Re: [11u] RFR(S): 8223326: Regression introduced by CPU sync: java.security.AccessControlException: access denied ("java.net.NetPermission" "setSocketImpl")

2020-03-24 Thread Hohensee, Paul 
Thanks for the explanation of the process.

Paul

On 3/23/20, 11:28 PM, "Langer, Christoph"  wrote:

Hi Paul,

as Martin said, the original bug could not be opened by Oracle. I, however 
changed the bug created by Martin to a Backport item. Doing it that way would 
allow a "standard" backport of such type of issues while the original item that 
was pushed to head can remain invisible. We proceeded like that with other bugs 
already and it proved to work nicely.

Best regards
Christoph

> -Original Message-
> From: core-libs-dev  On Behalf
> Of Hohensee, Paul
> Sent: Montag, 23. März 2020 19:29
> To: Doerr, Martin ; core-libs-
> d...@openjdk.java.net; jdk-updates-...@openjdk.java.net
    > Subject: RE: [11u] RFR(S): 8223326: Regression introduced by CPU sync:
    > java.security.AccessControlException: access denied
    > ("java.net.NetPermission" "setSocketImpl")
>
> The changeset references JDK-8223326, which is private. If possible, ask
> Oracle to make it public so we can do a normal backport rather than file 
an
> 11u-specific issue. The backport itself looks fine.
>
> Thanks,
> Paul
>
> On 3/23/20, 11:08 AM, "jdk-updates-dev on behalf of Doerr, Martin"  updates-dev-boun...@openjdk.java.net on behalf of
> martin.do...@sap.com> wrote:
>
>
> Hi,
>
> I'd like to backport JDK-8223326 from jdk/jdk.
>
> 11u backport issue:
> https://bugs.openjdk.java.net/browse/JDK-8241460
>
> Original change:
> https://hg.openjdk.java.net/jdk/jdk/rev/29624901d8bc
>
> 11u backport webrev:
>
> http://cr.openjdk.java.net/~mdoerr/8223326_nio_socket_11u/webrev.00/
>
> I had to integrate the change manually due to context changes. 
However,
> the new code fits to the 11u versions.
>
> Please review.
>
> Best regards,
> Martin
>
>

RE: [11u] RFR(S): 8223326: Regression introduced by CPU sync: java.security.AccessControlException: access denied ("java.net.NetPermission" "setSocketImpl")

2020-03-24 Thread Langer, Christoph 
> > By spec part you mean the "@throws SecurityException" sections? Do you
> think those should not have been part of the 11u/13u change? Should these
> be even rolled back?
> >
> The spec changes to NetPermission and the protected Socket constructor
> should not be in the update releases. If a security fix involves a spec
> clarification then a good starting assumption is that the scope of the
> change for the update releases, if applicable, will be bit different.

Ok, makes sense. I wasn't involved in the security fix and its backport, 
though. But I assume should now leave the fix for JDK-8218573: "Better socket 
support" (http://hg.openjdk.java.net/jdk-updates/jdk11u-dev/rev/c7602effc480) 
alone now?

/Christoph

RE: [11u] RFR(S): 8223326: Regression introduced by CPU sync: java.security.AccessControlException: access denied ("java.net.NetPermission" "setSocketImpl")

2020-03-24 Thread Doerr, Martin 
Thanks a lot for looking into this, Alan, Chris and Christoph!

We had also looked at 
"8217997: Better socket support": 
https://hg.openjdk.java.net/jdk/jdk/rev/94710bb2a5bb
which was backported as
"8218573: Better socket support": 
http://hg.openjdk.java.net/jdk-updates/jdk11u-dev/rev/c7602effc480
with the spec update.
It's not so easy to understand which changes need to get backportet and we 
should make sure we don't miss anything really important.

Thanks for shedding more light into the history.

I've closed it as "Not an Issue".

