changeset 58559:12c874ae6810

8235459: HttpRequest.BodyPublishers::ofFile assumes the default file system Summary: Add support for non-default file systems to HttpRequest.BodyPublishers::ofFile Reviewed-by: chegar, dfuchs, amlu
author jboes
date Thu, 26 Mar 2020 11:52:15 +0000
parents 51acdbbcfea3
children c69cdcdb8a88
files src/java.net.http/share/classes/java/net/http/HttpRequest.java src/java.net.http/share/classes/jdk/internal/net/http/RequestPublishers.java test/jdk/java/net/httpclient/FilePublisher/FilePublisherPermsTest.java test/jdk/java/net/httpclient/FilePublisher/FilePublisherPermsTest1.policy test/jdk/java/net/httpclient/FilePublisher/FilePublisherPermsTest2.policy test/jdk/java/net/httpclient/FilePublisher/FilePublisherPermsTest3.policy test/jdk/java/net/httpclient/FilePublisher/FilePublisherTest.java test/jdk/java/net/httpclient/FilePublisher/FilePublisherTest.policy test/jdk/java/net/httpclient/FilePublisher/SecureZipFSProvider.java
diffstat 9 files changed, 1488 insertions(+), 47 deletions(-) [+]
line wrap: on
line diff
--- a/src/java.net.http/share/classes/java/net/http/HttpRequest.java	Thu Mar 26 03:15:02 2020 +0100
+++ b/src/java.net.http/share/classes/java/net/http/HttpRequest.java	Thu Mar 26 11:52:15 2020 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -31,6 +31,8 @@
 import java.nio.ByteBuffer;
 import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.OpenOption;
 import java.nio.file.Path;
 import java.time.Duration;
 import java.util.Iterator;
@@ -614,12 +616,16 @@
          * method, when the {@code BodyPublisher} is created. Care must be taken
          * that the {@code BodyPublisher} is not shared with untrusted code.
          *
-         * @param path the path to the file containing the body
+         * @param  path the path to the file containing the body
          * @return a BodyPublisher
          * @throws java.io.FileNotFoundException if the path is not found
-         * @throws SecurityException if a security manager has been installed
-         *          and it denies {@link SecurityManager#checkRead(String)
-         *          read access} to the given file
+         * @throws SecurityException if
+         *         {@linkplain Files#newInputStream(Path, OpenOption...)
+         *         opening the file for reading} is denied:
+         *         in the case of the system-default file system provider,
+         *         and a security manager is installed,
+         *         {@link SecurityManager#checkRead(String) checkRead}
+         *         is invoked to check read access to the given file
          */
         public static BodyPublisher ofFile(Path path) throws FileNotFoundException {
             Objects.requireNonNull(path);
--- a/src/java.net.http/share/classes/jdk/internal/net/http/RequestPublishers.java	Thu Mar 26 03:15:02 2020 +0100
+++ b/src/java.net.http/share/classes/jdk/internal/net/http/RequestPublishers.java	Thu Mar 26 11:52:15 2020 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,20 +25,20 @@
 
 package jdk.internal.net.http;
 
-import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FilePermission;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.UncheckedIOException;
+import java.lang.reflect.UndeclaredThrowableException;
 import java.nio.ByteBuffer;
 import java.nio.charset.Charset;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.AccessControlContext;
 import java.security.AccessController;
-import java.security.PrivilegedAction;
+import java.security.Permission;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
@@ -50,6 +50,7 @@
 import java.util.concurrent.ConcurrentLinkedQueue;
 import java.util.concurrent.Flow;
 import java.util.concurrent.Flow.Publisher;
+import java.util.function.Function;
 import java.util.function.Supplier;
 import java.net.http.HttpRequest.BodyPublisher;
 import jdk.internal.net.http.common.Utils;
@@ -220,17 +221,17 @@
 
     /**
      * Publishes the content of a given file.
-     *
+     * <p>
      * Privileged actions are performed within a limited doPrivileged that only
      * asserts the specific, read, file permission that was checked during the
-     * construction of this FilePublisher.
+     * construction of this FilePublisher. This only applies if the file system
+     * that created the file provides interoperability with {@code java.io.File}.
      */
-    public static class FilePublisher implements BodyPublisher  {
+    public static class FilePublisher implements BodyPublisher {
 
-        private static final FilePermission[] EMPTY_FILE_PERMISSIONS = new FilePermission[0];
-
-        private final File file;
-        private final FilePermission[] filePermissions;
+        private final Path path;
+        private final long length;
+        private final Function<Path, InputStream> inputStreamSupplier;
 
         private static String pathForSecurityCheck(Path path) {
             return path.toFile().getPath();
@@ -243,48 +244,112 @@
          * FilePublisher. Permission checking and construction are deliberately
          * and tightly co-located.
          */
-        public static FilePublisher create(Path path) throws FileNotFoundException {
+        public static FilePublisher create(Path path)
+                throws FileNotFoundException {
+            SecurityManager sm = System.getSecurityManager();
             FilePermission filePermission = null;
-            SecurityManager sm = System.getSecurityManager();
-            if (sm != null) {
+            boolean defaultFS = true;
+
+            try {
                 String fn = pathForSecurityCheck(path);
-                FilePermission readPermission = new FilePermission(fn, "read");
-                sm.checkPermission(readPermission);
-                filePermission = readPermission;
+                if (sm != null) {
+                    FilePermission readPermission = new FilePermission(fn, "read");
+                    sm.checkPermission(readPermission);
+                    filePermission = readPermission;
+                }
+            } catch (UnsupportedOperationException uoe) {
+                defaultFS = false;
+                // Path not associated with the default file system
+                // Test early if an input stream can still be obtained
+                try {
+                    if (sm != null) {
+                        Files.newInputStream(path).close();
+                    }
+                } catch (IOException ioe) {
+                    if (ioe instanceof FileNotFoundException) {
+                        throw (FileNotFoundException) ioe;
+                    } else {
+                        var ex = new FileNotFoundException(ioe.getMessage());
+                        ex.initCause(ioe);
+                        throw ex;
+                    }
+                }
             }
 
             // existence check must be after permission checks
             if (Files.notExists(path))
                 throw new FileNotFoundException(path + " not found");
 
-            return new FilePublisher(path, filePermission);
+            Permission perm = filePermission;
+            assert perm == null || perm.getActions().equals("read");
+            AccessControlContext acc = sm != null ?
