- Type: CSR
- Resolution: Approved
- Priority: P3
- Component/s: security-libs
- None
- minimal
- Java API
- SE
Summary
Deprecate java.net.SocketPermission for removal. Remove dependencies on SocketPermission from java.security.CodeSource.implies().
Problem
SocketPermission should be deprecated for removal, as has already been done for many other Permission subclasses (see JDK-8353680). However, the specification of CodeSource.implies() depends on SocketPermission, so additional changes are required to decouple those dependencies.
We want to decouple these dependencies so SocketPermission and CodeSource.implies() can be deprecated and/or removed independently of each other.
Solution
Deprecate SocketPermission for removal. Remove the dependencies on SocketPermission from CodeSource.implies() by copying the relevant conditions from SocketPermission.implies().
This is strictly a docs change. There is no behavior change. The implementation remains the same.
Note that we may also eventually deprecate CodeSource.implies for removal but that requires more investigation.
Specification
For SocketPermission, the Deprecated annotation is added indicating deprecation for removal:
@Deprecated(since="26", forRemoval = true)
The @apiNote is changed to @deprecated so that the javadoc includes the text:
This permission cannot be used for controlling access to resources as the Security Manager is no longer supported.
For CodeSource.implies(), the following condition:
- If this object's host (getLocation().getHost()) is not null, then the SocketPermission constructed with this object's host must imply the SocketPermission constructed with <i>codesource</i>'s host.
is replaced with:
- If this object's host (getLocation().getHost()) is not null, then the following checks are made in order:
  * If this object's host was initialized with a single IP address then one of <i>codesource</i>'s IP addresses must be equal to this object's IP address.
  * If this object's host is a wildcard domain (such as *.example.com), then <i>codesource</i>'s canonical host name (the name without any preceding *) must end with this object's canonical host name. For example, *.example.com implies *.foo.example.com.
  * If this object's host was not initialized with a single IP address, then one of this object's IP addresses must equal one of <i>codesource</i>'s IP addresses or this object's canonical host name must equal <i>codesource</i>'s canonical host name.
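The three ordered host checks above can be modeled as follows. This is an added illustration, not code from the JDK or from this CSR: the `Host` record, the `hostImplies` method and every sample host and address are constructed, name resolution results are supplied by hand so the model runs offline, and only IPv4 literals are recognized as a "single IP address".

```java
import java.util.List;

// Added illustration of the replacement wording; not the JDK implementation.
public class HostImpliesModel {
    // Hypothetical holder: the host as written, plus constructed resolution results.
    record Host(String spec, String canonicalName, List<String> addresses) {
        boolean wildcard() { return spec.startsWith("*"); }
        // Assumption: "initialized with a single IP address" means an IPv4 literal here.
        boolean singleIp() { return spec.matches("\\d{1,3}(\\.\\d{1,3}){3}"); }
    }

    // Applies the checks in the order the specification lists them.
    static boolean hostImplies(Host self, Host other) {
        if (self.singleIp()) {
            // Check 1: one of the other's addresses must equal this object's address.
            return other.addresses().contains(self.addresses().get(0));
        }
        if (self.wildcard()) {
            // Check 2: suffix match on the canonical name (the spec minus the
            // leading '*'). The leading '.' stays in the name, so a look-alike
            // such as badexample.com does not match *.example.com.
            return other.canonicalName().endsWith(self.canonicalName());
        }
        // Check 3: any shared address, or equal canonical names.
        return self.addresses().stream().anyMatch(other.addresses()::contains)
                || self.canonicalName().equals(other.canonicalName());
    }

    public static void main(String[] args) {
        // Constructed sample data (documentation domains and address ranges).
        Host wild = new Host("*.example.com", ".example.com", List.of());
        Host sub = new Host("*.foo.example.com", ".foo.example.com", List.of());
        Host lookalike = new Host("badexample.com", "badexample.com",
                List.of("198.51.100.7"));
        Host ip = new Host("192.0.2.10", "192.0.2.10", List.of("192.0.2.10"));
        Host named = new Host("app.example.com", "app.example.com",
                List.of("192.0.2.10", "192.0.2.11"));

        System.out.println("wildcard -> sub-wildcard: " + hostImplies(wild, sub));
        System.out.println("sub-wildcard -> wildcard: " + hostImplies(sub, wild));
        System.out.println("wildcard -> look-alike:   " + hostImplies(wild, lookalike));
        System.out.println("IP literal -> named host: " + hostImplies(ip, named));
        System.out.println("named host -> look-alike: " + hostImplies(named, lookalike));
    }
}
```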
- csr of: JDK-8356557 Update CodeSource::implies API documentation and deprecate java.net.SocketPermission class for removal (Resolved)