Best regards,
Martin


> -Original Message-
> From: Alan Bateman 
> Sent: Dienstag, 24. März 2020 10:53
> To: Langer, Christoph ; Doerr, Martin
> ; core-libs-dev@openjdk.java.net; jdk-updates-
> d...@openjdk.java.net
> Subject: Re: [11u] RFR(S): 8223326: Regression introduced by CPU sync:
> java.security.AccessControlException: access denied
> ("java.net.NetPermission" "setSocketImpl")
> 
> On 24/03/2020 08:19, Langer, Christoph wrote:
> >
> > Ah, I see... JDK-8218573 is JDK11u/JDK13u specific. Looks like it was 
> > derived
> from JDK-8217997 in jdk/jdk but pushed as a different bug. jdk/jdk was the
> only place where I was looking for JDK-8218573, so I couldn't find it.
> I don't have time to dig into this tangled web but it does appear that a
> backport issue was used instead of the main issue in at least one case.
> That might be part of the confusion with the JBS issues. It also appears
> that JDK-8223326 has been backported to several releases where it is not
> applicable.
> 
> >
> > By spec part you mean the "@throws SecurityException" sections? Do you
> think those should not have been part of the 11u/13u change? Should these
> be even rolled back?
> >
> The spec changes to NetPermission and the protected Socket constructor
> should not be in the update releases. If a security fix involves a spec
> clarification then a good starting assumption is that the scope of the
> change for the update releases, if applicable, will be bit different.
> 
> -Alan.

Re: [11u] RFR(S): 8223326: Regression introduced by CPU sync: java.security.AccessControlException: access denied ("java.net.NetPermission" "setSocketImpl")

2020-03-24 Thread Alan Bateman 

On 24/03/2020 08:19, Langer, Christoph wrote:


Ah, I see... JDK-8218573 is JDK11u/JDK13u specific. Looks like it was derived 
from JDK-8217997 in jdk/jdk but pushed as a different bug. jdk/jdk was the only 
place where I was looking for JDK-8218573, so I couldn't find it.
I don't have time to dig into this tangled web but it does appear that a 
backport issue was used instead of the main issue in at least one case. 
That might be part of the confusion with the JBS issues. It also appears 
that JDK-8223326 has been backported to several releases where it is not 
applicable.




By spec part you mean the "@throws SecurityException" sections? Do you think 
those should not have been part of the 11u/13u change? Should these be even rolled back?

The spec changes to NetPermission and the protected Socket constructor 
should not be in the update releases. If a security fix involves a spec 
clarification then a good starting assumption is that the scope of the 
change for the update releases, if applicable, will be bit different.


-Alan.

RE: [11u] RFR(S): 8223326: Regression introduced by CPU sync: java.security.AccessControlException: access denied ("java.net.NetPermission" "setSocketImpl")

2020-03-24 Thread Langer, Christoph 
> >> One other thing on this. It looks like the spec changes that were part
> >> of JDK-8218573 have been backported to jdk-updates/jdk11u-dev by
> >> mistake. Is that part of the issue that you are trying to fix?
> > I can't find/access JDK-8218573 and I also struggle to find a changelist 
> > that
> would resolve it (should it be a private bug). Did you misspell the number?
> Please help me.
> >
> JDK-8218573 was a security fix (restricted in JBS). The spec update for
> Java SE 13+ that was part of that change have found their way into the
> jdk11u-dev repo, the change for JDK 12 and older should have not
> included the spec change.
> 
> https://hg.openjdk.java.net/jdk-updates/jdk11u-dev/rev/c7602effc480

Ah, I see... JDK-8218573 is JDK11u/JDK13u specific. Looks like it was derived 
from JDK-8217997 in jdk/jdk but pushed as a different bug. jdk/jdk was the only 
place where I was looking for JDK-8218573, so I couldn't find it.

By spec part you mean the "@throws SecurityException" sections? Do you think 
those should not have been part of the 11u/13u change? Should these be even 
rolled back?

Thanks
Christoph

Re: [11u] RFR(S): 8223326: Regression introduced by CPU sync: java.security.AccessControlException: access denied ("java.net.NetPermission" "setSocketImpl")

2020-03-24 Thread Alan Bateman 

On 24/03/2020 07:33, Alan Bateman wrote:


The spec update for Java SE 13+ that was part of that change have 
found their way into the jdk11u-dev repo,
Sorry, I mean Java SE 14. It seems the spec change was accidentally 
pushed to 13.0.1 too.