+                    AccessController.getContext() : null;
+            boolean finalDefaultFS = defaultFS;
+            Function<Path, InputStream> inputStreamSupplier = (p) ->
+                    createInputStream(p, acc, perm, finalDefaultFS);
+
+            long length;
+            try {
+                length = Files.size(path);
+            } catch (IOException ioe) {
+                length = -1;
+            }
+
+            return new FilePublisher(path, length, inputStreamSupplier);
         }
 
-        private FilePublisher(Path name, FilePermission filePermission) {
-            assert filePermission != null ? filePermission.getActions().equals("read") : true;
-            file = name.toFile();
-            this.filePermissions = filePermission == null ? EMPTY_FILE_PERMISSIONS
-                    : new FilePermission[] { filePermission };
+        private static InputStream createInputStream(Path path,
+                                                     AccessControlContext acc,
+                                                     Permission perm,
+                                                     boolean defaultFS) {
+            try {
+                if (acc != null) {
+                    PrivilegedExceptionAction<InputStream> pa = defaultFS
+                            ? () -> new FileInputStream(path.toFile())
+                            : () -> Files.newInputStream(path);
+                    return perm != null
+                            ? AccessController.doPrivileged(pa, acc, perm)
+                            : AccessController.doPrivileged(pa, acc);
+                } else {
+                    return defaultFS
+                            ? new FileInputStream(path.toFile())
+                            : Files.newInputStream(path);
+                }
+            } catch (PrivilegedActionException pae) {
+                throw toUncheckedException(pae.getCause());
+            } catch (IOException io) {
+                throw new UncheckedIOException(io);
+            }
+        }
+
+        private static RuntimeException toUncheckedException(Throwable t) {
+            if (t instanceof RuntimeException)
+                throw (RuntimeException) t;
+            if (t instanceof Error)
+                throw (Error) t;
+            if (t instanceof IOException)
+                throw new UncheckedIOException((IOException) t);
+            throw new UndeclaredThrowableException(t);
+        }
+
+        private FilePublisher(Path name,
+                              long length,
+                              Function<Path, InputStream> inputStreamSupplier) {
+            path = name;
+            this.length = length;
+            this.inputStreamSupplier = inputStreamSupplier;
         }
 
         @Override
         public void subscribe(Flow.Subscriber<? super ByteBuffer> subscriber) {
             InputStream is = null;
             Throwable t = null;
-            if (System.getSecurityManager() == null) {
-                try {
-                    is = new FileInputStream(file);
-                } catch (IOException ioe) {
-                    t = ioe;
-                }
-            } else {
-                try {
-                    PrivilegedExceptionAction<FileInputStream> pa =
-                            () -> new FileInputStream(file);
-                    is = AccessController.doPrivileged(pa, null, filePermissions);
-                } catch (PrivilegedActionException pae) {
-                    t = pae.getCause();
-                }
+            try {
+                is = inputStreamSupplier.apply(path);
+            } catch (UncheckedIOException | UndeclaredThrowableException ue) {
+                t = ue.getCause();
+            } catch (Throwable th) {
+                t = th;
             }
             final InputStream fis = is;
             PullPublisher<ByteBuffer> publisher;
@@ -298,12 +363,7 @@
 
         @Override
         public long contentLength() {
-            if (System.getSecurityManager() == null) {
-                return file.length();
-            } else {
-                PrivilegedAction<Long> pa = () -> file.length();
-                return AccessController.doPrivileged(pa, null, filePermissions);
-            }
+            return length;
         }
     }
 
@@ -313,6 +373,7 @@
     public static class StreamIterator implements Iterator<ByteBuffer> {
         final InputStream is;
         final Supplier<? extends ByteBuffer> bufSupplier;
+        private volatile boolean eof;
         volatile ByteBuffer nextBuffer;
         volatile boolean need2Read = true;
         volatile boolean haveNext;
@@ -331,6 +392,8 @@
 //        }
 
         private int read() {
+            if (eof)
+                return -1;
             nextBuffer = bufSupplier.get();
             nextBuffer.clear();
             byte[] buf = nextBuffer.array();
@@ -339,6 +402,7 @@
             try {
                 int n = is.read(buf, offset, cap);
                 if (n == -1) {
+                    eof = true;
                     is.close();
                     return -1;
                 }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/java/net/httpclient/FilePublisher/FilePublisherPermsTest.java	Thu Mar 26 11:52:15 2020 +0000
@@ -0,0 +1,357 @@
+/*
+ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8235459
+ * @summary Confirm that HttpRequest.BodyPublishers#ofFile(Path)
+ *          works with changing permissions
+ *          policy 1: no custom permission
+ *          policy 2: custom permission for test classes
+ *          policy 3: custom permission for test classes and httpclient
+ * @modules java.base/sun.net.www.http
+ *          java.net.http/jdk.internal.net.http.common
+ *          java.net.http/jdk.internal.net.http.frame
+ *          java.net.http/jdk.internal.net.http.hpack
+ *          jdk.httpserver
+ * @library /test/lib ../http2/server
+ * @compile ../HttpServerAdapters.java
+ * @build jdk.test.lib.net.SimpleSSLContext SecureZipFSProvider
+ * @run testng/othervm/policy=FilePublisherPermsTest1.policy FilePublisherPermsTest
+ * @run testng/othervm/policy=FilePublisherPermsTest2.policy FilePublisherPermsTest
+ * @run testng/othervm/policy=FilePublisherPermsTest3.policy FilePublisherPermsTest
+ */
+
+import com.sun.net.httpserver.HttpServer;
+import com.sun.net.httpserver.HttpsConfigurator;
+import com.sun.net.httpserver.HttpsServer;
+import jdk.test.lib.net.SimpleSSLContext;
+import org.testng.annotations.AfterTest;
+import org.testng.annotations.BeforeTest;
+import org.testng.annotations.DataProvider;
+import org.testng.annotations.Test;
+
+import javax.net.ssl.SSLContext;
+import java.io.FileNotFoundException;
+import java.io.FilePermission;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpRequest.BodyPublisher;
+import java.net.http.HttpRequest.BodyPublishers;
+import java.net.http.HttpResponse;
+import java.nio.file.FileSystem;
+import java.nio.file.FileSystems;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.*;
+import java.util.Map;
+
+import static java.lang.System.out;
+import static java.net.http.HttpClient.Builder.NO_PROXY;
+import static org.testng.Assert.assertEquals;
+import static org.testng.Assert.fail;
+
+public class FilePublisherPermsTest implements HttpServerAdapters {
+
+    SSLContext sslContext;
+    HttpServerAdapters.HttpTestServer httpTestServer;    // HTTP/1.1      [ 4 servers ]
+    HttpServerAdapters.HttpTestServer httpsTestServer;   // HTTPS/1.1
+    HttpServerAdapters.HttpTestServer http2TestServer;   // HTTP/2 ( h2c )
+    HttpServerAdapters.HttpTestServer https2TestServer;  // HTTP/2 ( h2  )
+    String httpURI;
+    String httpsURI;
+    String http2URI;
+    String https2URI;
+
+    FileSystem zipFs;
+    static Path zipFsPath;
+    static Path defaultFsPath;
+
+    String policyFile;
+
+    // Default file system set up
+    static final String DEFAULT_FS_MSG = "default fs";
+
+    private Path defaultFsFile() throws Exception {
+        var file = Path.of("defaultFile.txt");
+        if (Files.notExists(file)) {
+            Files.createFile(file);
+            Files.writeString(file, DEFAULT_FS_MSG);
+        }
+        assertEquals(Files.readString(file), DEFAULT_FS_MSG);
+        return file;
+    }
+
+    @DataProvider(name = "defaultFsData")
+    public Object[][] defaultFsData() {
+        return new Object[][]{
+                { httpURI,   defaultFsPath },
+                { httpsURI,  defaultFsPath },
+                { http2URI,  defaultFsPath },
+                { https2URI, defaultFsPath },
+                { httpURI,   defaultFsPath },
+                { httpsURI,  defaultFsPath },
+                { http2URI,  defaultFsPath },
+                { https2URI, defaultFsPath },
+        };
+    }
+
+    @Test(dataProvider = "defaultFsData")
+    public void testDefaultFs(String uriString, Path path)
+            throws Exception {
+        out.printf("\n\n--- testDefaultFs(%s, %s): starting\n",
+                uriString, path);
+
+        if (System.getSecurityManager() != null) {
+            changePerms(path.toString(), "read,write,delete");
