On Sun, 19 May 2024 05:01:32 GMT, Joe Wang wrote:
>> Add two sample configuration files:
>>
>> jaxp-strict.properties: used to set strict configuration, stricter than
>> jaxp.properties in previous versions such as JDK 22
>>
>>> jaxp-compat.properties: used to regain compatibility from any
On Mon, 20 May 2024 12:55:24 GMT, Alan Bateman wrote:
>> src/java.xml/share/classes/module-info.java line 444:
>>
>>> 442: *
>>> 443: * Deploying with this configuration prevents processors from
>>> unknowingly making
>>> 444: * outbound network connections to fetch DTDs, or process XML that
On Fri, 24 May 2024 16:36:32 GMT, Joe Wang wrote:
>> Add two sample configuration files:
>>
>> jaxp-strict.properties: used to set strict configuration, stricter than
>> jaxp.properties in previous versions such as JDK 22
>>
>>> jaxp-compat.properties: used to regain compatibility from any
On Tue, 28 May 2024 16:27:24 GMT, Joe Wang wrote:
>> Add two sample configuration files:
>>
>> jaxp-strict.properties: used to set strict configuration, stricter than
>> jaxp.properties in previous versions such as JDK 22
>>
>>> jaxp-compat.properties: used to regain compatibility from any
On Thu, 2 Mar 2023 12:03:44 GMT, Pavel Rappo wrote:
> Please review this superficial documentation cleanup that was triggered by
> unrelated analysis of doc comments in JDK API.
>
> The only effect that this multi-area PR has on the JDK API Documentation
> (i.e. the observable effect on the ge
On Tue, 15 Oct 2024 15:52:13 GMT, David M. Lloyd wrote:
>> OK
>
> While I disagree with this change on the principle of "the system should
> operate as if no security manager were installed", the workaround for callers
> is actually rather simple:
>
>
> if (System.getSecurityManager() != null
This is the implementation of JEP 486: Permanently Disable the Security
Manager. See [JEP 486](https://openjdk.org/jeps/486) for more details. The
[CSR](https://bugs.openjdk.org/browse/JDK-8338412) describes in detail the main
changes in the JEP and also includes an apidiff of the specification
On Tue, 15 Oct 2024 16:34:06 GMT, David M. Lloyd wrote:
>> While making `LogManager.checkAccess` be a no-op might be more convenient,
>> it could unconditionally
>> permit operations that formerly required a permission check: clearly a bad
>> idea. Always throwing a `SecurityException` is the s
ager enabled. After we integrate this JEP,
> those calls will be removed in each area (client-libs, core-libs, security,
> etc).
>
> I don't expect each reviewer to review all the code changes in this JEP.
> Rather, I advise that you only focus on the changes for the area
>
On Thu, 17 Oct 2024 05:54:24 GMT, Alan Bateman wrote:
>> Ok, I'll also add an API note to `getClassContext()` to use `StackWalker`
>> instead.
>
> Okay, it already has `@see StackWalker`. My guess is that anything extending
> SM to call getClassContext is very old code. If that old code is comp
On Wed, 16 Oct 2024 20:42:11 GMT, Sean Mullan wrote:
>> The description for the SecurityException thrown by these methods were
>> adjusted to "if access to the screen is denied by desktop environment". If
>> you bring back the paragraphs that were removed then you
On Tue, 15 Oct 2024 17:01:59 GMT, Sean Mullan wrote:
>>> While making `LogManager.checkAccess` be a no-op might be more convenient,
>>> it could unconditionally permit operations that formerly required a
>>> permission check: clearly a bad idea. Always throwing a
On Tue, 15 Oct 2024 14:50:54 GMT, Daniel Fuchs wrote:
>> Sean Mullan has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains 97 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486' into J
On Thu, 17 Oct 2024 17:59:20 GMT, Sean Mullan wrote:
>> All JGSS permission classes follow the same style:
>>
>> In `javax.security.auth.kerberos.DelegationPermission`:
>>
>> * This class is used to restrict the usage of the Kerberos
>> * delegation
On Tue, 15 Oct 2024 22:14:00 GMT, Sean Mullan wrote:
>> src/java.management/share/classes/javax/management/remote/JMXConnectorFactory.java
>> line 225:
>>
>>> 223: */
>>> 224: public static JMXConnector connect(JMXServiceURL serviceURL)
>
On Sat, 19 Oct 2024 07:54:07 GMT, Alan Bateman wrote:
> There are a couple of micro benchmarks in test/micro that fork with
> `jvmArgsPrepend={"-Djava.security.manager=allow"})`, they will need to be
> examined.