-Alan

Re: [11u] RFR(S): 8223326: Regression introduced by CPU sync: java.security.AccessControlException: access denied ("java.net.NetPermission" "setSocketImpl")

2020-03-24 Thread Alan Bateman 




On 24/03/2020 06:42, Langer, Christoph wrote:

Hi Alan,


On 23/03/2020 18:07, Doerr, Martin wrote:

Hi,

I'd like to backport JDK-8223326 from jdk/jdk.


One other thing on this. It looks like the spec changes that were part
of JDK-8218573 have been backported to jdk-updates/jdk11u-dev by
mistake. Is that part of the issue that you are trying to fix?

I can't find/access JDK-8218573 and I also struggle to find a changelist that 
would resolve it (should it be a private bug). Did you misspell the number? 
Please help me.

JDK-8218573 was a security fix (restricted in JBS). The spec update for 
Java SE 13+ that was part of that change have found their way into the 
jdk11u-dev repo, the change for JDK 12 and older should have not 
included the spec change.


https://hg.openjdk.java.net/jdk-updates/jdk11u-dev/rev/c7602effc480

-Alan.

RE: [11u] RFR(S): 8223326: Regression introduced by CPU sync: java.security.AccessControlException: access denied ("java.net.NetPermission" "setSocketImpl")

2020-03-23 Thread Langer, Christoph 
Hi Alan,

> On 23/03/2020 18:07, Doerr, Martin wrote:
> > Hi,
> >
> > I'd like to backport JDK-8223326 from jdk/jdk.
> >
> One other thing on this. It looks like the spec changes that were part
> of JDK-8218573 have been backported to jdk-updates/jdk11u-dev by
> mistake. Is that part of the issue that you are trying to fix?

I can't find/access JDK-8218573 and I also struggle to find a changelist that 
would resolve it (should it be a private bug). Did you misspell the number? 
Please help me.

Thanks
Christoph

RE: [11u] RFR(S): 8223326: Regression introduced by CPU sync: java.security.AccessControlException: access denied ("java.net.NetPermission" "setSocketImpl")

2020-03-23 Thread Langer, Christoph 
Hi Alan,

> -Original Message-
> From: jdk-updates-dev  On
> Behalf Of Alan Bateman
> Sent: Montag, 23. März 2020 20:19
> To: Doerr, Martin ; core-libs-
> d...@openjdk.java.net; jdk-updates-...@openjdk.java.net
> Subject: Re: [11u] RFR(S): 8223326: Regression introduced by CPU sync:
> java.security.AccessControlException: access denied
> ("java.net.NetPermission" "setSocketImpl")
> 
> On 23/03/2020 18:07, Doerr, Martin wrote:
> > Hi,
> >
> > I'd like to backport JDK-8223326 from jdk/jdk.
> >
> > 11u backport issue:
> > https://bugs.openjdk.java.net/browse/JDK-8241460
> >
> > Original change:
> > https://hg.openjdk.java.net/jdk/jdk/rev/29624901d8bc
> >
> > 11u backport webrev:
> > http://cr.openjdk.java.net/~mdoerr/8223326_nio_socket_11u/webrev.00/
> >
> > I had to integrate the change manually due to context changes. However,
> the new code fits to the 11u versions.
> >
> > Please review.
> >
> Socket(SocketImpl) is only specified to do a permission check when the
> impl is non-null. The socket adaptor in JDK 12 and older releases
> doesn't have a dummy impl so the change should not be needed. If there
> is a security exception thrownhere then it suggests something may be
> broken elsewhere, do you have a stack trace?

I think you are completely right, that change is not required for 11u as it 
stands.

ServerSocketAdaptor::create in 11u would never enter a path that does a 
permission check and for SocketAdaptor:create the Socket constructor is called 
with a null impl, so checkPermission(null) will immediately return null.

We also don't have an indication that something is broken. My team is just 
doing an exercise to go through private JBS bugs that have been resolved in 
jdk/jdk after JDK11 was released and tries to asses which ones should/need to 
go into OpenJDK 11 updates, too. That's because we wouldn't see when Oracle 
would backport such bugs for their Oracle 11 Updates and we fear we'd miss 
something important otherwise.

But I suggest to withdraw this backport of JDK-8223326 and set JDK-8241460 to 
"Won't Fix".