+            // Should not throw
+            BodyPublisher bodyPublisher = BodyPublishers.ofFile(path);
+            // Restrict permissions
+            changePerms(path.toString(), "delete");
+            try {
+                BodyPublishers.ofFile(path);
+                fail();
+            } catch (SecurityException e) {
+                out.println("Caught expected: " + e);
+            }
+            try {
+                send(uriString, bodyPublisher);
+                fail();
+            } catch (SecurityException e) {
+                out.println("Caught expected: " + e);
+            }
+        }
+    }
+
+    // Zip File system set up
+    static final String ZIP_FS_MSG = "zip fs";
+
+    static FileSystem newZipFs(Path zipFile) throws Exception {
+        return FileSystems.newFileSystem(zipFile, Map.of("create", "true"));
+    }
+
+    static FileSystem newSecureZipFs(Path zipFile) throws Exception {
+        FileSystem fs = newZipFs(zipFile);
+        return new SecureZipFSProvider(fs.provider()).newFileSystem(fs);
+    }
+
+    static Path zipFsFile(FileSystem fs) throws Exception {
+        var file = fs.getPath("fileInZip.txt");
+        if (Files.notExists(file)) {
+            Files.createFile(file);
+            Files.writeString(file, ZIP_FS_MSG);
+        }
+        assertEquals(Files.readString(file), ZIP_FS_MSG);
+        return file;
+    }
+
+    @DataProvider(name = "zipFsData")
+    public Object[][] zipFsData() {
+        return new Object[][]{
+                { httpURI,   zipFsPath },
+                { httpsURI,  zipFsPath },
+                { http2URI,  zipFsPath },
+                { https2URI, zipFsPath },
+                { httpURI,   zipFsPath },
+                { httpsURI,  zipFsPath },
+                { http2URI,  zipFsPath },
+                { https2URI, zipFsPath },
+        };
+    }
+
+    @Test(dataProvider = "zipFsData")
+    public void testZipFs(String uriString, Path path) throws Exception {
+        out.printf("\n\n--- testZipFsCustomPerm(%s, %s): starting\n", uriString, path);
+        if (System.getSecurityManager() != null) {
+            changePerms(path.toString(), "read,write,delete");
+
+            // Custom permission not sufficiently granted, expected to fail
+            if (!policyFile.contains("FilePublisherPermsTest3")) {
+                try {
+                    BodyPublishers.ofFile(path);
+                    fail();
+                } catch (SecurityException e) {
+                    out.println("Caught expected: " + e);
+                    return;
+                }
+            } else {
+                BodyPublisher bodyPublisher = BodyPublishers.ofFile(path);
+                send(uriString, bodyPublisher);
+                // Restrict permissions
+                changePerms(path.toString(), "delete");
+                try {
+                    BodyPublishers.ofFile(path);
+                    fail();
+                } catch (SecurityException e) {
+                    out.println("Caught expected: " + e);
+                }
+                try {
+                    send(uriString, bodyPublisher);
+                    fail();
+                } catch (SecurityException e) {
+                    out.println("Caught expected: " + e);
+                }
+            }
+        }
+    }
+
+    @Test
+    public void testFileNotFound() throws Exception {
+        out.printf("\n\n--- testFileNotFound(): starting\n");
+        var zipPath = Path.of("fileNotFound.zip");
+        changePerms(zipPath.toString(), "read,write,delete");
+        try (FileSystem fs = newZipFs(zipPath)) {
+            Path fileInZip = zipFsFile(fs);
+            Files.deleteIfExists(fileInZip);
+            BodyPublishers.ofFile(fileInZip);
+            fail();
+        } catch (FileNotFoundException e) {
+            out.println("Caught expected: " + e);
+        }
+        var path = Path.of("fileNotFound.txt");
+        changePerms(path.toString(), "read,write,delete");
+        try {
+            Files.deleteIfExists(path);
+            BodyPublishers.ofFile(path);
+            fail();
+        } catch (FileNotFoundException e) {
+            out.println("Caught expected: " + e);
+        }
+    }
+
+    private void send(String uriString, BodyPublisher bodyPublisher)
+        throws Exception {
+        HttpClient client = HttpClient.newBuilder()
+                        .proxy(NO_PROXY)
+                        .sslContext(sslContext)
+                        .build();
+        var req = HttpRequest.newBuilder(URI.create(uriString))
+                .POST(bodyPublisher)
+                .build();
+        client.send(req, HttpResponse.BodyHandlers.discarding());
+    }
+
+    private void changePerms(String path, String actions) {
+        Policy.setPolicy(new CustomPolicy(
+                new FilePermission(path, actions)
+        ));
+    }
+
+    static class CustomPolicy extends Policy {
+        static final Policy DEFAULT_POLICY = Policy.getPolicy();
+        final PermissionCollection perms = new Permissions();
+
+        CustomPolicy(Permission... permissions) {
+            java.util.Arrays.stream(permissions).forEach(perms::add);
+        }
+
+        public PermissionCollection getPermissions(ProtectionDomain domain) {
+            return perms;
+        }
+
+        public PermissionCollection getPermissions(CodeSource codesource) {
+            return perms;
+        }
+
+        public boolean implies(ProtectionDomain domain, Permission perm) {
+            // Ignore any existing permissions for test files
+            return perm.getName().equals(defaultFsPath.toString())
+                    || perm.getName().equals(zipFsPath.toString())
+                    ? perms.implies(perm)
+                    : perms.implies(perm) || DEFAULT_POLICY.implies(domain, perm);
+        }
+    }
+
+    static class HttpEchoHandler implements HttpServerAdapters.HttpTestHandler {
+        @Override
+        public void handle(HttpServerAdapters.HttpTestExchange t) throws IOException {
+            try (InputStream is = t.getRequestBody();
+                 OutputStream os = t.getResponseBody()) {
+                byte[] bytes = is.readAllBytes();
+                t.sendResponseHeaders(200, bytes.length);
+                os.write(bytes);
+            }
+        }
+    }
+
+    @BeforeTest
+    public void setup() throws Exception {
+        policyFile = System.getProperty("java.security.policy");
+        out.println(policyFile);
+
+        sslContext = new SimpleSSLContext().get();
+        if (sslContext == null)
+            throw new AssertionError("Unexpected null sslContext");
+
+        zipFs = newSecureZipFs(Path.of("file.zip"));
+        zipFsPath = zipFsFile(zipFs);
+        defaultFsPath = defaultFsFile();
+
+        InetSocketAddress sa =
+                new InetSocketAddress(InetAddress.getLoopbackAddress(), 0);
+
+        httpTestServer = HttpServerAdapters.HttpTestServer.of(HttpServer.create(sa, 0));
+        httpTestServer.addHandler(
+                new FilePublisherPermsTest.HttpEchoHandler(), "/http1/echo");
+        httpURI = "http://" + httpTestServer.serverAuthority() + "/http1/echo";
+
+        HttpsServer httpsServer = HttpsServer.create(sa, 0);
+        httpsServer.setHttpsConfigurator(new HttpsConfigurator(sslContext));
+        httpsTestServer = HttpServerAdapters.HttpTestServer.of(httpsServer);
+        httpsTestServer.addHandler(
+                new FilePublisherPermsTest.HttpEchoHandler(), "/https1/echo");
+        httpsURI = "https://" + httpsTestServer.serverAuthority() + "/https1/echo";
+
+        http2TestServer = HttpServerAdapters.HttpTestServer.of(
+                new Http2TestServer("localhost", false, 0));
+        http2TestServer.addHandler(
+                new FilePublisherPermsTest.HttpEchoHandler(), "/http2/echo");
+        http2URI = "http://" + http2TestServer.serverAuthority() + "/http2/echo";
+
+        https2TestServer = HttpServerAdapters.HttpTestServer.of(
+                new Http2TestServer("localhost", true, sslContext));
+        https2TestServer.addHandler(
+                new FilePublisherPermsTest.HttpEchoHandler(), "/https2/echo");
+        https2URI = "https://" + https2TestServer.serverAuthority() + "/https2/echo";
+
+        httpTestServer.start();
+        httpsTestServer.start();
+        http2TestServer.start();
+        https2TestServer.start();
+    }
+
+    @AfterTest
+    public void teardown() throws Exception {
+            httpTestServer.stop();
+            httpsTestServer.stop();
+            http2TestServer.stop();
+            https2TestServer.stop();
+            zipFs.close();
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/java/net/httpclient/FilePublisher/FilePublisherPermsTest1.policy	Thu Mar 26 11:52:15 2020 +0000
@@ -0,0 +1,76 @@
+//
+// Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+// DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+//
+// This code is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License version 2 only, as
+// published by the Free Software Foundation.