Fixed, will be in next drop. There are a couple of other micro tests that test
th
On Wed, 16 Oct 2024 15:53:33 GMT, Alan Bateman wrote:
>> **SLF4J** currently depends on this method when logger name mismatch
>> detection is enabled.
>>
>>
>>
>> See also:
>> - https://github.com/qos-ch/slf4j/pul
On Wed, 16 Oct 2024 06:58:40 GMT, Alan Bateman wrote:
>> Ok, I will revert it.
>
> The description for the SecurityException thrown by these methods were
> adjusted to "if access to the screen is denied by desktop environment". If
> you bring back the paragraphs that were removed then you might
On Wed, 16 Oct 2024 13:28:47 GMT, Weijun Wang wrote:
>> This is the implementation of JEP 486: Permanently Disable the Security
>> Manager. See [JEP 486](https://openjdk.org/jeps/486) for more details. The
>> [CSR](https://bugs.openjdk.org/browse/JDK-8338412) describes in detail the
>> main ch
On Tue, 22 Oct 2024 08:09:01 GMT, Prasanta Sadhukhan
wrote:
>> Sean Mullan has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains 97 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486&#
On Tue, 29 Oct 2024 06:32:59 GMT, Alan Bateman wrote:
>> src/java.base/share/classes/java/util/concurrent/Executors.java line 529:
>>
>>> 527: * execute the given {@code callable} under the current access
>>> 528: * control context, with the current context class loader as the
>>> 529:
On Mon, 28 Oct 2024 21:00:35 GMT, Sean Mullan wrote:
>> Sean Mullan has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains 186 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486' into J
ager enabled. After we integrate this JEP,
> those calls will be removed in each area (client-libs, core-libs, security,
> etc).
>
> I don't expect each reviewer to review all the code changes in this JEP.
> Rather, I advise that you only focus on the changes for the area
>
On Sun, 27 Oct 2024 00:15:24 GMT, Brent Christian wrote:
>> Sean Mullan has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains 97 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486' int
On Fri, 25 Oct 2024 19:55:33 GMT, Roger Riggs wrote:
>> Sean Mullan has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains 150 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486' into JD
On Fri, 25 Oct 2024 20:07:57 GMT, Roger Riggs wrote:
>> Sean Mullan has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains 186 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486' into J
On Wed, 23 Oct 2024 11:58:26 GMT, Alan Bateman wrote:
>> test/jdk/java/lang/invoke/RevealDirectTest.java line 33:
>>
>>> 31: * @test
>>> 32: * @summary verify Lookup.revealDirect on a variety of input handles,
>>> with security manager
>>> 33: * @run
>>> main/othervm/policy=jtreg.security.p
On Thu, 24 Oct 2024 20:27:33 GMT, Alexey Ivanov wrote:
>> @seanjmullan Can you please advice on some of the following src file javadoc
>> related review comments. Do they need to be handled in this PR? Some of them
>> seem out-of-scope for jep486 PR.
>
> @honkar-jdk I'm inclined to leave it as
On Mon, 21 Oct 2024 22:51:54 GMT, Mandy Chung wrote:
>> Sean Mullan has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains 97 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486' into J
ager enabled. After we integrate this JEP,
> those calls will be removed in each area (client-libs, core-libs, security,
> etc).
>
> I don't expect each reviewer to review all the code changes in this JEP.
> Rather, I advise that you only focus on the changes for the area
>
On Mon, 28 Oct 2024 21:02:44 GMT, Sean Mullan wrote:
>> Sean Mullan has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains 175 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486' i
ager enabled. After we integrate this JEP,
> those calls will be removed in each area (client-libs, core-libs, security,
> etc).
>
> I don't expect each reviewer to review all the code changes in this JEP.
> Rather, I advise that you only focus on the changes for the area
>
ager enabled. After we integrate this JEP,
> those calls will be removed in each area (client-libs, core-libs, security,
> etc).
>
> I don't expect each reviewer to review all the code changes in this JEP.
