-
Bug
-
Resolution: Won't Fix
-
P4
-
None
-
None
-
None
Consider this trivial Java code:
import java.net.*;
public class Test {
public static void main(final String[] args) throws Exception {
@SuppressWarnings("removal")
final SecurityManager sm = System.getSecurityManager();
if (sm == null) {
System.err.println("Usage error: This test requires security manager to be enabled");
System.exit(1);
return;
}
sm.checkPermission(new URLPermission("http://127.0.0.1:8080", "GET:*"));
System.out.println("Success");
}
}
All it does is call the SecurityManager.checkPermission(...)
Now consider the corresponding security policy file named test.policy:
grant codeBase "file:./-" {
permission java.net.URLPermission "http://127.0.0.1:*/-", "GET";
permission java.net.URLPermission "https://127.0.0.1:*/-", "GET";
};
Place both the java file and the policy file in the same directory and run the following commands:
- cd <the-dir-containing-the-files>
- javac Test.java
- java -cp . -Djava.security.manager=default -Djava.security.policy=test.policy Test
when the above java command is issued, you will see:
WARNING: A command line option has enabled the Security Manager
WARNING: The Security Manager is deprecated and will be removed in a future release
java.security.policy: error adding Permission, java.net.URLPermission:
java.util.ServiceConfigurationError: Locale provider adapter "CLDR"cannot be instantiated.
java.security.policy: error adding Permission, java.net.URLPermission:
java.util.ServiceConfigurationError: Locale provider adapter "CLDR"cannot be instantiated.
Exception in thread "main" java.security.AccessControlException: access denied ("java.net.URLPermission" "http://127.0.0.1:8080" "GET:*")
at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:488)
at java.base/java.security.AccessController.checkPermission(AccessController.java:1071)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:411)
at Test.main(Test.java:12)
Ignore the exception, but notice the error message before the exception:
java.security.policy: error adding Permission, java.net.URLPermission:
java.util.ServiceConfigurationError: Locale provider adapter "CLDR"cannot be instantiated.
java.security.policy: error adding Permission, java.net.URLPermission:
java.util.ServiceConfigurationError: Locale provider adapter "CLDR"cannot be instantiated.
So the policy file parsing is failing to parse the two URLPermissions that have been configured in the file.
The error message is strange and doesn't have any other detail.
The java version in use is:
openjdk 20 2023-03-21
OpenJDK Runtime Environment (build 20+36-2344)
OpenJDK 64-Bit Server VM (build 20+36-2344, mixed mode, sharing)
This is reproducible even in mainline jdk repo.
import java.net.*;
public class Test {
public static void main(final String[] args) throws Exception {
@SuppressWarnings("removal")
final SecurityManager sm = System.getSecurityManager();
if (sm == null) {
System.err.println("Usage error: This test requires security manager to be enabled");
System.exit(1);
return;
}
sm.checkPermission(new URLPermission("http://127.0.0.1:8080", "GET:*"));
System.out.println("Success");
}
}
All it does is call the SecurityManager.checkPermission(...)
Now consider the corresponding security policy file named test.policy:
grant codeBase "file:./-" {
permission java.net.URLPermission "http://127.0.0.1:*/-", "GET";
permission java.net.URLPermission "https://127.0.0.1:*/-", "GET";
};
Place both the java file and the policy file in the same directory and run the following commands:
- cd <the-dir-containing-the-files>
- javac Test.java
- java -cp . -Djava.security.manager=default -Djava.security.policy=test.policy Test
when the above java command is issued, you will see:
WARNING: A command line option has enabled the Security Manager
WARNING: The Security Manager is deprecated and will be removed in a future release
java.security.policy: error adding Permission, java.net.URLPermission:
java.util.ServiceConfigurationError: Locale provider adapter "CLDR"cannot be instantiated.
java.security.policy: error adding Permission, java.net.URLPermission:
java.util.ServiceConfigurationError: Locale provider adapter "CLDR"cannot be instantiated.
Exception in thread "main" java.security.AccessControlException: access denied ("java.net.URLPermission" "http://127.0.0.1:8080" "GET:*")
at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:488)
at java.base/java.security.AccessController.checkPermission(AccessController.java:1071)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:411)
at Test.main(Test.java:12)
Ignore the exception, but notice the error message before the exception:
java.security.policy: error adding Permission, java.net.URLPermission:
java.util.ServiceConfigurationError: Locale provider adapter "CLDR"cannot be instantiated.
java.security.policy: error adding Permission, java.net.URLPermission:
java.util.ServiceConfigurationError: Locale provider adapter "CLDR"cannot be instantiated.
So the policy file parsing is failing to parse the two URLPermissions that have been configured in the file.
The error message is strange and doesn't have any other detail.
The java version in use is:
openjdk 20 2023-03-21
OpenJDK Runtime Environment (build 20+36-2344)
OpenJDK 64-Bit Server VM (build 20+36-2344, mixed mode, sharing)
This is reproducible even in mainline jdk repo.