+//
+// This code is distributed in the hope that it will be useful, but WITHOUT
+// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+// FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+// version 2 for more details (a copy is included in the LICENSE file that
+// accompanied this code).
+//
+// You should have received a copy of the GNU General Public License version
+// 2 along with this work; if not, write to the Free Software Foundation,
+// Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+// or visit www.oracle.com if you need additional information or have any
+// questions.
+//
+
+// for JTwork/classes/0/test/lib/jdk/test/lib/net/SimpleSSLContext.class
+grant codeBase "file:${test.classes}/../../../../../test/lib/-" {
+    permission java.util.PropertyPermission "test.src.path", "read";
+    permission java.io.FilePermission "${test.src}/../../../../../lib/jdk/test/lib/net/testkeys", "read";
+};
+
+// for JTwork/classes/0/java/net/httpclient/http2/server/*
+grant codeBase "file:${test.classes}/../../../../../java/net/httpclient/http2/server/*" {
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.common";
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.frame";
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.hpack";
+    permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.http";
+
+    permission java.net.SocketPermission "localhost:*", "accept,resolve";
+    permission java.lang.RuntimePermission "modifyThread";
+};
+
+grant codeBase "file:${test.classes}/*" {
+    permission java.net.URLPermission "http://localhost:*/http1/echo", "POST";
+    permission java.net.URLPermission "https://localhost:*/https1/echo", "POST";
+    permission java.net.URLPermission "http://localhost:*/http2/echo", "POST";
+    permission java.net.URLPermission "https://localhost:*/https2/echo", "POST";
+    permission java.net.URLPermission "https://localhost:*/http1/echo", "GET";
+    permission java.net.URLPermission "https://localhost:*/https1/echo", "GET";
+    permission java.net.URLPermission "http://localhost:*/http2/echo", "GET";
+    permission java.net.URLPermission "https://localhost:*/https2/echo", "GET";
+
+    // file permissions
+    permission java.io.FilePermission "${user.dir}${/}defaultFile.txt", "read,write,delete";
+    permission java.io.FilePermission "${user.dir}${/}file.zip", "read,write,delete";
+
+    // needed to access FileSystemProvider
+    permission java.lang.RuntimePermission "fileSystemProvider";
+
+    // for permission changes
+    permission java.security.SecurityPermission "getPolicy";
+    permission java.security.SecurityPermission "setPolicy";
+
+    // needed to grant permission to the HTTP/2 server
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.common";
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.frame";
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.hpack";
+    permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.http";
+
+    // for HTTP/1.1 server logging
+    permission java.util.logging.LoggingPermission "control";
+
+    // needed to grant the HTTP servers
+    permission java.net.SocketPermission "localhost:*", "accept,resolve";
+
+    permission java.util.PropertyPermission "*", "read";
+    permission java.lang.RuntimePermission "modifyThread";
+};
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/java/net/httpclient/FilePublisher/FilePublisherPermsTest2.policy	Thu Mar 26 11:52:15 2020 +0000
@@ -0,0 +1,81 @@
+//
+// Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+// DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+//
+// This code is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License version 2 only, as
+// published by the Free Software Foundation.
+//
+// This code is distributed in the hope that it will be useful, but WITHOUT
+// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+// FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+// version 2 for more details (a copy is included in the LICENSE file that
+// accompanied this code).
+//
+// You should have received a copy of the GNU General Public License version
+// 2 along with this work; if not, write to the Free Software Foundation,
+// Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+// or visit www.oracle.com if you need additional information or have any
+// questions.
+//
+
+// same as FilePublisherPermsTest1.policy with custom permission for test classes
+
+// for JTwork/classes/0/test/lib/jdk/test/lib/net/SimpleSSLContext.class
+grant codeBase "file:${test.classes}/../../../../../test/lib/-" {
+    permission java.util.PropertyPermission "test.src.path", "read";
+    permission java.io.FilePermission "${test.src}/../../../../../lib/jdk/test/lib/net/testkeys", "read";
+};
+
+// for JTwork/classes/0/java/net/httpclient/http2/server/*
+grant codeBase "file:${test.classes}/../../../../../java/net/httpclient/http2/server/*" {
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.common";
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.frame";
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.hpack";
+    permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.http";
+
+    permission java.net.SocketPermission "localhost:*", "accept,resolve";
+    permission java.lang.RuntimePermission "modifyThread";
+};
+
+grant codeBase "file:${test.classes}/*" {
+    permission java.net.URLPermission "http://localhost:*/http1/echo", "POST";
+    permission java.net.URLPermission "https://localhost:*/https1/echo", "POST";
+    permission java.net.URLPermission "http://localhost:*/http2/echo", "POST";
+    permission java.net.URLPermission "https://localhost:*/https2/echo", "POST";
+    permission java.net.URLPermission "https://localhost:*/http1/echo", "GET";
+    permission java.net.URLPermission "https://localhost:*/https1/echo", "GET";
+    permission java.net.URLPermission "http://localhost:*/http2/echo", "GET";
+    permission java.net.URLPermission "https://localhost:*/https2/echo", "GET";
+
+    // file permissions
+    permission java.io.FilePermission "${user.dir}${/}defaultFile.txt", "read,write,delete";
+    permission java.io.FilePermission "${user.dir}${/}file.zip", "read,write,delete";
+
+    // custom permission for testing
+    permission java.lang.RuntimePermission "customPermission";
+
+    // needed to access FileSystemProvider
+    permission java.lang.RuntimePermission "fileSystemProvider";
+
+    // for permission changes
+    permission java.security.SecurityPermission "getPolicy";
+    permission java.security.SecurityPermission "setPolicy";
+
+    // needed to grant permission to the HTTP/2 server
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.common";
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.frame";
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.hpack";
+    permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.http";
+
+    // for HTTP/1.1 server logging
+    permission java.util.logging.LoggingPermission "control";
+
+    // needed to grant the HTTP servers
+    permission java.net.SocketPermission "localhost:*", "accept,resolve";
+
+    permission java.util.PropertyPermission "*", "read";
+    permission java.lang.RuntimePermission "modifyThread";
+};
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/java/net/httpclient/FilePublisher/FilePublisherPermsTest3.policy	Thu Mar 26 11:52:15 2020 +0000
@@ -0,0 +1,84 @@
+//
+// Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+// DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+//
+// This code is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License version 2 only, as
+// published by the Free Software Foundation.
