Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8154009

Some methods of java.security.Security require more permissions, than necessary

    Details

      Backports

        Description

        If I use getProviders method from java.security.Security class with Security manager, I would have to specify following permissions:

        grant codeBase "file:${{java.ext.dirs}}/*" {
                permission java.lang.RuntimePermission "loadLibrary.*";
                permission java.io.FilePermission "<<ALL FILES>>", "read";
                permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
        };

        Same is applicable to addProvider method.
        That is, above mentioned permissions should be added to the SecurityPermission("insertProvider."+provider.getName()) mentioned in the specification.

        Those additional permissions are present in java.policy file stored inside JDK. But it looks rather strange to me that simple request to getProviders would work only if I explicitly allow to load full list of providers.

        This problem can be identified only if we switch-off usage of policy file declared in standard JDK. To do so, we need to call java like the following:
        <JDK_path>/bin/java -Djava.security.manager -Dpolicy==<policy_file>

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  akosarev Artem Kosarev (Inactive)
                  Reporter:
                  akosarev Artem Kosarev (Inactive)
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  5 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: