On 17/10/2016 13:16, Uwe Schindler wrote:
Hi,
yes I checked more already: The issue is caused by the mentioned change
(canonicalize of FilePermission). According to the docs of SecurityManager and
FilePermission, code should always be able to read stuff below the classpath
where the code was loaded from (in our case its part of a JAR file). So there
is no need to add permissions for this, it should work automatically.
So the following code must work without any extra permissions:
URL url = this.getClass().getResource("somefilenexttoclassfile");
InputStream is = url.openStream();
Interestingly the first line already returns "null", means "resource not
found", you don't get any SecurityException! As said before the code works without any
problems if I pass the special JDK property jdk.io.permissionsUseCanonicalPath=true to the code.
This is why I said that JDK-8164705 is causing the issue.
I will write a short reproducer and post it here. The code should work with
SecurityManager enabled and empty policy file, as the resource is covered by
the rule (everything below code source).
The getResourceXXX methods are specified to return null when denied by
the security manager so you can't distinguish it from not found. If you
can get trace output with -Djava.security.debug=failure,access then it
might help diagnose this.
It's probably best to follow-up on security-dev rather than jdk9-dev as
that is the mailing list where permission classes are maintained.
-Alan
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