+//
+// This code is distributed in the hope that it will be useful, but WITHOUT
+// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+// FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+// version 2 for more details (a copy is included in the LICENSE file that
+// accompanied this code).
+//
+// You should have received a copy of the GNU General Public License version
+// 2 along with this work; if not, write to the Free Software Foundation,
+// Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+// or visit www.oracle.com if you need additional information or have any
+// questions.
+//
+
+// same as FilePublisherPermsTest1.policy with additional custom permission
+// for test classes and HttpClient (in java.net.http)
+
+grant codeBase "jrt:/java.net.http" {
+    permission java.lang.RuntimePermission "customPermission";
+};
+
+// for JTwork/classes/0/test/lib/jdk/test/lib/net/SimpleSSLContext.class
+grant codeBase "file:${test.classes}/../../../../../test/lib/-" {
+    permission java.util.PropertyPermission "test.src.path", "read";
+    permission java.io.FilePermission "${test.src}/../../../../../lib/jdk/test/lib/net/testkeys", "read";
+};
+
+// for JTwork/classes/0/java/net/httpclient/http2/server/*
+grant codeBase "file:${test.classes}/../../../../../java/net/httpclient/http2/server/*" {
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.common";
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.frame";
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.hpack";
+    permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.http";
+
+    permission java.net.SocketPermission "localhost:*", "accept,resolve";
+    permission java.lang.RuntimePermission "modifyThread";
+};
+
+grant codeBase "file:${test.classes}/*" {
+    permission java.net.URLPermission "http://localhost:*/http1/echo", "POST";
+    permission java.net.URLPermission "https://localhost:*/https1/echo", "POST";
+    permission java.net.URLPermission "http://localhost:*/http2/echo", "POST";
+    permission java.net.URLPermission "https://localhost:*/https2/echo", "POST";
+    permission java.net.URLPermission "https://localhost:*/http1/echo", "GET";
+    permission java.net.URLPermission "https://localhost:*/https1/echo", "GET";
+    permission java.net.URLPermission "http://localhost:*/http2/echo", "GET";
+    permission java.net.URLPermission "https://localhost:*/https2/echo", "GET";
+
+    // file permissions
+    permission java.io.FilePermission "${user.dir}${/}defaultFile.txt", "read,write,delete";
+    permission java.io.FilePermission "${user.dir}${/}file.zip", "read,write,delete";
+    permission java.lang.RuntimePermission "customPermission";
+
+    // needed to access FileSystemProvider
+    permission java.lang.RuntimePermission "fileSystemProvider";
+
+    // for permission changes
+    permission java.security.SecurityPermission "getPolicy";
+    permission java.security.SecurityPermission "setPolicy";
+
+    // needed to grant permission to the HTTP/2 server
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.common";
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.frame";
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.hpack";
+    permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.http";
+
+    // for HTTP/1.1 server logging
+    permission java.util.logging.LoggingPermission "control";
+
+    // needed to grant the HTTP servers
+    permission java.net.SocketPermission "localhost:*", "accept,resolve";
+
+    permission java.util.PropertyPermission "*", "read";
+    permission java.lang.RuntimePermission "modifyThread";
+};
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/java/net/httpclient/FilePublisher/FilePublisherTest.java	Thu Mar 26 11:52:15 2020 +0000
@@ -0,0 +1,251 @@
+/*
+ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8235459
+ * @summary Confirm that HttpRequest.BodyPublishers#ofFile(Path)
+ *          assumes the default file system
+ * @modules java.base/sun.net.www.http
+ *          java.net.http/jdk.internal.net.http.common
+ *          java.net.http/jdk.internal.net.http.frame
+ *          java.net.http/jdk.internal.net.http.hpack
+ *          jdk.httpserver
+ * @library /test/lib ../http2/server
+ * @compile ../HttpServerAdapters.java
+ * @build jdk.test.lib.net.SimpleSSLContext
+ * @run testng/othervm FilePublisherTest
+ * @run testng/othervm/java.security.policy=FilePublisherTest.policy FilePublisherTest
+ */
+
+import com.sun.net.httpserver.HttpServer;
+import com.sun.net.httpserver.HttpsConfigurator;
+import com.sun.net.httpserver.HttpsServer;
+import jdk.test.lib.net.SimpleSSLContext;
+import org.testng.annotations.AfterTest;
+import org.testng.annotations.BeforeTest;
+import org.testng.annotations.DataProvider;
+import org.testng.annotations.Test;
+
+import javax.net.ssl.SSLContext;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpRequest.BodyPublishers;
+import java.net.http.HttpResponse;
+import java.nio.file.FileSystem;
+import java.nio.file.FileSystems;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.Map;
+
+import static java.lang.System.out;
+import static java.net.http.HttpClient.Builder.NO_PROXY;
+import static org.testng.Assert.assertEquals;
+
+public class FilePublisherTest implements HttpServerAdapters {
+    SSLContext sslContext;
+    HttpServerAdapters.HttpTestServer httpTestServer;    // HTTP/1.1      [ 4 servers ]
+    HttpServerAdapters.HttpTestServer httpsTestServer;   // HTTPS/1.1
+    HttpServerAdapters.HttpTestServer http2TestServer;   // HTTP/2 ( h2c )
+    HttpServerAdapters.HttpTestServer https2TestServer;  // HTTP/2 ( h2  )
+    String httpURI;
+    String httpsURI;
+    String http2URI;
+    String https2URI;
+
+    FileSystem zipFs;
+    Path defaultFsPath;
+    Path zipFsPath;
+
+    // Default file system set up
+    static final String DEFAULT_FS_MSG = "default fs";
+
+    static Path defaultFsFile() throws Exception {
+        var file = Path.of("defaultFile.txt");
+        if (Files.notExists(file)) {
+            Files.createFile(file);
+            Files.writeString(file, DEFAULT_FS_MSG);
+        }
+        assertEquals(Files.readString(file), DEFAULT_FS_MSG);
+        return file;
+    }
+
+    @DataProvider(name = "defaultFsData")
+    public Object[][] defaultFsData() {
+        return new Object[][]{
+                { httpURI,   defaultFsPath, DEFAULT_FS_MSG, true  },
+                { httpsURI,  defaultFsPath, DEFAULT_FS_MSG, true  },
+                { http2URI,  defaultFsPath, DEFAULT_FS_MSG, true  },
+                { https2URI, defaultFsPath, DEFAULT_FS_MSG, true  },
+                { httpURI,   defaultFsPath, DEFAULT_FS_MSG, false },
+                { httpsURI,  defaultFsPath, DEFAULT_FS_MSG, false },
+                { http2URI,  defaultFsPath, DEFAULT_FS_MSG, false },