> Rather, I advise that you only focus on the changes for the area
>
On Tue, 5 Nov 2024 18:58:22 GMT, Sean Mullan wrote:
>> This is the implementation of JEP 486: Permanently Disable the Security
>> Manager. See [JEP 486](https://openjdk.org/jeps/486) for more details. The
>> [CSR](https://bugs.openjdk.org/browse/JDK-8338412) describes in d
On Sun, 3 Nov 2024 12:33:05 GMT, Alan Bateman wrote:
>> Right - this paragraph - lines 1620-1625 (old file) / 1362-1367 (new file)
>> is no longer relevant and should be removed too. Thanks for spotting that.
>
> Removed in jep486 branch in sandbox so will get picked up when PR is
> refreshed.
On Fri, 25 Oct 2024 20:44:25 GMT, Roger Riggs wrote:
>> Sean Mullan has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains 150 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486' into JD
On Mon, 28 Oct 2024 20:12:27 GMT, Roger Riggs wrote:
> Reviewed all tests under test/jaxp/javax/xml/jaxp. A few imports moved around
> unnecessarily but otherwise looks fine.
JAXP test comments fixed in
https://github.com/openjdk/jdk/pull/21498/commits/5577e4884710eba498ee5f40fa85d47eaa07364d
On Fri, 25 Oct 2024 21:18:41 GMT, Sean Mullan wrote:
> Comments on `java.security` classes.
>
> Also, I'd like to see some clarifications on what "the installed policy" or
> "the current policy" is. The `ProtectionDomain` mentions this when talking
>
On Tue, 29 Oct 2024 14:19:05 GMT, Weijun Wang wrote:
>> test/jdk/javax/xml/crypto/dsig/ErrorHandlerPermissions.java line 1:
>>
>>> 1: /*
>>
>> @wangweij It looks like this test can be deleted as it was specifically
>> trying to check that a `SecurityException` wasn't thrown, or did you think
On Tue, 29 Oct 2024 18:35:05 GMT, Brent Christian wrote:
>> Sean Mullan has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains 186 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486&#
On Wed, 30 Oct 2024 19:28:32 GMT, Sean Mullan wrote:
>> This is the implementation of JEP 486: Permanently Disable the Security
>> Manager. See [JEP 486](https://openjdk.org/jeps/486) for more details. The
>> [CSR](https://bugs.openjdk.org/browse/JDK-8338412) describes in d
On Tue, 29 Oct 2024 17:07:56 GMT, Harshitha Onkar wrote:
>> src/java.desktop/share/classes/java/awt/Font.java line 1613:
>>
>>> 1611: * interpreted as a {@code Font} object according to the
>>> 1612: * specification of {@code Font.decode(String)}
>>> 1613: * If the specified prope
ager enabled. After we integrate this JEP,
> those calls will be removed in each area (client-libs, core-libs, security,
> etc).
>
> I don't expect each reviewer to review all the code changes in this JEP.
> Rather, I advise that you only focus on the changes for the area
>
On Tue, 22 Oct 2024 20:23:52 GMT, Roger Riggs wrote:
>> Sean Mullan has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains 97 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486' into J
On Fri, 25 Oct 2024 20:48:14 GMT, Sean Mullan wrote:
>> src/java.base/share/classes/java/security/AccessControlContext.java line 32:
>>
>>> 30:
>>> 31: /**
>>> 32: * AccessControlContext was used with a SecurityManager for access
>>> contro
On Fri, 25 Oct 2024 20:59:07 GMT, Roger Riggs wrote:
>> Sean Mullan has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains 150 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486' into JD
On Tue, 22 Oct 2024 20:20:16 GMT, Roger Riggs wrote:
>> Sean Mullan has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains 97 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486' into J
On Fri, 25 Oct 2024 13:44:56 GMT, Sean Mullan wrote:
>> src/java.base/share/classes/java/io/SerializablePermission.java line 40:
>>
>>> 38: *
>>> 39: * @apiNote
>>> 40: * This permission cannot be used for controlling access to resources
>>>
On Tue, 22 Oct 2024 20:55:30 GMT, Harshitha Onkar wrote:
>> test/jdk/javax/swing/JEditorPane/8080972/TestJEditor.java line 49:
>>
>>> 47: SwingUtilities.invokeAndWait(TestJEditor::testJEditorPane);
>>> 48: }
>>> 49:
>>
>> Is there any need to catch the exception and rethrow Runtime
On Tue, 22 Oct 2024 21:01:24 GMT, Harshitha Onkar wrote:
>> test/jdk/javax/swing/UIDefaults/6795356/TableTest.java line 45:
>>
>>> (failed to retrieve contents of file, check the PR for context)
>> I guess we can test this without SM since it tests SwingLazyValue?
