Bug ID: JDK-6648816 REGRESSION: setting -Djava.security.debug=failure result in NPE in ACC

Details
Type: Bug
Submit Date: 2008-01-09
Status: Closed
Updated Date: 2011-03-07
Project Name: JDK
Resolved Date: 2011-03-07
Component: security-libs
OS: solaris_2.5.1
Sub-Component: java.security
CPU: sparc
Priority: P3
Resolution: Fixed
Affected Versions: 6u4
Fixed Versions:

Related Reports
Backport:
Backport:
Backport:

Sub Tasks

Description
1) Write a simple negative (junit) test that uses AccessController.checkPermission

    public void testACCNeg() {
        try {
            AccessController.checkPermission(new TestPermission("nonExistPermission"));
            fail("Authorization check should have failed");
        } catch (SecurityException se) {
            // expected: the permission is not granted
        }
    }

2) Run this test with -Djava.security.debug=failure, and you will see output similar to the following:

     [java] TestCase: testACCNeg
     [java] ERROR Message: java.lang.NullPointerException
     [java]     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:311)
     [java]     at java.security.AccessController.checkPermission(AccessController.java:546)

3) Here is the offending code in AccessController.java:

    if (!dumpDebug) {
        debug.println("access denied " + perm);
    }

The conditional is incorrect and the field debug is null -- hence the NPE. The "!" should be removed.

Release Regression From : 6u3
The above release value was the last known release where this 
bug was not reproducible. Since then there has been a regression.

Release Regression From : 6
The above release value was the last known release where this 
bug was not reproducible. Since then there has been a regression.

                                    

Comments
WORK AROUND

The only workaround is to NOT set -Djava.security.debug=failure, which is really not a workaround and is considered a very severe restriction considering the limited debug logging facility available in JVM.
                                     
2008-01-09
EVALUATION

AccessControlContext.checkPermission(Permission) does not check the 'debug' instance.
                                     
2008-01-10
WORK AROUND

Just like the "stack" and "domain" debug options, "failure" only works as a sub-option of "access". To enable the "failure" option, please use -Djava.security.debug=access,failure.
                                     
2008-01-10
WORK AROUND

Actually, the customer states that they used "access,failure" when they ran into the NPE.
                                     
2008-01-14
WORK AROUND

If users want the 'failure' debug message, they have to enable the security manager. As a workaround, "-Djava.security.manager -Djava.security.debug=access,failure" is the expected definition.
                                     
2008-02-15
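
The inverted guard from the description and the missing null check noted in the evaluation, as an added Java model that is not JDK source or code from this report. The class `DebugGuardDemo`, its method names, and the rule that `dumpDebug` is true only when `debug` is non-null are assumptions of the model.

```java
import java.io.PrintStream;

// Constructed model of the denial path described in the report; not JDK source.
public class DebugGuardDemo {
    // Null when debug logging is off, as the report says of the 'debug' field.
    private final PrintStream debug;
    // Assumption of this model: dumpDebug can only be true when debug is non-null.
    private final boolean dumpDebug;

    DebugGuardDemo(PrintStream debug) {
        this.debug = debug;
        this.dumpDebug = (debug != null);
    }

    // Inverted guard quoted in the report: tries to log exactly when logging is off.
    void denyAsReported(String perm) {
        if (!dumpDebug) {
            debug.println("access denied " + perm); // NPE when debug == null
        }
        throw new SecurityException("access denied " + perm);
    }

    // Guard with the "!" removed, plus an explicit null check on debug.
    void denyGuarded(String perm) {
        if (dumpDebug && debug != null) {
            debug.println("access denied " + perm);
        }
        throw new SecurityException("access denied " + perm);
    }

    static String outcome(Runnable check) {
        try {
            check.run();
            return "no exception";
        } catch (RuntimeException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        DebugGuardDemo off = new DebugGuardDemo(null);
        DebugGuardDemo on = new DebugGuardDemo(System.err);
        String perm = "nonExistPermission"; // constructed sample value
        System.out.println("reported, debug off: " + outcome(() -> off.denyAsReported(perm)));
        System.out.println("reported, debug on:  " + outcome(() -> on.denyAsReported(perm)));
        System.out.println("guarded,  debug off: " + outcome(() -> off.denyGuarded(perm)));
        System.out.println("guarded,  debug on:  " + outcome(() -> on.denyGuarded(perm)));
    }
}
```

In this model, the reported form with `debug` null surfaces a NullPointerException in place of the SecurityException, so a caller's `catch (SecurityException)` never sees the denial; with `debug` set it throws SecurityException but skips the log line.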