+                { https2URI, defaultFsPath, DEFAULT_FS_MSG, false },
+        };
+    }
+
+    @Test(dataProvider = "defaultFsData")
+    public void testDefaultFs(String uriString,
+                              Path path,
+                              String expectedMsg,
+                              boolean sameClient) throws Exception {
+        out.printf("\n\n--- testDefaultFs(%s, %s, \"%s\", %b): starting\n",
+                uriString, path, expectedMsg, sameClient);
+        send(uriString, path, expectedMsg, sameClient);
+    }
+
+    // Zip file system set up
+    static final String ZIP_FS_MSG = "zip fs";
+
+    static FileSystem newZipFs() throws Exception {
+        Path zipFile = Path.of("file.zip");
+        return FileSystems.newFileSystem(zipFile, Map.of("create", "true"));
+    }
+
+    static Path zipFsFile(FileSystem fs) throws Exception {
+        var file = fs.getPath("fileInZip.txt");
+        if (Files.notExists(file)) {
+            Files.createFile(file);
+            Files.writeString(file, ZIP_FS_MSG);
+        }
+        assertEquals(Files.readString(file), ZIP_FS_MSG);
+        return file;
+    }
+
+    @DataProvider(name = "zipFsData")
+    public Object[][] zipFsData() {
+        return new Object[][]{
+                { httpURI,   zipFsPath, ZIP_FS_MSG, true  },
+                { httpsURI,  zipFsPath, ZIP_FS_MSG, true  },
+                { http2URI,  zipFsPath, ZIP_FS_MSG, true  },
+                { https2URI, zipFsPath, ZIP_FS_MSG, true  },
+                { httpURI,   zipFsPath, ZIP_FS_MSG, false },
+                { httpsURI,  zipFsPath, ZIP_FS_MSG, false },
+                { http2URI,  zipFsPath, ZIP_FS_MSG, false },
+                { https2URI, zipFsPath, ZIP_FS_MSG, false },
+        };
+    }
+
+    @Test(dataProvider = "zipFsData")
+    public void testZipFs(String uriString,
+                          Path path,
+                          String expectedMsg,
+                          boolean sameClient) throws Exception {
+        out.printf("\n\n--- testZipFs(%s, %s, \"%s\", %b): starting\n",
+                uriString, path, expectedMsg, sameClient);
+        send(uriString, path, expectedMsg, sameClient);
+    }
+
+    private static final int ITERATION_COUNT = 3;
+
+    private void send(String uriString,
+                      Path path,
+                      String expectedMsg,
+                      boolean sameClient)
+            throws Exception {
+        HttpClient client = null;
+
+        for (int i = 0; i < ITERATION_COUNT; i++) {
+            if (!sameClient || client == null) {
+                client = HttpClient.newBuilder()
+                        .proxy(NO_PROXY)
+                        .sslContext(sslContext)
+                        .build();
+            }
+            var req = HttpRequest.newBuilder(URI.create(uriString))
+                .POST(BodyPublishers.ofFile(path))
+                .build();
+            var resp = client.send(req, HttpResponse.BodyHandlers.ofString());
+            out.println("Got response: " + resp);
+            out.println("Got body: " + resp.body());
+            assertEquals(resp.statusCode(), 200);
+            assertEquals(resp.body(), expectedMsg);
+        }
+    }
+
+    @BeforeTest
+    public void setup() throws Exception {
+        sslContext = new SimpleSSLContext().get();
+        if (sslContext == null)
+            throw new AssertionError("Unexpected null sslContext");
+
+        defaultFsPath = defaultFsFile();
+        zipFs = newZipFs();
+        zipFsPath = zipFsFile(zipFs);
+
+        InetSocketAddress sa =
+                new InetSocketAddress(InetAddress.getLoopbackAddress(), 0);
+
+        httpTestServer = HttpServerAdapters.HttpTestServer.of(HttpServer.create(sa, 0));
+        httpTestServer.addHandler(new HttpEchoHandler(), "/http1/echo");
+        httpURI = "http://" + httpTestServer.serverAuthority() + "/http1/echo";
+
+        HttpsServer httpsServer = HttpsServer.create(sa, 0);
+        httpsServer.setHttpsConfigurator(new HttpsConfigurator(sslContext));
+        httpsTestServer = HttpServerAdapters.HttpTestServer.of(httpsServer);
+        httpsTestServer.addHandler(new HttpEchoHandler(), "/https1/echo");
+        httpsURI = "https://" + httpsTestServer.serverAuthority() + "/https1/echo";
+
+        http2TestServer = HttpServerAdapters.HttpTestServer.of(
+                new Http2TestServer("localhost", false, 0));
+        http2TestServer.addHandler(new HttpEchoHandler(), "/http2/echo");
+        http2URI = "http://" + http2TestServer.serverAuthority() + "/http2/echo";
+
+        https2TestServer = HttpServerAdapters.HttpTestServer.of(
+                new Http2TestServer("localhost", true, sslContext));
+        https2TestServer.addHandler(new HttpEchoHandler(), "/https2/echo");
+        https2URI = "https://" + https2TestServer.serverAuthority() + "/https2/echo";
+
+        httpTestServer.start();
+        httpsTestServer.start();
+        http2TestServer.start();
+        https2TestServer.start();
+    }
+
+    @AfterTest
+    public void teardown() throws Exception {
+        httpTestServer.stop();
+        httpsTestServer.stop();
+        http2TestServer.stop();
+        https2TestServer.stop();
+        zipFs.close();
+    }
+
+    static class HttpEchoHandler implements HttpServerAdapters.HttpTestHandler {
+        @Override
+        public void handle(HttpServerAdapters.HttpTestExchange t) throws IOException {
+            try (InputStream is = t.getRequestBody();
+                 OutputStream os = t.getResponseBody()) {
+                byte[] bytes = is.readAllBytes();
+                t.sendResponseHeaders(200, bytes.length);
+                os.write(bytes);
+            }
+        }
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/java/net/httpclient/FilePublisher/FilePublisherTest.policy	Thu Mar 26 11:52:15 2020 +0000
@@ -0,0 +1,69 @@
+//
+// Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+// DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+//
+// This code is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License version 2 only, as
+// published by the Free Software Foundation.
+//
+// This code is distributed in the hope that it will be useful, but WITHOUT
+// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+// FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+// version 2 for more details (a copy is included in the LICENSE file that
+// accompanied this code).
+//
+// You should have received a copy of the GNU General Public License version
+// 2 along with this work; if not, write to the Free Software Foundation,
+// Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+// or visit www.oracle.com if you need additional information or have any
+// questions.
