United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
Bug ID: JDK-8028215 ORB.init fails with SecurityException if properties select the JDK default ORB
JDK-8028215 : ORB.init fails with SecurityException if properties select the JDK default ORB

Details
Type:
Bug
Submit Date:
2013-11-12
Status:
Closed
Updated Date:
2013-12-20
Project Name:
JDK
Resolved Date:
2013-11-21
Component:
other-libs
OS:
Sub-Component:
corba
CPU:
Priority:
P2
Resolution:
Fixed
Affected Versions:
7u51,7u60,8
Fixed Versions:

Related Reports
Backport:
Backport:
Backport:
Backport:
Backport:
Backport:
Backport:
Relates:

Sub Tasks

Description
Consider the following test:

import org.omg.CORBA.ORB;
import java.util.Properties;

public class Test {
    public static void main(String[] args) {
	Properties props = new Properties();
	props.put("org.omg.CORBA.ORBClass",
                  "com.sun.corba.se.impl.orb.ORBImpl");
	props.put("org.omg.CORBA.ORBSingletonClass",
                  "com.sun.corba.se.impl.orb.ORBSingleton");
	ORB orb = ORB.init(args, props);
    }
}

Now run this with a security manager:

$ java -Djava.security.manager Test
Exception in thread "main" org.omg.CORBA.INITIALIZE: can't instantiate default ORB implementation com.sun.corba.se.impl.orb.ORBImpl  vmcid: 0x0  minor code: 0  completed: No
	at org.omg.CORBA.ORB.create_impl(ORB.java:306)
	at org.omg.CORBA.ORB.init(ORB.java:345)
	at Test2.main(Test2.java:11)
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.com.sun.corba.se.impl.orb")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:457)
	at java.security.AccessController.checkPermission(AccessController.java:884)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1571)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:305)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
	at java.lang.Class.forName0(Native Method)
	at java.lang.Class.forName(Class.java:340)
	at org.omg.CORBA.ORB.create_impl(ORB.java:304)
	... 2 more

This is new behavior, in shipping JDK releases then this would run without throwing a security exception.


                                    

Comments
The changes for JDK-8021257 did not take account of cases where ORB.init specifies properties that selects the default ORB. This needs to be special-cased to avoid requiring additional permissions.
                                     
2013-11-12
It is worth noting that the ORBSingleton property will have no effect in this scenario.
An alternative ORBSingleton can be specified via a system property
                                     
2013-11-12
Release team: Approved for fixing
                                     
2013-11-19
URL:   http://hg.openjdk.java.net/jdk8/tl/corba/rev/fe781b3badd6
User:  msheppar
Date:  2013-11-21 11:35:15 +0000

                                     
2013-11-21
URL:   http://hg.openjdk.java.net/jdk8/tl/jdk/rev/d5d4b9a63174
User:  msheppar
Date:  2013-11-21 11:38:53 +0000

                                     
2013-11-21
SQE ok-ed (PIT done)
                                     
2013-11-26
URL:   http://hg.openjdk.java.net/jdk8/jdk8/corba/rev/fe781b3badd6
User:  lana
Date:  2013-12-03 18:50:45 +0000

                                     
2013-12-03
URL:   http://hg.openjdk.java.net/jdk8/jdk8/jdk/rev/d5d4b9a63174
User:  lana
Date:  2013-12-03 19:10:36 +0000

                                     
2013-12-03



Hardware and Software, Engineered to Work Together