On 5/9/16 11:44 PM, Wang Weijun wrote:
I have a related question.
There are some places in JDK that use doPrivileged to read "os.name" etc. This
system property is in the default java.policy file
On May 2, 2016, at 10:15 PM, Sean Mullan <sean.mul...@oracle.com> wrote:
This is not an issue in your changes, but the current javadoc for
Version.current() says:
     * @throws  SecurityException
     *          If a security manager exists and its {@link
     *          SecurityManager#checkPropertyAccess(String)
     *          checkPropertyAccess} method does not allow access to the
     *          system property "java.version"
but this can never occur since the code is wrapping the call to
System.getProperty("java.version") in doPrivileged, so the caller's permissions
are never checked.
I think that this is a bug in the javadoc of this method and that it should not be
specified to throw SecurityException. All code already has permission to read
"java.version" in the default java.policy file.
Can you clarify?
If a system property is listed in the default java.policy file, shall we use or
not use doPrivileged() to read it inside JDK? I thought the answer is yes
because the policy file could be modified.
Yes, you should use doPrivileged in that case, since the policy can be
modified so you don't necessarily know that the caller has permission to
read that property. System.getProperty will still perform a security check.
--Sean
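
The behaviour discussed in this thread, as an added example that is not part of the original messages or of the JDK sources: a direct System.getProperty call is checked against every caller on the stack, while the same call wrapped in doPrivileged is checked only up to the wrapping frame. The class and method names are hypothetical, the restricted caller is simulated with an empty AccessControlContext, and the code assumes a JDK where the Security Manager can still be installed (JDK 17 or earlier).

```java
import java.security.*;
import java.util.function.Supplier;

public class DoPrivilegedPropertyDemo {
    // Direct read: the security check walks the whole call stack.
    static String readDirect() {
        return System.getProperty("java.version");
    }

    // Wrapped read: the stack walk stops at this frame, so only this
    // class's own permissions are checked, never the caller's.
    static String readPrivileged() {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty("java.version"));
    }

    static String attempt(Supplier<String> read) {
        try {
            return "read " + read.get();
        } catch (SecurityException e) {
            return "denied: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Assumption for the demo: the policy grants this class everything,
        // standing in for JDK code that holds the property permission.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain d, Permission p) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        // Simulated caller with no permissions at all, as if java.policy
        // had been edited to drop the default PropertyPermission grants.
        // A two-argument ProtectionDomain is static: the policy is not consulted.
        AccessControlContext noPerms = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            // Expected: denied, because the caller context lacks the permission.
            System.out.println("direct:     " + attempt(DoPrivilegedPropertyDemo::readDirect));
            // Expected: succeeds, because the caller context is never consulted.
            System.out.println("privileged: " + attempt(DoPrivilegedPropertyDemo::readPrivileged));
            return null;
        }, noPerms);
    }
}
```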