+//
+
+// for JTwork/classes/0/test/lib/jdk/test/lib/net/SimpleSSLContext.class
+grant codeBase "file:${test.classes}/../../../../../test/lib/-" {
+    permission java.util.PropertyPermission "test.src.path", "read";
+    permission java.io.FilePermission "${test.src}/../../../../../lib/jdk/test/lib/net/testkeys", "read";
+};
+
+// for JTwork/classes/0/java/net/httpclient/http2/server/*
+grant codeBase "file:${test.classes}/../../../../../java/net/httpclient/http2/server/*" {
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.common";
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.frame";
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.hpack";
+    permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.http";
+
+    permission java.net.SocketPermission "localhost:*", "accept,resolve";
+    permission java.lang.RuntimePermission "modifyThread";
+};
+
+grant codeBase "file:${test.classes}/*" {
+    permission java.net.URLPermission "http://localhost:*/http1/echo", "POST";
+    permission java.net.URLPermission "https://localhost:*/https1/echo", "POST";
+    permission java.net.URLPermission "http://localhost:*/http2/echo", "POST";
+    permission java.net.URLPermission "https://localhost:*/https2/echo", "POST";
+    permission java.net.URLPermission "https://localhost:*/http1/echo", "GET";
+    permission java.net.URLPermission "https://localhost:*/https1/echo", "GET";
+    permission java.net.URLPermission "http://localhost:*/http2/echo", "GET";
+    permission java.net.URLPermission "https://localhost:*/https2/echo", "GET";
+
+    // file permissions
+    permission java.io.FilePermission "${user.dir}${/}defaultFile.txt", "read,write,delete";
+    permission java.io.FilePermission "${user.dir}${/}file.zip", "read,write,delete";
+
+    // needed to grant permission to the HTTP/2 server
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.common";
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.frame";
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.net.http.hpack";
+    permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.http";
+
+    // for HTTP/1.1 server logging
+    permission java.util.logging.LoggingPermission "control";
+
+    // needed to grant the HTTP servers
+    permission java.net.SocketPermission "localhost:*", "accept,resolve";
+
+    permission java.util.PropertyPermission "*", "read";
+    permission java.lang.RuntimePermission "modifyThread";
+};
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/java/net/httpclient/FilePublisher/SecureZipFSProvider.java	Thu Mar 26 11:52:15 2020 +0000
@@ -0,0 +1,453 @@
+/*
+ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URI;
+import java.nio.channels.FileChannel;
+import java.nio.channels.SeekableByteChannel;
+import java.nio.file.AccessMode;
+import java.nio.file.CopyOption;
+import java.nio.file.DirectoryStream;
+import java.nio.file.FileStore;
+import java.nio.file.FileSystem;
+import java.nio.file.LinkOption;
+import java.nio.file.OpenOption;
+import java.nio.file.Path;
+import java.nio.file.PathMatcher;
+import java.nio.file.ProviderMismatchException;
+import java.nio.file.WatchEvent;
+import java.nio.file.WatchKey;
+import java.nio.file.WatchService;
+import java.nio.file.attribute.BasicFileAttributes;
+import java.nio.file.attribute.FileAttribute;
+import java.nio.file.attribute.FileAttributeView;
+import java.nio.file.attribute.UserPrincipalLookupService;
+import java.nio.file.spi.FileSystemProvider;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class SecureZipFSProvider extends FileSystemProvider {
+    private final ConcurrentHashMap<FileSystem, SecureZipFS> map =
+            new ConcurrentHashMap<>();
+    private final FileSystemProvider defaultProvider;
+
+    public SecureZipFSProvider(FileSystemProvider provider) {
+        defaultProvider = provider;
+    }
+
+    @Override
+    public String getScheme() {
+        return "jar";
+    }
+
+    public FileSystem newFileSystem(FileSystem fs) {
+        return map.computeIfAbsent(fs, (sfs) ->
+                new SecureZipFS(this, fs));
+    }
+
+    @Override
+    public FileSystem newFileSystem(URI uri, Map<String, ?> env)
+            throws IOException {
+        FileSystem fs = defaultProvider.newFileSystem(uri, env);
+        return map.computeIfAbsent(fs, (sfs) ->
+                new SecureZipFS(this, fs)
+        );
+    }
+
+    @Override
+    public FileSystem getFileSystem(URI uri) {
+        return map.get(defaultProvider.getFileSystem(uri));
+    }
+
+    @Override
+    public Path getPath(URI uri) {
+        Path p = defaultProvider.getPath(uri);
+        return map.get(defaultProvider.getFileSystem(uri)).wrap(p);
+    }
+
+    @Override
+    public InputStream newInputStream(Path path, OpenOption... options)
+            throws IOException {
+        Path p = toTestPath(path).unwrap();
+
+        // Added permission checks before opening the file
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            sm.checkPermission(new RuntimePermission("customPermission"));
+            sm.checkRead(p.toString());
+        }
+        return defaultProvider.newInputStream(p, options);
+    }
+
+    @Override
+    public SeekableByteChannel newByteChannel(Path path,
+                                              Set<? extends OpenOption> options,
+                                              FileAttribute<?>... attrs)
+            throws IOException {
+        Path p = toTestPath(path).unwrap();
+        return defaultProvider.newByteChannel(p, options, attrs);
+    }
+
+    @Override
+    public FileChannel newFileChannel(Path path,
+                                      Set<? extends OpenOption> options,
+                                      FileAttribute<?>... attrs)
+            throws IOException {
+        Path p = toTestPath(path).unwrap();
+        return defaultProvider.newFileChannel(p, options, attrs);
+    }
+
+
+    @Override
+    public DirectoryStream<Path> newDirectoryStream(Path dir,
+                                                    DirectoryStream.Filter<? super Path> filter) {
+        throw new RuntimeException("not implemented");
+    }
+
+    @Override
+    public void createDirectory(Path dir, FileAttribute<?>... attrs)
+            throws IOException {
+        Path p = toTestPath(dir).unwrap();
+        defaultProvider.createDirectory(p, attrs);
+    }
+
+    @Override
+    public void delete(Path path) throws IOException {
+        Path p = toTestPath(path).unwrap();
+        defaultProvider.delete(p);
+    }
+
+    @Override
+    public void copy(Path source, Path target, CopyOption... options)
+            throws IOException {
+        Path sp = toTestPath(source).unwrap();
+        Path tp = toTestPath(target).unwrap();
+        defaultProvider.copy(sp, tp, options);
+    }
+
+    @Override
+    public void move(Path source, Path target, CopyOption... options)
+            throws IOException {
+        Path sp = toTestPath(source).unwrap();
+        Path tp = toTestPath(target).unwrap();
+        defaultProvider.move(sp, tp, options);
+    }
+
+    @Override
+    public boolean isSameFile(Path path, Path path2)
+            throws IOException {
+        Path p = toTestPath(path).unwrap();
+        Path p2 = toTestPath(path2).unwrap();
+        return defaultProvider.isSameFile(p, p2);
+    }
+
+    @Override
+    public boolean isHidden(Path path) throws IOException {
+        Path p = toTestPath(path).unwrap();
+        return defaultProvider.isHidden(p);
+    }
+
+    @Override
+    public FileStore getFileStore(Path path) throws IOException {
+        Path p = toTestPath(path).unwrap();
+        return defaultProvider.getFileStore(p);
+    }
+
+    @Override
+    public void checkAccess(Path path, AccessMode... modes) throws IOException {
+        Path p = toTestPath(path).unwrap();
+        defaultProvider.checkAccess(p, modes);
+    }
+
+    @Override