Best regards
Christoph

RE: [11u] RFR(S): 8223326: Regression introduced by CPU sync: java.security.AccessControlException: access denied ("java.net.NetPermission" "setSocketImpl")

2020-03-23 Thread Langer, Christoph 
Hi Paul,

as Martin said, the original bug could not be opened by Oracle. I, however 
changed the bug created by Martin to a Backport item. Doing it that way would 
allow a "standard" backport of such type of issues while the original item that 
was pushed to head can remain invisible. We proceeded like that with other bugs 
already and it proved to work nicely.

Best regards
Christoph

> -Original Message-
> From: core-libs-dev  On Behalf
> Of Hohensee, Paul
> Sent: Montag, 23. März 2020 19:29
> To: Doerr, Martin ; core-libs-
> d...@openjdk.java.net; jdk-updates-...@openjdk.java.net
> Subject: RE: [11u] RFR(S): 8223326: Regression introduced by CPU sync:
> java.security.AccessControlException: access denied
> ("java.net.NetPermission" "setSocketImpl")
> 
> The changeset references JDK-8223326, which is private. If possible, ask
> Oracle to make it public so we can do a normal backport rather than file an
> 11u-specific issue. The backport itself looks fine.
> 
> Thanks,
> Paul
> 
> On 3/23/20, 11:08 AM, "jdk-updates-dev on behalf of Doerr, Martin"  updates-dev-boun...@openjdk.java.net on behalf of
> martin.do...@sap.com> wrote:
> 
> 
> Hi,
> 
> I'd like to backport JDK-8223326 from jdk/jdk.
> 
> 11u backport issue:
> https://bugs.openjdk.java.net/browse/JDK-8241460
> 
> Original change:
> https://hg.openjdk.java.net/jdk/jdk/rev/29624901d8bc
> 
> 11u backport webrev:
> 
> http://cr.openjdk.java.net/~mdoerr/8223326_nio_socket_11u/webrev.00/
> 
> I had to integrate the change manually due to context changes. However,
> the new code fits to the 11u versions.
> 
> Please review.
> 
> Best regards,
> Martin
> 
>

Re: [11u] RFR(S): 8223326: Regression introduced by CPU sync: java.security.AccessControlException: access denied ("java.net.NetPermission" "setSocketImpl")

2020-03-23 Thread Alan Bateman 




On 23/03/2020 19:39, Chris Hegarty wrote:


On 23 Mar 2020, at 19:18, Alan Bateman > wrote:



...

Socket(SocketImpl) is only specified to do a permission check when 
the impl is non-null. The socket adaptor in JDK 12 and older releases 
doesn't have a dummy impl so the change should not be needed. If 
there is a security exception thrownhere then it suggests something 
may be broken elsewhere, do you have a stack trace?


I suspect that only the ServerSocketAdapter part of the change is 
needed, since ServerSocket(SocketImpl) does a security check 
regardless of the value of the given SocketImpl.


The old ServerSocketAdapter implementation pre-dates that protected 
constructor. I don't have cycles to dig into what is going on in the 
update releases but if there is a security exception bring thrown in 
either case then it suggests that something is broken elsewhere.


-Alan

Re: [11u] RFR(S): 8223326: Regression introduced by CPU sync: java.security.AccessControlException: access denied ("java.net.NetPermission" "setSocketImpl")

2020-03-23 Thread Alan Bateman 




On 23/03/2020 18:07, Doerr, Martin wrote:

Hi,

I'd like to backport JDK-8223326 from jdk/jdk.

One other thing on this. It looks like the spec changes that were part 
of JDK-8218573 have been backported to jdk-updates/jdk11u-dev by 
mistake. Is that part of the issue that you are trying to fix?


-Alan

Re: [11u] RFR(S): 8223326: Regression introduced by CPU sync: java.security.AccessControlException: access denied ("java.net.NetPermission" "setSocketImpl")

2020-03-23 Thread Chris Hegarty 


> On 23 Mar 2020, at 19:18, Alan Bateman  wrote:
> 
>> ...
>> 
> Socket(SocketImpl) is only specified to do a permission check when the impl 
> is non-null. The socket adaptor in JDK 12 and older releases doesn't have a 
> dummy impl so the change should not be needed. If there is a security 
> exception thrownhere then it suggests something may be broken elsewhere, do 
> you have a stack trace?