>
> I believe I had removed thi
On Wed, 23 Oct 2024 13:07:49 GMT, Daniel Fuchs wrote:
>> test/jdk/java/net/httpclient/websocket/security/WSURLPermissionTest.java
>> line 342:
>>
>>> 340: throws Exception
>>> 341: {
>>> 342: action.run();
>>
>> testWithNoSecurityManager was previously a sanity check, the t
On Fri, 25 Oct 2024 23:45:26 GMT, Weijun Wang wrote:
>> I'm not sure what would be a useful message. All the `SecurityManager` check
>> methods throw a `SecurityException` with no message. We had to specify
>> something here because `AccessControlException` doesn't have a no-args ctor.
>
> I se
On Mon, 21 Oct 2024 22:57:10 GMT, Mandy Chung wrote:
>> Sean Mullan has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains 97 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486' into J
On Thu, 24 Oct 2024 15:04:08 GMT, Alexey Ivanov wrote:
>> Sean Mullan has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains 150 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486&
On Fri, 25 Oct 2024 21:02:37 GMT, Sean Mullan wrote:
>> src/java.base/share/classes/java/security/Policy.java line 90:
>>
>>> 88: * and subject to removal in a future release. Consequently, this
>>> class
>>> 89: * is also depreca
On Tue, 15 Oct 2024 22:09:59 GMT, Sean Mullan wrote:
>> src/java.base/share/classes/java/net/URLClassLoader.java line 667:
>>
>>> 665: * @param codesource the codesource
>>> 666: * @throwsNullPointerException if {@code codesource} is {@code
>>
On Fri, 25 Oct 2024 18:52:24 GMT, Alexey Ivanov wrote:
>> @aivanov-jdk
>> On macOS, popup is shifted up and does not cover the taskbar even without
>> SM.
>>
>>> The updated test bug6694823.java works correctly on Windows and displays
>>> its popup over the Windows taskbar — it is expected.
On Fri, 25 Oct 2024 20:34:31 GMT, Sean Mullan wrote:
>> src/java.base/share/classes/java/security/Security.java line 489:
>>
>>> 487:
>>> 488: /**
>>> 489: * Adds a provider to the next position available..
>>
>> Two periods at t
On Thu, 24 Oct 2024 15:57:25 GMT, Alexey Ivanov wrote:
>> Sean Mullan has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains 150 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486&
On Fri, 25 Oct 2024 23:20:02 GMT, Alexander Zuev wrote:
>> Right the JBS is about SM & SecurityException, but the test was repurposed
>> to check if InvalidMidiDataException is thrown and to test this case for
>> code coverage (when it was initially reviewed).
>> I can update the test summary
On Thu, 24 Oct 2024 15:01:44 GMT, Alexey Ivanov wrote:
>> Sean Mullan has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains 150 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486&
On Fri, 25 Oct 2024 23:58:33 GMT, Weijun Wang wrote:
>>> The class spec still mentions "permissions which are retrieved by the
>>> system policy by default". Shall we remove it?
>>
>> Yes I think we can remove that text.
>>
>>> Also, getPermissions always returns an empty Permissions object,
On Fri, 25 Oct 2024 20:31:40 GMT, Harshitha Onkar wrote:
>> test/jdk/javax/swing/JPopupMenu/6691503/bug6691503.java line 1:
>>
>>> 1: /*
>>
>> I think we can delete this test. It verifies that popup menus are displayed
>> in a windows `isAlwaysOnTop() == true` in stand-alone apps whereas for
ager enabled. After we integrate this JEP,
> those calls will be removed in each area (client-libs, core-libs, security,
> etc).
>
> I don't expect each reviewer to review all the code changes in this JEP.
> Rather, I advise that you only focus on the changes for the area
>
On Thu, 24 Oct 2024 19:33:23 GMT, Roger Riggs wrote:
>> Sean Mullan has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains 150 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486' into JD
On Mon, 28 Oct 2024 12:29:07 GMT, Sean Mullan wrote:
>> This is the implementation of JEP 486: Permanently Disable the Security
>> Manager. See [JEP 486](https://openjdk.org/jeps/486) for more details. The
>> [CSR](https://bugs.openjdk.org/browse/JDK-8338412) describes in d
On Wed, 23 Oct 2024 12:14:24 GMT, Alan Bateman wrote:
>> Sean Mullan has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains 97 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486' into J
On Tue, 22 Oct 2024 21:36:06 GMT, Mandy Chung wrote:
> Reviewed test/jdk/java/lang/** and test/jdk/sun/reflect/* tests.
