The permissions from the current policy are included in the toString()
output of java.security.ProtectionDomain. However, as a test case
I added to Mauve (gnu.testlet.java.security.Policy.Security) shows
when run against OpenJDK, these permissions shouldn't be revealed
when the SecurityManager prohibts calls to getPolicy.
I've committed the attached patch fixes this issue so that the
permissions are excluded if the SecurityManager doesn't allow the
policy to be read.
2011-02-22 Andrew John Hughes <ahug...@redhat.com>
PR classpath/42390
* java/security/ProtectionDomain.java:
(toString()): Don't include permissions from
the policy if we don't have permission to read
it.
--
Andrew :)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
Support Free Java!
Contribute to GNU Classpath and IcedTea
http://www.gnu.org/software/classpath
http://icedtea.classpath.org
PGP Key: F5862A37 (https://keys.indymedia.org/)
Fingerprint = EA30 D855 D50F 90CD F54D 0698 0713 C3ED F586 2A37
Index: java/security/ProtectionDomain.java
===================================================================
RCS file: /sources/classpath/classpath/java/security/ProtectionDomain.java,v
retrieving revision 1.18
diff -u -u -r1.18 ProtectionDomain.java
--- java/security/ProtectionDomain.java 25 Dec 2010 01:23:50 -0000 1.18
+++ java/security/ProtectionDomain.java 6 Mar 2011 17:17:58 -0000
@@ -255,7 +255,15 @@
sb.append(linesep);
if (!staticBinding) // include all but dont force loading
Policy.currentPolicy
if (Policy.isLoaded())
- sb.append(Policy.getCurrentPolicy().getPermissions(this));
+ try
+ {
+ sb.append(Policy.getPolicy().getPermissions(this));
+ }
+ catch (SecurityException e)
+ {
+ // We are not allowed access to the policy.
+ sb.append(perms);
+ }
else // fallback on this one's permissions
sb.append(perms);
else
