission javax.management.MBeanPermission "*", > "removeNotificationListener"; > 7: permission javax.security.auth.AuthPermission "doAs"; I suspect that this means a doPrivileged is missing somewhere. We should not require the application to posess new permissions. - PR Review Comment: https://git.openjdk.org/jdk/pull/19624#discussion_r1636573141
Re: RFR: 8333344: JMX attaching of Subject does not work when security manager not allowed [v4]
> JMX uses APIs related to the Security Mananger which are deprecated. Use of > AccessControlContext will be removed when Security Manager is removed. > > Until then, updates are needed to not require setting > -Djava.security.manager=allow to use JMX authentication. Kevin Walls has updated the pull request incrementally with one additional commit since the last revision: udpates - Changes: - all: https://git.openjdk.org/jdk/pull/19624/files - new: https://git.openjdk.org/jdk/pull/19624/files/56f9111e..422011e4 Webrevs: - full: https://webrevs.openjdk.org/?repo=jdk&pr=19624&range=03 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=19624&range=02-03 Stats: 35 lines in 2 files changed: 6 ins; 23 del; 6 mod Patch: https://git.openjdk.org/jdk/pull/19624.diff Fetch: git fetch https://git.openjdk.org/jdk.git pull/19624/head:pull/19624 PR: https://git.openjdk.org/jdk/pull/19624