Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8362175

Update CodeSource::implies API documentation and deprecate java.net.SocketPermission class for removal

XMLWordPrintable

    • Icon: CSR CSR
    • Resolution: Unresolved
    • Icon: P3 P3
    • 26
    • security-libs
    • None
    • behavioral
    • minimal
    • Java API
    • SE

      Summary

      Deprecate java.net.SocketPermission for removal. Remove dependencies on SocketPermission from java.security.CodeSource.implies().

      Problem

      SocketPermission should be deprecated for removal as has already been done for many other Permission subclasses - see JDK-8353680. However, CodeSource.implies() has specification dependencies on SocketPermission which requires additional changes to decouple those dependencies.

      Solution

      Deprecate SocketPermission for removal. Remove the dependencies on SocketPermission from CodeSource.implies() by copying the relevant conditions from SocketPermission.implies().

      Note that we may also eventually deprecate CodeSource.implies for removal but that requires more investigation.

      Specification

      For SocketPermission, the Deprecated annotation is added indicating deprecation for removal:

      ```
@Deprecated(since="25", orRemoval = true)
```

      The @apiNote is changed to @deprecated so that the javadoc includes the text:

      ```
Deprecated, for removal: This API element is subject to removal in a future version.
This permission cannot be used for controlling access to resources as the Security Manager is no longer supported.
```

      For CodeSource.implies(), the following condition:

      • If this object's host (getLocation().getHost()) is not null, then the SocketPermission constructed with this object's host must imply the SocketPermission constructed with codesource's host.

      is replaced with:

      • If this object's host (getLocation().getHost()) is not null, then the following checks are made in order:

        • If this object's host was initialized with a single IP address then one of codesource's IP addresses must be equal to this object's IP address.
        • If this object's host is a wildcard domain (such as *.example.com), then codesource's canonical host name (the name without any preceding *) must end with this object's canonical host name. For example, *.example.com implies *.foo.example.com.
        • If this object's host was not initialized with a single IP address, then one of this object's IP addresses must equal one of codesource's IP addresses or this object's canonical host name must equal codesource's canonical host name.

            mullan Sean Mullan
            dfuchs Daniel Fuchs
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Created:
              Updated: