Please take a look at

    cr.openjdk.java.net/~weijun/8168410/webrev.00

JDK-8164705 introduced a compatibility layer to make sure that when FilePermission on "/pwd/x" is granted you can still read "x". The compatibility layer has 2 parts:

1. Inside our own default policy provider.

2. Inside ProtectionDomain.

Multiple JCK tests fail because of #2. After some discussion, we decided to only enable #2 when a new system property jdk.security.filePermCompat is set.

This means if a user is using a customized policy implementation, the compatibility layer will not work, and granting a FilePermission on "x" will not allow the code to read "/pwd/x" when a security manager is on.

Hopefully this is acceptable because:

1. A customized policy implementation is seldom used.

2. After JDK-8164705, we advise users to update their policy file so that the FilePermission path matches how a file is actually accessed. So if an application is reading "/pwd/x", the permission on "/pwd/x" (instead of "x") should be granted.

Thanks
Max
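
The path matching that a customized policy implementation sees without the compatibility layer, as an added example that is not part of the original message or of the JDK change under review. The class and method names are hypothetical, and the relative name "x" with its absolute form stands in for "x" and "/pwd/x" from the message.

```java
import java.io.FilePermission;
import java.nio.file.Paths;
import java.security.PermissionCollection;
import java.util.ArrayList;
import java.util.List;

// Added illustration; FilePermPathAudit, covers and uncovered are hypothetical names.
public class FilePermPathAudit {

    // True when a read grant on grantedPath covers a read of accessedPath, using only
    // FilePermission's own matching (no policy provider, no ProtectionDomain).
    static boolean covers(String grantedPath, String accessedPath) {
        FilePermission granted = new FilePermission(grantedPath, "read");
        PermissionCollection pc = granted.newPermissionCollection();
        pc.add(granted);
        return pc.implies(new FilePermission(accessedPath, "read"));
    }

    // Returns the accessed paths that no grant covers: the entries a policy file
    // would need to list in exactly that form.
    static List<String> uncovered(List<String> grants, List<String> accesses) {
        List<String> missing = new ArrayList<>();
        for (String access : accesses) {
            boolean ok = false;
            for (String grant : grants) {
                if (covers(grant, access)) { ok = true; break; }
            }
            if (!ok) missing.add(access);
        }
        return missing;
    }

    public static void main(String[] args) {
        // Constructed sample paths: the same file named two ways.
        String rel = "x";
        String abs = Paths.get(rel).toAbsolutePath().toString();

        System.out.println("grant rel, read rel: " + covers(rel, rel));
        System.out.println("grant abs, read abs: " + covers(abs, abs));
        System.out.println("grant rel, read abs: " + covers(rel, abs));
        System.out.println("grant abs, read rel: " + covers(abs, rel));

        // A policy that grants only the relative form, audited against both access forms.
        System.out.println("not covered by grant on rel: "
                + uncovered(List.of(rel), List.of(rel, abs)));
    }
}
```

On a JDK that includes JDK-8164705 with default settings, the two mixed-form checks are the ones that fail, which is why the grant has to be written in the form the application actually uses.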
