JDK-8033924 : Default permissions are not given for eval code
  • Type: Bug
  • Component: core-libs
  • Sub-Component: jdk.nashorn
  • Affected Version: 9
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2014-02-07
  • Updated: 2014-07-29
  • Resolved: 2014-02-07
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
8u20Fixed 9 b04Fixed
When javax.script API is used to evaluate a (string) script, the script does not get the default permissions given to any code. The same is true when "jjs" is run in interactive mode under security manager.


import javax.script.*;

public class Main {
  public static void main(String[] ar) throws ScriptException {
     ScriptEngineManager m = new ScriptEngineManager();
     ScriptEngine e = m.getEngineByName("nashorn");


results in security exception (it should not). Another example:

jjs -J-Djava.security.manager
jjs> java.lang.System.getProperty("java.version")
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.version" "read")