JDK-8079140

IgnoreAllErrorHandler should use doPrivileged when it reads system properties

        Description

        If a security manager is enabled, but the "org.jcp.xml.dsig.secureValidation" property is off, the impl tries to read the following system properties:

            com.sun.org.apache.xml.internal.security.test.warn.on.exceptions
            com.sun.org.apache.xml.internal.security.test.throw.exceptions

        If the appropriate property permissions are not granted, it fails with ExceptionInInitializerError:

        java.lang.ExceptionInInitializerError
            at com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput.convertToNodes(XMLSignatureInput.java:568)
            ...
        Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "com.sun.org.apache.xml.internal.security.test.warn.on.exceptions" "read")
            at java.security.AccessControlContext.checkPermission(AccessControlContext.java:468)
            at java.security.AccessController.checkPermission(AccessController.java:894)
            at java.lang.SecurityManager.checkPermission(SecurityManager.java:541)
            at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
            at java.lang.System.getProperty(System.java:744)
            at com.sun.org.apache.xml.internal.security.utils.IgnoreAllErrorHandler.<clinit>(IgnoreAllErrorHandler.java:43)
            ... 19 more

        Please see http://hg.openjdk.java.net/jdk9/dev/jdk/file/97a1facbcaaa/src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/utils/IgnoreAllErrorHandler.java

        ...
            /** Field throwExceptions */
            private static final boolean warnOnExceptions =
                System.getProperty("com.sun.org.apache.xml.internal.security.test.warn.on.exceptions", "false").equals("true");

            /** Field throwExceptions */
            private static final boolean throwExceptions =
                System.getProperty("com.sun.org.apache.xml.internal.security.test.throw.exceptions", "false").equals("true");
        ...

        I think it is not really necessary to check access for these properties. IgnoreAllErrorHandler should read them inside a doPrivileged() call.
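
        The pattern the report asks for, as an added example that is not the JDK source or the actual fix: the two static flags are read through AccessController.doPrivileged() so the permission check stops at the reading class instead of walking up to unprivileged callers. The class name PrivilegedFlags and the helper readFlag are hypothetical.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical stand-in for IgnoreAllErrorHandler's static flags (not JDK code).
public final class PrivilegedFlags {

    // Property names copied from the report above.
    private static final String WARN_PROP =
        "com.sun.org.apache.xml.internal.security.test.warn.on.exceptions";
    private static final String THROW_PROP =
        "com.sun.org.apache.xml.internal.security.test.throw.exceptions";

    // Same semantics as the original fields: true only for the exact value "true".
    static final boolean warnOnExceptions = readFlag(WARN_PROP);
    static final boolean throwExceptions = readFlag(THROW_PROP);

    private PrivilegedFlags() { }

    // Kept private and called only with the constants above, so the
    // privileged block cannot be reused by other code to read arbitrary
    // system properties on a caller's behalf.
    @SuppressWarnings("removal") // AccessController is deprecated for removal since JDK 17
    private static boolean readFlag(final String name) {
        return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
            @Override
            public Boolean run() {
                // With a security manager installed, the PropertyPermission
                // check now considers only this class's protection domain,
                // not the domains of the callers that triggered class
                // initialization. Assumption: that domain holds the "read"
                // permission, as JDK-internal classes do.
                return System.getProperty(name, "false").equals("true");
            }
        });
    }

    public static void main(String[] args) {
        System.out.println("warnOnExceptions=" + warnOnExceptions);
        System.out.println("throwExceptions=" + throwExceptions);
    }
}
```

        Because the property names are fixed constants and only a boolean leaves the privileged block, the elevated read does not expose property values to less-privileged code.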

                People

                • Assignee:
                  asmotrak Artem Smotrakov
                  Reporter:
                  asmotrak Artem Smotrakov