JDK-8213889 : URLPermission with query or fragment behaves incorrectly
  • Type: CSR
  • Component: core-libs
  • Sub-Component: java.net
  • Priority: P4
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 12
  • Submitted: 2018-11-14
  • Updated: 2018-11-14
  • Resolved: 2018-11-14
Related Reports
CSR :  
Description
Summary
-------

Spec clarification for URLPermission in the case where an instance is created with a query and/or fragment in the url string.

Problem
-------

java.net.URLPermission is specified to accept only the scheme, authority and path components of given URLs. The intent (and wording of the spec) was that other components would be ignored. However, the implementation is not currently ignoring it, which is a bug. As part of fixing the bug we would like to tighten up the spec to specify the components that we are ignoring, to distinguish them from URLs that are invalid.

Solution
--------

A small change to the class docs for URLPermission.

Specification
-------------

Change the following in the class level apidoc for java.net.URLPermission.

    diff -r 04d7e790aa2e src/java.base/share/classes/java/net/URLPermission.java
    --- a/src/java.base/share/classes/java/net/URLPermission.java   Fri Nov 09 10:38:07 2018 +0100
    +++ b/src/java.base/share/classes/java/net/URLPermission.java   Tue Nov 13 16:28:06 2018 +0000
    @@ -41,7 +41,7 @@
      * <p><b>The url</b><p>
      * The url string has the following expected structure.
      * <pre>
    - *     scheme : // authority [ / path ]
    + *     scheme : // authority [ / path ] [ ignored-query-or-fragment ]
      * </pre>
      * <i>scheme</i> will typically be http or https, but is not restricted by this
      * class.
    @@ -108,6 +108,16 @@
      * {@link #hashCode()} and {@link #implies(Permission)} are case insensitive with respect
      * to these components. If the <i>authority</i> contains a literal IP address,
      * then the address is normalized for comparison. The path component is case sensitive.
    + * <p>
    + * <i>ignored-query-or-fragment</i> refers to any query or fragment which appears after the
    + * path component, and which is ignored by the constructors of this class. It is defined as:
    + * <pre>
    + *     ignored-query-or-fragment = [ ? query ] [ # fragment ]
    + * </pre>
    + * where <i>query</i> and <i>fragment</i> are as defined in
    + * <a href="http://www.ietf.org/rfc/rfc2296.txt">RFC2396</a>. {@link #getName()} therefore returns
    + * only the <i>scheme</i>, <i>authority</i> and <i>path</i> components of the url string that
    + * the permission was created with.
      * <p><b>The actions string</b><p>
      * The actions string of a URLPermission is a concatenation of the <i>method list</i>
      * and the <i>request headers list</i>. These are lists of the permitted request

Comments
Approved contingent on a release note being created to document the behavioral change.
14-11-2018