[prev in list] [next in list] [prev in thread] [next in thread]
List: openjdk-net-dev
Subject: Re: [ipv6] RFR: 8224256: test/jdk/java/security/SecureClassLoader/DefineClass.java
From: Arthur Eubanks <aeubanks () google ! com>
Date: 2019-05-23 2:36:26
Message-ID: CAPW48sr_n-GuHunAZVMAryjZ7XdV66PabBMWUNfe4i9_sMnvYQ () mail ! gmail ! com
[Download RAW message or body]
Looks like this test is now failing, I'll take a look tomorrow, sorry about
this.
On Wed, May 22, 2019, 12:48 PM Sean Mullan <sean.mullan@oracle.com> wrote:
> On 5/22/19 3:33 PM, Arthur Eubanks wrote:
> >
> >
> > On Wed, May 22, 2019 at 12:12 PM Sean Mullan <sean.mullan@oracle.com
> > <mailto:sean.mullan@oracle.com>> wrote:
> >
> > On 5/22/19 1:28 PM, Arthur Eubanks wrote:
> > > On Wed, May 22, 2019 at 7:13 AM Daniel Fuchs
> > <daniel.fuchs@oracle.com <mailto:daniel.fuchs@oracle.com>
> > > <mailto:daniel.fuchs@oracle.com
> > <mailto:daniel.fuchs@oracle.com>>> wrote:
> > >
> > > Hi Arthur,
> > >
> > > 18 // For IPSupport
> > > 19 grant {
> > > 20 permission java.net.SocketPermission "localhost:0",
> > > "listen,resolve";
> > > 21 permission java.util.PropertyPermission
> > > "java.net.preferIPv4Stack", "read";
> > > 22 };
> > >
> > > It might be better if these permissions were granted to the
> > > library only.
> > >
> > > Done.
> >
> > Have you tested that with jtreg? I believe it may not work because of
> > the way the SecurityManager is enabled inside the test (rather than
> > using the jtreg java.security.policy option). You may find that you
> > also
> > need to grant those permissions to jtreg.jar since it is higher in
> the
> > call stack. If that is the case, you are probably better off granting
> > the permissions to all code, or restructuring the test to use the
> jtreg
> > java.security.policy option, where jtreg installs its own
> > SecurityManager to grant itself the proper permissions. However, that
> > will require some code changes and granting some additional
> permissions
> > to the test that are needed (for adding a security provider, etc)
> > before
> > it currently enables a SM. And that is probably more than you want
> > to do
> > for this fix.
> >
> > --Sean
> >
> > Tried it directly with jtreg
> > $ ~/jtreg/build/images/jtreg/bin/jtreg -jdk:./images/jdk/
> > ../test/jdk/java/security/SecureClassLoader/DefineClass.java
> > and it passes. Verified that removing the newly added permissions makes
> > it fail again.
> > There was some discussion on IPSupport and SecurityManagers when
> > IPSupport was first introduced:
> > https://markmail.org/message/vvemfm367ja3qllj
>
> Ok, the fix looks good then to me.
>
> --Sean
>
[Attachment #3 (text/html)]
<div dir="auto">Looks like this test is now failing, I'll take a look tomorrow, \
sorry about this. </div><br><div class="gmail_quote"><div dir="ltr" \
class="gmail_attr">On Wed, May 22, 2019, 12:48 PM Sean Mullan <<a \
href="mailto:sean.mullan@oracle.com" target="_blank" \
rel="noreferrer">sean.mullan@oracle.com</a>> wrote:<br></div><blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex">On 5/22/19 3:33 PM, Arthur Eubanks wrote:<br> > <br>
> <br>
> On Wed, May 22, 2019 at 12:12 PM Sean Mullan <<a \
href="mailto:sean.mullan@oracle.com" rel="noreferrer noreferrer" \
target="_blank">sean.mullan@oracle.com</a> <br> > <mailto:<a \
href="mailto:sean.mullan@oracle.com" rel="noreferrer noreferrer" \
target="_blank">sean.mullan@oracle.com</a>>> wrote:<br> > <br>
> On 5/22/19 1:28 PM, Arthur Eubanks wrote:<br>
> > On Wed, May 22, 2019 at 7:13 AM Daniel Fuchs<br>
> <<a href="mailto:daniel.fuchs@oracle.com" rel="noreferrer noreferrer" \
target="_blank">daniel.fuchs@oracle.com</a> <mailto:<a \
href="mailto:daniel.fuchs@oracle.com" rel="noreferrer noreferrer" \
target="_blank">daniel.fuchs@oracle.com</a>><br> > > <mailto:<a \
href="mailto:daniel.fuchs@oracle.com" rel="noreferrer noreferrer" \
target="_blank">daniel.fuchs@oracle.com</a><br> > <mailto:<a \
href="mailto:daniel.fuchs@oracle.com" rel="noreferrer noreferrer" \
target="_blank">daniel.fuchs@oracle.com</a>>>> wrote:<br> > \
><br> > > Hi Arthur,<br>
> ><br>
> > 18 // For IPSupport<br>
> > 19 grant {<br>
> > 20 permission java.net.SocketPermission \
"localhost:0",<br> > > "listen,resolve";<br>
> > 21 permission java.util.PropertyPermission<br>
> > "java.net.preferIPv4Stack", "read";<br>
> > 22 };<br>
> ><br>
> > It might be better if these permissions were granted to \
the<br> > > library only.<br>
> ><br>
> > Done.<br>
> <br>
> Have you tested that with jtreg? I believe it may not work because of<br>
> the way the SecurityManager is enabled inside the test (rather than<br>
> using the jtreg java.security.policy option). You may find that you<br>
> also<br>
> need to grant those permissions to jtreg.jar since it is higher in \
the<br> > call stack. If that is the case, you are probably better off \
granting<br> > the permissions to all code, or restructuring the test to \
use the jtreg<br> > java.security.policy option, where jtreg installs its \
own<br> > SecurityManager to grant itself the proper permissions. However, \
that<br> > will require some code changes and granting some additional \
permissions<br> > to the test that are needed (for adding a security \
provider, etc)<br> > before<br>
> it currently enables a SM. And that is probably more than you want<br>
> to do<br>
> for this fix.<br>
> <br>
> --Sean<br>
> <br>
> Tried it directly with jtreg<br>
> $ ~/jtreg/build/images/jtreg/bin/jtreg -jdk:./images/jdk/ <br>
> ../test/jdk/java/security/SecureClassLoader/DefineClass.java<br>
> and it passes. Verified that removing the newly added permissions makes <br>
> it fail again.<br>
> There was some discussion on IPSupport and SecurityManagers when <br>
> IPSupport was first introduced: <br>
> <a href="https://markmail.org/message/vvemfm367ja3qllj" rel="noreferrer \
noreferrer noreferrer" \
target="_blank">https://markmail.org/message/vvemfm367ja3qllj</a><br> <br>
Ok, the fix looks good then to me.<br>
<br>
--Sean<br>
</blockquote></div>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic