Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8079140

IgnoreAllErrorHandler should use doPrivileged when it reads system properties

    XMLWordPrintable

    Details

      Backports

        Description

        If security manager is enabled, but "org.jcp.xml.dsig.secureValidation" property is off, the impl tries to read the following system properties:

            com.sun.org.apache.xml.internal.security.test.warn.on.exceptions
            com.sun.org.apache.xml.internal.security.test.throw.exceptions

        , and if appropriate property permissions are not granted, it fails with ExceptionInInitializerError

        java.lang.ExceptionInInitializerError
            at com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput.convertToNodes(XMLSignatureInput.java:568)
            ...
        Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "com.sun.org.apache.xml.internal.security.test.warn.on.exceptions" "read")
            at java.security.AccessControlContext.checkPermission(AccessControlContext.java:468)
            at java.security.AccessController.checkPermission(AccessController.java:894)
            at java.lang.SecurityManager.checkPermission(SecurityManager.java:541)
            at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
            at java.lang.System.getProperty(System.java:744)
            at com.sun.org.apache.xml.internal.security.utils.IgnoreAllErrorHandler.<clinit>(IgnoreAllErrorHandler.java:43)
            ... 19 more

        Please see http://hg.openjdk.java.net/jdk9/dev/jdk/file/97a1facbcaaa/src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/utils/IgnoreAllErrorHandler.java

        ...
            /** Field throwExceptions */
            private static final boolean warnOnExceptions =
                System.getProperty("com.sun.org.apache.xml.internal.security.test.warn.on.exceptions", "false").equals("true");

            /** Field throwExceptions */
            private static final boolean throwExceptions =
                System.getProperty("com.sun.org.apache.xml.internal.security.test.throw.exceptions", "false").equals("true");
        ...

        I think it is not really necessary to check access for these properties. IgnoreAllErrorHandler should read them inside doPrivileged() method.

          Attachments

            Issue Links

            backported by

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8084939 IgnoreAllErrorHandler should use doPrivileged when it reads system properties

            • P3 - Major loss of function.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8239147 IgnoreAllErrorHandler should use doPrivileged when it reads system properties

            • P3 - Major loss of function.
            • Resolved
            relates to

            Bug - A problem which impairs or prevents the functions of the product. JDK-8137174 NTLM impl should use doPrivileged when it reads system properties

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Closed

              Activity

                People

                Assignee:
                asmotrak Artem Smotrakov
                Reporter:
                asmotrak Artem Smotrakov
                Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                  Dates

                  Created:
                  Updated:
                  Resolved: