JDK-4993819 : standard extensions path is hard-coded in default system policy file
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 5.0
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: solaris_8
  • CPU: sparc
  • Submitted: 2004-02-12
  • Updated: 2017-05-16
  • Resolved: 2004-04-12
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
Other
5.0 beta2Fixed
Related Reports
Relates :  
JDK-4215035 - standard extensions path is hard-coded in default system policy file
Relates :  
JDK-4989260 - Java Upgrade: System wide repository for JARs and native libraries on windows
Description
The default system policy file (in jre/lib/security/java.policy)
grants all permissions to standard extensions, as follows:

grant codeBase "file:${java.home}/lib/ext/*" {
        permission java.security.AllPermission;
};

This uses a hardcoded path to the extensions directory, but the user can change
the extensions directory by setting the "java.ext.dirs" system property.
When the user does that, the grant statement in the default policy is useless.

In 1.4, 4215035 was filed and this same problem was partially fixed.
The policy code was modified to accept ${java.ext.dirs} and treat it
appropriately. However, ${java.ext.dirs} is confusing because that's
the syntax of expanding any system property in place. ${java.ext.dirs}
can be used to indicate a list of directories.  Also, the default policy
file was not changed.


The proposal is to define a new policy file general expansion protocol for "java.ext.dirs"
that has rules for how the protocol is to be treated. Also, update
the default policy file itself to use this new grant statement.

grant codebase "file:${{java.ext.dirs}}/*" {
	permission java.security.AllPermission;
};

This will help plug-in support system-wide repositories in their migration
from MSVM without making any special policy/security changes. See discussion
in Comments section.
Comments
CONVERTED DATA BugTraq+ Release Management Values COMMIT TO FIX: tiger-beta2 FIXED IN: tiger-beta2 INTEGRATED IN: tiger-beta2
14-06-2004
SUGGESTED FIX Define a new protocol for "general expansion" in the Policy File syntax, called "java.ext.dirs", that denotes the list of file directories obtained by expanding the "java.ext.dirs" System property. It can be used only when specifying codebases in the grant statements. General expansions are specified using double curly braces, as defined in the Policy File Syntax specification. The "grant" statement in the default policy file will then be changed to: grant codeBase "file:${{java.ext.dirs}}/*" { permission java.security.AllPermission; }; The effect of using this protocol is that it creates grant statements for each codebase generated by expanding the java.ext.dirs system property and using it in place of expansion. For example, if java.ext.dirs=/tmp/ExtDirsA:/tmp/ExtDirsB, the above grant statement will expand to grant codeBase "file:/tmp/ExtDirsA/*" { permission java.security.AllPermission; }; grant codeBase "file:/tmp/ExtDirsB/*" { permission java.security.AllPermission; }; If the codebase does not contain a prefix prior to ${{java.ext.dirs}}, it will default to "file:". If the codebase does not contain a suffix, it will default to "/*". In addition, the Extensions Mechanism Architecture specification should be clarified. Currently, it is inconsistent. In one place, it says that extensions installed in the standard directory are trusted while in another place, it says that all installed extensions are trusted.
11-06-2004
EVALUATION Fix as suggested. ###@###.### 2004-02-12
12-02-2004