JDK-6648816 : REGRESSION: setting -Djava.security.debug=failure result in NPE in ACC
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6u4
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: solaris_2.5.1
  • CPU: sparc
  • Submitted: 2008-01-09
  • Updated: 2011-03-07
  • Resolved: 2011-03-07
Fixed in:
  • JDK 6: 6u10 (Fixed)
  • JDK 7: 7 b25 (Fixed)
  • Other: OpenJDK6 (Fixed)
Description
1) Write a simple negative (junit) test that uses AccessController.checkPermission

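    public void testACCNeg() {
        try {
            // No policy grants this permission, so the check must be denied.
            AccessController.checkPermission(new TestPermission("nonExistPermission"));
            fail("Authorization check should have failed");
        } catch (SecurityException se) {
            // expected: the denial surfaces as a SecurityException
        }
    }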

2) Run this test with -Djava.security.debug=failure, and you will see output similar to the following:

     [java] TestCase: testACCNeg
     [java] ERROR Message: java.lang.NullPointerException
     [java]     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:311)
     [java]     at java.security.AccessController.checkPermission(AccessController.java:546)

3) Here is the offending code in AccessController.java:

		    if (!dumpDebug) {
			debug.println("access denied " + perm);
		    }

The conditional is incorrect and the field debug is null -- hence the NPE. The "!" should be removed.

Release Regression From : 6u3
The above release value was the last known release where this 
bug was not reproducible. Since then there has been a regression.

Release Regression From : 6
The above release value was the last known release where this 
bug was not reproducible. Since then there has been a regression.

Comments
WORK AROUND If a user wants the 'failure' debug message, they have to enable the security manager. As a workaround, "-Djava.security.manager -Djava.security.debug=access,failure" are the expected definitions.
15-02-2008

WORK AROUND Actually the customer states, they used "access,failure" when they ran into the NPE.
14-01-2008

WORK AROUND Just like the "stack" and "domain" debug options, "failure" only works as a sub-option of "access". If one wants to enable the "failure" option, please use -Djava.security.debug=access,failure.
10-01-2008

EVALUATION AccessControlContext.checkPermission(Permission) does not check the 'debug' instance.
10-01-2008

WORK AROUND The only workaround is to NOT set -Djava.security.debug=failure, which is really not a workaround and is considered a very severe restriction considering the limited debug logging facility available in JVM.
09-01-2008
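
The guard quoted in the description and the missing null check named in the evaluation, side by side in a simplified model. This is an added example, not the JDK source or the fix that shipped; DebugGuardDemo, DebugLog, denyBuggy, denyFixed and outcome are hypothetical names, and tying dumpDebug to the presence of the logger is an assumption.

```java
/** Simplified model of the guard quoted in this report; not the JDK source. */
public class DebugGuardDemo {
    /** Hypothetical stand-in for the JDK's internal debug logger. */
    static final class DebugLog {
        final StringBuilder out = new StringBuilder();
        void println(String msg) { out.append(msg).append('\n'); }
    }

    /** Guard as quoted in the report: logs exactly when no dump was requested. */
    static void denyBuggy(DebugLog debug, boolean dumpDebug, String perm) {
        if (!dumpDebug) {
            debug.println("access denied " + perm); // NPE when debug == null
        }
        throw new SecurityException("access denied " + perm);
    }

    /** The "!" removed, plus an explicit null check on the logger. */
    static void denyFixed(DebugLog debug, boolean dumpDebug, String perm) {
        if (dumpDebug && debug != null) {
            debug.println("access denied " + perm);
        }
        throw new SecurityException("access denied " + perm);
    }

    /** Runs one denial; reports the exception type and whether it was logged. */
    static String outcome(boolean loggerPresent, boolean fixed) {
        DebugLog debug = loggerPresent ? new DebugLog() : null;
        boolean dumpDebug = loggerPresent; // assumption: a dump is only requested when a logger exists
        String thrown;
        try {
            if (fixed) denyFixed(debug, dumpDebug, "nonExistPermission");
            else denyBuggy(debug, dumpDebug, "nonExistPermission");
            thrown = "none";
        } catch (SecurityException | NullPointerException e) {
            thrown = e.getClass().getSimpleName();
        }
        boolean logged = debug != null && debug.out.length() > 0;
        return thrown + (logged ? " (denial logged)" : " (nothing logged)");
    }

    public static void main(String[] args) {
        for (boolean present : new boolean[] {false, true}) {
            System.out.println("logger present=" + present
                + " | buggy: " + outcome(present, false)
                + " | fixed: " + outcome(present, true));
        }
    }
}
```

In this model the inverted guard fails in both states: without a logger the denial surfaces as a NullPointerException instead of a SecurityException, and with a logger the denial message is silently dropped.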