JDK-8043296 : De-privilege DNS name service provider
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 9
  • Priority: P3
  • Status: Resolved
  • Resolution: Not an Issue
  • Submitted: 2014-05-16
  • Updated: 2016-05-20
  • Resolved: 2016-05-20
Related Reports
Relates :  
Relates :  
DNS name service provider is installed in the extension directory and currently granted with AllPermission.   A service provider implementation should need SocketPermission and not need AllPermission.

The prototype to change the permissions for dnsns.jar uncovers a circular problem in networking security when performing a security check, SocketPermission will first resolve a name to get the IP address.  When there is a DNS nameservice provider not with AllPermission, checking the SocketPermission will iterate each name service provider to get address (in this case it's the DNSNameService) that triggers another socket permission check. When it used to have AllPermission, the socket permission check was fast-path and I think it's the first time running into this problem when we change the permissions for dnsns.jar.

This is to follow up to evaluate the permissions required by DNS name service provider.
this should not be an issue now ... it's been removed

JDK-8134577 removed the JNDI DNS NameService provider. In fact, the NameService service type has also been removed. Is this issue still relevant, or can it be closed out?

This issue is in open status, but still unassigned. Could you specify an assignee?