I suspect that only the ServerSocketAdapter part of the change is needed, since 
ServerSocket(SocketImpl) does a security check regardless of the value of the 
given SocketImpl.

-Chris.

Re: [11u] RFR(S): 8223326: Regression introduced by CPU sync: java.security.AccessControlException: access denied ("java.net.NetPermission" "setSocketImpl")

2020-03-23 Thread Alan Bateman 

On 23/03/2020 18:07, Doerr, Martin wrote:

Hi,

I'd like to backport JDK-8223326 from jdk/jdk.

11u backport issue:
https://bugs.openjdk.java.net/browse/JDK-8241460

Original change:
https://hg.openjdk.java.net/jdk/jdk/rev/29624901d8bc

11u backport webrev:
http://cr.openjdk.java.net/~mdoerr/8223326_nio_socket_11u/webrev.00/

I had to integrate the change manually due to context changes. However, the new 
code fits to the 11u versions.

Please review.

Socket(SocketImpl) is only specified to do a permission check when the 
impl is non-null. The socket adaptor in JDK 12 and older releases 
doesn't have a dummy impl so the change should not be needed. If there 
is a security exception thrownhere then it suggests something may be 
broken elsewhere, do you have a stack trace?


-Alan

RE: [11u] RFR(S): 8223326: Regression introduced by CPU sync: java.security.AccessControlException: access denied ("java.net.NetPermission" "setSocketImpl")

2020-03-23 Thread Doerr, Martin 
Hi Paul,

thanks for the review.

We had already asked, but this one can't get opened up. I would have preferred 
a normal backport, too.

Best regards,
Martin


> -Original Message-
> From: Hohensee, Paul 
> Sent: Montag, 23. März 2020 19:29
> To: Doerr, Martin ; core-libs-
> d...@openjdk.java.net; jdk-updates-...@openjdk.java.net
> Subject: RE: [11u] RFR(S): 8223326: Regression introduced by CPU sync:
> java.security.AccessControlException: access denied
> ("java.net.NetPermission" "setSocketImpl")
> 
> The changeset references JDK-8223326, which is private. If possible, ask
> Oracle to make it public so we can do a normal backport rather than file an
> 11u-specific issue. The backport itself looks fine.
> 
> Thanks,
> Paul
> 
> On 3/23/20, 11:08 AM, "jdk-updates-dev on behalf of Doerr, Martin"  updates-dev-boun...@openjdk.java.net on behalf of
> martin.do...@sap.com> wrote:
> 
> 
> Hi,
> 
> I'd like to backport JDK-8223326 from jdk/jdk.
> 
> 11u backport issue:
> https://bugs.openjdk.java.net/browse/JDK-8241460
> 
> Original change:
> https://hg.openjdk.java.net/jdk/jdk/rev/29624901d8bc
> 
> 11u backport webrev:
> 
> http://cr.openjdk.java.net/~mdoerr/8223326_nio_socket_11u/webrev.00/
> 
> I had to integrate the change manually due to context changes. However,
> the new code fits to the 11u versions.
> 
> Please review.
> 
> Best regards,
> Martin
> 
>

RE: [11u] RFR(S): 8223326: Regression introduced by CPU sync: java.security.AccessControlException: access denied ("java.net.NetPermission" "setSocketImpl")

2020-03-23 Thread Hohensee, Paul 
The changeset references JDK-8223326, which is private. If possible, ask Oracle 
to make it public so we can do a normal backport rather than file an 
11u-specific issue. The backport itself looks fine.

Thanks,
Paul

On 3/23/20, 11:08 AM, "jdk-updates-dev on behalf of Doerr, Martin" 
 
wrote:


Hi,

I'd like to backport JDK-8223326 from jdk/jdk.

11u backport issue:
https://bugs.openjdk.java.net/browse/JDK-8241460

Original change:
https://hg.openjdk.java.net/jdk/jdk/rev/29624901d8bc

11u backport webrev:
http://cr.openjdk.java.net/~mdoerr/8223326_nio_socket_11u/webrev.00/

I had to integrate the change manually due to context changes. However, the 
new code fits to the 11u versions.

Please review.

Best regards,
Martin