JDK-8079140

IgnoreAllErrorHandler should use doPrivileged when it reads system properties


        Description

        If a security manager is enabled but the "org.jcp.xml.dsig.secureValidation" property is off, the implementation tries to read the following system properties:

            com.sun.org.apache.xml.internal.security.test.warn.on.exceptions
            com.sun.org.apache.xml.internal.security.test.throw.exceptions

        If the appropriate property permissions are not granted, it fails with an ExceptionInInitializerError:

        java.lang.ExceptionInInitializerError
            at com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput.convertToNodes(XMLSignatureInput.java:568)
            ...
        Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "com.sun.org.apache.xml.internal.security.test.warn.on.exceptions" "read")
            at java.security.AccessControlContext.checkPermission(AccessControlContext.java:468)
            at java.security.AccessController.checkPermission(AccessController.java:894)
            at java.lang.SecurityManager.checkPermission(SecurityManager.java:541)
            at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
            at java.lang.System.getProperty(System.java:744)
            at com.sun.org.apache.xml.internal.security.utils.IgnoreAllErrorHandler.<clinit>(IgnoreAllErrorHandler.java:43)
            ... 19 more

        Please see http://hg.openjdk.java.net/jdk9/dev/jdk/file/97a1facbcaaa/src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/utils/IgnoreAllErrorHandler.java

        ...
            /** Field throwExceptions */
            private static final boolean warnOnExceptions =
                System.getProperty("com.sun.org.apache.xml.internal.security.test.warn.on.exceptions", "false").equals("true");

            /** Field throwExceptions */
            private static final boolean throwExceptions =
                System.getProperty("com.sun.org.apache.xml.internal.security.test.throw.exceptions", "false").equals("true");
        ...

        I think it is not really necessary to check access for these properties. IgnoreAllErrorHandler should read them inside a doPrivileged() method.
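The pattern the report proposes, shown as an added example that is not the JDK's actual fix or code from this issue: the two flags are read in the static initializer through `AccessController.doPrivileged`, so callers without `PropertyPermission` no longer trigger the `AccessControlException`. The class name `PrivilegedFlagsExample` and the helper `readFlag` are hypothetical.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical class; it mirrors the two static fields quoted in the report.
public class PrivilegedFlagsExample {

    private static final String WARN_PROP =
        "com.sun.org.apache.xml.internal.security.test.warn.on.exceptions";
    private static final String THROW_PROP =
        "com.sun.org.apache.xml.internal.security.test.throw.exceptions";

    // Still evaluated in <clinit>, the frame where the original read failed.
    private static final boolean warnOnExceptions = readFlag(WARN_PROP);
    private static final boolean throwExceptions = readFlag(THROW_PROP);

    /**
     * Reads a boolean system property using only this class's own permissions.
     * doPrivileged stops the permission check at this frame, so the caller's
     * protection domain is not consulted. This class's own domain must still
     * hold the PropertyPermission (JDK classes do).
     *
     * Kept private and called only with compile-time constants, so untrusted
     * callers cannot use it to read arbitrary properties.
     */
    @SuppressWarnings({"removal", "deprecation"}) // AccessController is deprecated for removal since Java 17
    private static boolean readFlag(final String name) {
        // Anonymous class rather than a lambda: doPrivileged is overloaded and
        // a bare lambda would be ambiguous with PrivilegedExceptionAction.
        return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
            @Override
            public Boolean run() {
                // Same semantics as the original code: only the exact
                // string "true" enables the flag.
                return "true".equals(System.getProperty(name, "false"));
            }
        });
    }

    public static void main(String[] args) {
        // With neither property set, both flags print false.
        System.out.println("warnOnExceptions=" + warnOnExceptions);
        System.out.println("throwExceptions=" + throwExceptions);
    }
}
```

Only the property read sits inside the privileged block, and only the resulting boolean leaves it, which keeps the privileged scope as narrow as possible.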


                People

                Assignee:
                asmotrak Artem Smotrakov
                Reporter:
                asmotrak Artem Smotrakov