+    public <V extends FileAttributeView> V getFileAttributeView(Path path,
+                                                                Class<V> type,
+                                                                LinkOption... options) {
+        Path p = toTestPath(path).unwrap();
+        return defaultProvider.getFileAttributeView(p, type, options);
+    }
+
+    @Override
+    public <A extends BasicFileAttributes> A readAttributes(Path path,
+                                                            Class<A> type,
+                                                            LinkOption... options)
+            throws IOException {
+        Path p = toTestPath(path).unwrap();
+        return defaultProvider.readAttributes(p, type, options);
+    }
+
+    @Override
+    public Map<String, Object> readAttributes(Path path,
+                                              String attributes,
+                                              LinkOption... options)
+            throws IOException {
+        Path p = toTestPath(path).unwrap();
+        return defaultProvider.readAttributes(p, attributes, options);
+    }
+
+    @Override
+    public void setAttribute(Path path, String attribute,
+                             Object value, LinkOption... options)
+            throws IOException {
+        Path p = toTestPath(path).unwrap();
+        defaultProvider.setAttribute(p, attribute, options);
+    }
+
+    // Checks that the given file is a TestPath
+    static TestPath toTestPath(Path obj) {
+        if (obj == null)
+            throw new NullPointerException();
+        if (!(obj instanceof TestPath))
+            throw new ProviderMismatchException();
+        return (TestPath) obj;
+    }
+
+    static class SecureZipFS extends FileSystem {
+        private final SecureZipFSProvider provider;
+        private final FileSystem delegate;
+
+        public SecureZipFS(SecureZipFSProvider provider, FileSystem delegate) {
+            this.provider = provider;
+            this.delegate = delegate;
+        }
+
+        Path wrap(Path path) {
+            return (path != null) ? new TestPath(this, path) : null;
+        }
+
+        Path unwrap(Path wrapper) {
+            if (wrapper == null)
+                throw new NullPointerException();
+            if (!(wrapper instanceof TestPath))
+                throw new ProviderMismatchException();
+            return ((TestPath) wrapper).unwrap();
+        }
+
+        @Override
+        public FileSystemProvider provider() {
+            return provider;
+        }
+
+        @Override
+        public void close() throws IOException {
+            delegate.close();
+        }
+
+        @Override
+        public boolean isOpen() {
+            return delegate.isOpen();
+        }
+
+        @Override
+        public boolean isReadOnly() {
+            return delegate.isReadOnly();
+        }
+
+        @Override
+        public String getSeparator() {
+            return delegate.getSeparator();
+        }
+
+        @Override
+        public Iterable<Path> getRootDirectories() {
+            return delegate.getRootDirectories();
+        }
+
+        @Override
+        public Iterable<FileStore> getFileStores() {
+            return delegate.getFileStores();
+        }
+
+        @Override
+        public Set<String> supportedFileAttributeViews() {
+            return delegate.supportedFileAttributeViews();
+        }
+
+        @Override
+        public Path getPath(String first, String... more) {
+            return wrap(delegate.getPath(first, more));
+        }
+
+        @Override
+        public PathMatcher getPathMatcher(String syntaxAndPattern) {
+            return delegate.getPathMatcher(syntaxAndPattern);
+        }
+
+        @Override
+        public UserPrincipalLookupService getUserPrincipalLookupService() {
+            return delegate.getUserPrincipalLookupService();
+        }
+
+        @Override
+        public WatchService newWatchService() throws IOException {
+            return delegate.newWatchService();
+        }
+    }
+
+    static class TestPath implements Path {
+        private final SecureZipFS fs;
+        private final Path delegate;
+
+        TestPath(SecureZipFS fs, Path delegate) {
+            this.fs = fs;
+            this.delegate = delegate;
+        }
+
+        Path unwrap() {
+            return delegate;
+        }
+
+        @Override
+        public SecureZipFS getFileSystem() {
+            return fs;
+        }
+
+        @Override
+        public boolean isAbsolute() {
+            return delegate.isAbsolute();
+        }
+
+        @Override
+        public Path getRoot() {
+            return fs.wrap(delegate.getRoot());
+        }
+
+        @Override
+        public Path getFileName() {
+            return fs.wrap(delegate.getFileName());
+        }
+
+        @Override
+        public Path getParent() {
+            return fs.wrap(delegate.getParent());
+        }
+
+        @Override
+        public int getNameCount() {
+            return delegate.getNameCount();
+        }
+
+        @Override
+        public Path getName(int index) {
+            return fs.wrap(delegate.getName(index));
+        }
+
+        @Override
+        public Path subpath(int beginIndex, int endIndex) {
+            return fs.wrap(delegate.subpath(beginIndex, endIndex));
+        }
+
+        @Override
+        public boolean startsWith(Path other) {
+            return delegate.startsWith(other);
+        }
+
+        @Override
+        public boolean endsWith(Path other) {
+            return delegate.endsWith(other);
+        }
+
+        @Override
+        public Path normalize() {
+            return fs.wrap(delegate.normalize());
+        }
+
+        @Override
+        public Path resolve(Path other) {
+            return fs.wrap(delegate.resolve(fs.wrap(other)));
+        }
+
+        @Override
+        public Path relativize(Path other) {
+            return fs.wrap(delegate.relativize(fs.wrap(other)));
+        }
+
+        @Override
+        public URI toUri() {
+            String ssp = delegate.toUri().getSchemeSpecificPart();
+            return URI.create(fs.provider().getScheme() + ":" + ssp);
+        }
+
+        @Override
+        public Path toAbsolutePath() {
+            return fs.wrap(delegate.toAbsolutePath());
+        }
+
+        @Override
+        public Path toRealPath(LinkOption... options) throws IOException {
+            return fs.wrap(delegate.toRealPath(options));
+        }
+
+        @Override
+        public WatchKey register(WatchService watcher,
+                                 WatchEvent.Kind<?>[] events,
+                                 WatchEvent.Modifier... modifiers)
+                throws IOException {
+            return delegate.register(watcher, events, modifiers);
+        }
+
+        @Override
+        public Iterator<Path> iterator() {
+            final Iterator<Path> itr = delegate.iterator();
+            return new Iterator<>() {
+                @Override
+                public boolean hasNext() {
+                    return itr.hasNext();
+                }
+
+                @Override
+                public Path next() {
+                    return fs.wrap(itr.next());
+                }
+
+                @Override
+                public void remove() {
+                    itr.remove();
+                }
+            };
+        }
+
+        @Override
+        public int compareTo(Path other) {
+            return delegate.compareTo(fs.unwrap(other));
+        }
+
+        @Override
+        public int hashCode() {
+            return delegate.hashCode();
+        }
+
+        @Override
+        public boolean equals(Object other) {
+            return other instanceof TestPath && delegate.equals(fs.unwrap((TestPath) other));
+        }
+
+        @Override
+        public String toString() {
+            return delegate.toString();
+        }
+    }
+}