Re: RFR: 8154009: Some methods of java.security.Security require more permissions, than necessary

Thu, 02 Jun 2016 11:55:32 -0700 

Looks good.

--Sean

On 06/01/2016 10:56 AM, Artem Kosarev wrote:

Hi Sean.

Thanks for suggestion.

New WebRev: http://cr.openjdk.java.net/~akosarev/8154009/webrev.01/

There are only 2 changes from original one:
1) *test/java/security/Security/EmptyPolicy.policy* was updated in the
way you proposed.
2) I removed 2 tests from *test/ProblemList.txt*, which were marked as
failed due to JDK-8154009 (current fix).

Best regards,
Artem Kosarev.

**
On 01.06.2016 17:03, Sean Mullan wrote:

I think it would be helpful to add a comment to EmptyPolicy.policy so
it contains something, ex:

// empty policy file for testing

Otherwise, looks fine.

--Sean

On 05/30/2016 09:03 AM, Artem Kosarev wrote:

Hello.

Could you please review the proposed fix issue which is NOT applicable
for JDK 9:

BUGURL: https://bugs.openjdk.java.net/browse/JDK-8154009
WEBREV: http://cr.openjdk.java.net/~akosarev/8154009/webrev.00/

PROBLEM:
**/AddProvider/, /RemoveProvider///& /GetProviders///methods
of*//**/java.security.Security/* class results in calling
/doLoadProvider /method of *ProviderConfig *class for each Security
Provider.
     And in this method we have a problem that it catches and processes
*Exception*, but doesn't process *ExceptionInInitializerError *which is
thrown in case of missing permissions:
             permission java.lang.RuntimePermission "loadLibrary.*";
             permission java.io.FilePermission "<<ALL FILES>>", "read";
             permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.*";
     Those permissions are unavailable if we switch-off
*jre/lib/security/java.policy* file by running program with option:
/-Djava.security.policy==<policy_file>/

FIX:
     In JDK9 *ProviderConfig *class is changed in the scope of
JDK-8043406 <https://bugs.openjdk.java.net/browse/JDK-8043406>
enhancement (that is why JDK-8154009 is not applicable for JDK 9).
     And in order to fix above problem in JDK 8 we just require to take
same changes for *ProviderConfig *class in JDK 9:
     See changeset from JDK 9:
http://hg.openjdk.java.net/jdk9/dev/jdk/diff/7f8294841146/src/share/classes/sun/security/jca/ProviderConfig.java


REGRESSION TESTS:
     2 existing tests (*AddProvider*, *RemoveStaticProvider*) were used
and modified so that they provide testing for fixed situation
(additional permissions are not required any longer for /AddProvider
/&**/RemoveProvider /methods.)
     1 new test was written for checking /GetProviders /method under
restricted permissions.

Changes were successfully tested by JPRT.

Best regards,
Artem Kosarev.

Reply via email to