Thanks for the comprehensive review. I have incorporated all of your comments
except for removing the enum from
`java/lang/Class/getDeclaredField/FieldSetAccessibleTest.java`
On Mon, 14 Oct 2024 13:52:24 GMT, Sean Mullan wrote:
> This is the implementation of JEP 486: Permanently Disable the Security
> Manager. See [JEP 486](https://openjdk.org/jeps/486) for more details. The
> [CSR](https://bugs.openjdk.org/browse/JDK-8338412) describes in detail th
On Thu, 24 Oct 2024 17:03:25 GMT, Alexey Ivanov wrote:
>> Sean Mullan has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains 150 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486&
On Fri, 8 Nov 2024 18:31:13 GMT, Harshitha Onkar wrote:
>> It has a value… when it's mentioned with `@see`, the link is present in the
>> *See Also* section, as you can see in the the specification of
>> [`MouseInfo.getPointerInfo()`](https://docs.oracle.com/en/java/javase/21/docs/api/java.desk
On Fri, 1 Nov 2024 19:40:03 GMT, Alexey Ivanov wrote:
>> Sean Mullan has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains 200 commits:
>>
>> - Merge remote-tracking branch 'jdk-sandbox/jep486' into
ager enabled. After we integrate this JEP,
> those calls will be removed in each area (client-libs, core-libs, security,
> etc).
>
> I don't expect each reviewer to review all the code changes in this JEP.
> Rather, I advise that you only focus on the changes for the area
>
ager enabled. After we integrate this JEP,
> those calls will be removed in each area (client-libs, core-libs, security,
> etc).
>
> I don't expect each reviewer to review all the code changes in this JEP.
> Rather, I advise that you only focus on the changes for the area
>
On Fri, 25 Oct 2024 19:44:54 GMT, Weijun Wang wrote:
> Comments on `java.security` classes.
>
> Also, I'd like to see some clarifications on what "the installed policy" or
> "the current policy" is. The `ProtectionDomain` mentions this when talking
> about dynamic permissions. On the other han
On Tue, 15 Oct 2024 13:51:18 GMT, Daniel Fuchs wrote:
>> This is the implementation of JEP 486: Permanently Disable the Security
>> Manager. See [JEP 486](https://openjdk.org/jeps/486) for more details. The
>> [CSR](https://bugs.openjdk.org/browse/JDK-8338412) describes in detail the
>> main c
On Tue, 15 Oct 2024 15:01:00 GMT, Daniel Fuchs wrote:
>> This is the implementation of JEP 486: Permanently Disable the Security
>> Manager. See [JEP 486](https://openjdk.org/jeps/486) for more details. The
>> [CSR](https://bugs.openjdk.org/browse/JDK-8338412) describes in detail the
>> main c
On Tue, 15 Oct 2024 19:11:24 GMT, Mandy Chung wrote:
>> This is the implementation of JEP 486: Permanently Disable the Security
>> Manager. See [JEP 486](https://openjdk.org/jeps/486) for more details. The
>> [CSR](https://bugs.openjdk.org/browse/JDK-8338412) describes in detail the
>> main ch
On Tue, 15 Oct 2024 21:17:37 GMT, Phil Race wrote:
>> This is the implementation of JEP 486: Permanently Disable the Security
>> Manager. See [JEP 486](https://openjdk.org/jeps/486) for more details. The
>> [CSR](https://bugs.openjdk.org/browse/JDK-8338412) describes in detail the
>> main chan
On Thu, 17 Oct 2024 11:24:56 GMT, Weijun Wang wrote:
>> In general, I tried to remove any text from the Permission classes that
>> described behavior if the permissions were granted. So in the above I
>> removed the text because it had words like "protect" and "accessed" and
>> referred to `co
ager enabled. After we integrate this JEP,
> those calls will be removed in each area (client-libs, core-libs, security,
> etc).
>
> I don't expect each reviewer to review all the code changes in this JEP.
> Rather, I advise that you only focus on the changes for the area
>
81 matches
Mail list logo
