changeset 30790:f81f9725a1c6

8065233: Remove Policy provider code that synchronizes on identityPolicyEntries List Reviewed-by: weijun
author mullan
date Sun, 24 May 2015 08:54:38 -0400
parents 9eca83469588
children 425c19d93347
files jdk/src/java.base/share/classes/sun/security/provider/PolicyFile.java jdk/src/java.base/share/conf/security/java.security
diffstat 2 files changed, 4 insertions(+), 48 deletions(-) [+]
line wrap: on
line diff
--- a/jdk/src/java.base/share/classes/sun/security/provider/PolicyFile.java	Fri May 22 16:43:39 2015 -0700
+++ b/jdk/src/java.base/share/classes/sun/security/provider/PolicyFile.java	Sun May 24 08:54:38 2015 -0400
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -278,7 +278,6 @@
     private boolean constructed = false;
 
     private boolean expandProperties = true;
-    private boolean ignoreIdentityScope = true;
     private boolean allowSystemProperties = true;
     private boolean notUtf8 = false;
     private URL url;
@@ -415,8 +414,6 @@
             public String run() {
                 expandProperties = "true".equalsIgnoreCase
                     (Security.getProperty("policy.expandProperties"));
-                ignoreIdentityScope = "true".equalsIgnoreCase
-                    (Security.getProperty("policy.ignoreIdentityScope"));
                 allowSystemProperties = "true".equalsIgnoreCase
                     (Security.getProperty("policy.allowSystemProperty"));
                 notUtf8 = "false".equalsIgnoreCase
@@ -1206,31 +1203,6 @@
             addPermissions(perms, cs, principals, entry);
         }
 
-        // Go through policyEntries gotten from identity db; sync required
-        // because checkForTrustedIdentity (below) might update list
-        synchronized (pi.identityPolicyEntries) {
-            for (PolicyEntry entry : pi.identityPolicyEntries) {
-                addPermissions(perms, cs, principals, entry);
-            }
-        }
-
-        // now see if any of the keys are trusted ids.
-        if (!ignoreIdentityScope) {
-            Certificate certs[] = cs.getCertificates();
-            if (certs != null) {
-                for (int k=0; k < certs.length; k++) {
-                    Object idMap = pi.aliasMapping.get(certs[k]);
-                    if (idMap == null &&
-                        checkForTrustedIdentity(certs[k], pi)) {
-                        // checkForTrustedIdentity added it
-                        // to the policy for us. next time
-                        // around we'll find it. This time
-                        // around we need to add it.
-                        perms.add(SecurityConstants.ALL_PERMISSION);
-                    }
-                }
-            }
-        }
         return perms;
     }
 
@@ -1620,7 +1592,7 @@
      * associated with the given code source.
      *
      * The signer certificates are those certificates that were used
-     * to verifysigned code originating from the codesource location.
+     * to verify signed code originating from the codesource location.
      *
      * This method assumes that in the given code source, each signer
      * certificate is followed by its supporting certificate chain
@@ -1917,17 +1889,6 @@
     }
 
     /**
-     * Checks public key. If it is marked as trusted in
-     * the identity database, add it to the policy
-     * with the AllPermission.
-     */
-    private boolean checkForTrustedIdentity(final Certificate cert,
-        PolicyInfo myInfo)
-    {
-        return false;
-    }
-
-    /**
      * Each entry in the policy configuration file is represented by a
      * PolicyEntry object.  <p>
      *
@@ -2282,10 +2243,6 @@
         // Stores grant entries in the policy
         final List<PolicyEntry> policyEntries;
 
-        // Stores grant entries gotten from identity database
-        // Use separate lists to avoid sync on policyEntries
-        final List<PolicyEntry> identityPolicyEntries;
-
         // Maps aliases to certs
         final Map<Object, Object> aliasMapping;
 
@@ -2295,8 +2252,6 @@
 
         PolicyInfo(int numCaches) {
             policyEntries = new ArrayList<>();
-            identityPolicyEntries =
-                Collections.synchronizedList(new ArrayList<PolicyEntry>(2));
             aliasMapping = Collections.synchronizedMap(new HashMap<>(11));
 
             pdMapping = new ProtectionDomainCache[numCaches];
--- a/jdk/src/java.base/share/conf/security/java.security	Fri May 22 16:43:39 2015 -0700
+++ b/jdk/src/java.base/share/conf/security/java.security	Sun May 24 08:54:38 2015 -0400
@@ -179,7 +179,8 @@
 
 # whether or not we look into the IdentityScope for trusted Identities
 # when encountering a 1.1 signed JAR file. If the identity is found
-# and is trusted, we grant it AllPermission.
+# and is trusted, we grant it AllPermission. Note: the default policy
+# provider (sun.security.provider.PolicyFile) does not support this property.
 policy.ignoreIdentityScope=false
 
 #