JDK-8028215 : ORB.init fails with SecurityException if properties select the JDK default ORB
  • Type: Bug
  • Component: other-libs
  • Sub-Component: corba
  • Affected Version: 7u51,7u60,8
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2013-11-12
  • Updated: 2014-02-12
  • Resolved: 2013-11-21
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
Other Other JDK 6 JDK 7 JDK 8
5.0u61Fixed 5.0u65Fixed 6u71Fixed 7u51Fixed 8 b119Fixed
Related Reports
Relates :  
Description
Consider the following test:

import org.omg.CORBA.ORB;
import java.util.Properties;

public class Test {
    public static void main(String[] args) {
	Properties props = new Properties();
	props.put("org.omg.CORBA.ORBClass",
                  "com.sun.corba.se.impl.orb.ORBImpl");
	props.put("org.omg.CORBA.ORBSingletonClass",
                  "com.sun.corba.se.impl.orb.ORBSingleton");
	ORB orb = ORB.init(args, props);
    }
}

Now run this with a security manager:

$ java -Djava.security.manager Test
Exception in thread "main" org.omg.CORBA.INITIALIZE: can't instantiate default ORB implementation com.sun.corba.se.impl.orb.ORBImpl  vmcid: 0x0  minor code: 0  completed: No
	at org.omg.CORBA.ORB.create_impl(ORB.java:306)
	at org.omg.CORBA.ORB.init(ORB.java:345)
	at Test2.main(Test2.java:11)
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.com.sun.corba.se.impl.orb")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:457)
	at java.security.AccessController.checkPermission(AccessController.java:884)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1571)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:305)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
	at java.lang.Class.forName0(Native Method)
	at java.lang.Class.forName(Class.java:340)
	at org.omg.CORBA.ORB.create_impl(ORB.java:304)
	... 2 more

This is new behavior, in shipping JDK releases then this would run without throwing a security exception.


Comments
SQE ok-ed (PIT done)
26-11-2013

Release team: Approved for fixing
19-11-2013

It is worth noting that the ORBSingleton property will have no effect in this scenario. An alternative ORBSingleton can be specified via a system property
12-11-2013

The changes for JDK-8021257 did not take account of cases where ORB.init specifies properties that selects the default ORB. This needs to be special-cased to avoid requiring additional permissions.
12-11-2013