8268349: Provide clear run-time warnings about Security Manager deprecation

[wangweij]

More loudly and precise warning messages when a security manager is either enabled at startup or installed at runtime.

This is new PR for the openjdk/jdk17 repo copied from openjdk/jdk#4400. A new commit is added.

---

Progress

• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change must be properly reviewed

Issue

• JDK-8268349: Provide clear run-time warnings about Security Manager deprecation ⚠️ Issue is not open.

Reviewers

• Lance Andersen (@LanceAndersen - Reviewer) ⚠️ Review applies to cb732f9
• Sean Mullan (@seanjmullan - Reviewer) ⚠️ Review applies to 2d5b1ba
• Alan Bateman (@AlanBateman - Reviewer) ⚠️ Review applies to 2d5b1ba

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk17 pull/13/head:pull/13
$ git checkout pull/13

Update a local copy of the PR:
$ git checkout pull/13
$ git pull https://git.openjdk.java.net/jdk17 pull/13/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 13

View PR using the GUI difftool:
$ git pr show -t 13

Using diff file

Download this PR as a diff file:
https://git.openjdk.java.net/jdk17/pull/13.diff

[bridgekeeper]

👋 Welcome back weijun! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[wangweij]

/label add security
/csr needed

[openjdk]

@wangweij
The security label was successfully added.

[openjdk]

@wangweij this pull request will not be integrated until the CSR request JDK-8268392 for issue JDK-8268349 has been approved.

[mlbridge]

Webrevs

• 05: Full - Incremental (885a0072)
• 04: Full - Incremental (1e1e7221)
• 03: Full - Incremental (2d5b1ba5)
• 02: Full - Incremental (cb732f99)
• 01: Full - Incremental (c62dff99)
• 00: Full (a8fc259e)

[seanjmullan]

This should probably have 8268349 in the @bug line.

[wangweij]

Fixed in new commit.

[seanjmullan]

Why did this line need to be removed?

[wangweij]

This is where the setSecurityManager method is called again when a security manager has already been installed, and the getProtectionDomain permission is needed. While I can add the new permission into the policy file, my understanding is that this line was just a clean-up and the test was about implementation of ProtectionDomain::toString (esp the seeAllp method called by it) when debug is on.

[seanjmullan]

Ok, thanks for the explanation. I think it should be ok to remove this line then.

[AlanBateman]

Implementation changes/text is okay.

[AlanBateman]

I'd probably use "initial" rather than "original" here but okay. You can drop setting it to null as that is its default value.

[wangweij]

Will do. Thanks.

[wangweij]

A new commit. Much more exact checking of various warning messages.

[jaikiran]

Hello Weijun,

Given that the codeSource() method above is allowed to return null, there could be a case where the warning message printed would be something like:

WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by foo.bar.Hello (null)
WARNING: Please consider reporting this to the maintainers of foo.bar.Hello
WARNING: System::setSecurityManager will be removed in a future release

Would that be OK or do you think the presence of "(null)" be unnecessary and confusing? Maybe in such cases that line should just say "System::setSecurityManager has been called by foo.bar.Hello"?

Another minor nit - the variable is named signature which initially gave me an impression that it was the method signature of the caller code, but that isn't the case. Should this variable be renamed perhaps?

[wangweij]

Good catches. Will fix it. Thanks.

[jaikiran]

Hello Sean, Weijung,

From what I have known, the Java/JDK code has always taken extra precaution when it comes to printing out potentially sensitive details like IP addresses and paths to file, like jar files in the log messages or exception stacktraces. In fact, one of the annoying things about some of the error messages that the JarFile API throws is that it doesn't even print out the jar file name, let alone the full path of the jar file which ran into issues. At least that was the case, unless that has changed in recent times. Furthermore, as you will surely know, to print out these details there's an security property which needs to be explicitly enabled ("jdk.includeInExceptions") with the right values.

Given all that, do you think that we should be printing the jar file paths in this WARNING message by default? I read the linked CSR, but I didn't see why the location of the jar or the name of the jar would be useful in this warning message. As long as the caller class (and perhaps the caller method) is printed, I think that should be enough of a summary on what's triggering this warning.

[mlbridge]

Mailing list message from Alan Bateman on security-dev:

On 18/06/2021 03:51, Jaikiran Pai wrote:

:
Given all that, do you think that we should be printing the jar file paths in this WARNING message by default? I read the linked CSR, but I didn't see why the location of the jar or the name of the jar would be useful in this warning message. As long as the caller class (and perhaps the caller method) is printed, I think that should be enough of a summary on what's triggering this warning.

It's not hugely different to the "Illegal reflective access" warnings
except I wouldn't expect many libraries to call setSecurityManager in a
running system. Instead, it tends to be the main application that
installs the SM at startup. However if code in a library were to call it
then it useful to identify where that code is.

-Alan.

[wangweij]

/csr needed

[openjdk]

@wangweij an approved CSR request is already required for this pull request.

[wangweij]

/integrate

[openjdk]

@wangweij This PR has not yet been marked as ready for integration.

[wangweij]

/csr unneeded

[wangweij]

/integrate

[openjdk]

@wangweij determined that a CSR request is not needed for this pull request.

[openjdk]

@wangweij This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8268349: Provide clear run-time warnings about Security Manager deprecation

Reviewed-by: lancea, mullan, alanb

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 84 new commits pushed to the master branch:

• 4099810: 8268293: VectorAPI cast operation on mask and shuffle is broken
• e2d7ec3: 8267100: [BACKOUT] JDK-8196415 Disable SHA-1 Signed JARs
• d3ad8cd: 8268672: C2: assert(!loop->is_member(u_loop)) failed: can be in outer loop or out of both loops only
• f25e719: 8268717: Upstream: 8268673: Stack walk across optimized entry frame on fresh native thread fails
• 22ebd19: 8268362: [REDO] C2 crash when compile negative Arrays.copyOf length after loop
• f8df953: 8268702: JFR diagnostic commands lack argument descriptors when viewed using Platform MBean Server
• c294ae4: 8267042: bug in monitor locking/unlocking on ARM32 C1 due to uninitialized BasicObjectLock::_displaced_header
• b358b54: 8269063: Build failure due to VerifyReceiverTypes was not declared after JDK-8268405
• b8f073b: 8268316: Typo in JFR jdk.Deserialization event
• b9d7337: 8268638: semaphores of AsyncLogWriter may be broken when JVM is exiting.
• ... and 74 more: https://git.openjdk.java.net/jdk17/compare/74007890bb9a3fa3a65683a3f480e399f2b1a0b6...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[openjdk]

Going to push as commit ef4ba22.
Since your change was applied there have been 84 commits pushed to the master branch:

• 4099810: 8268293: VectorAPI cast operation on mask and shuffle is broken
• e2d7ec3: 8267100: [BACKOUT] JDK-8196415 Disable SHA-1 Signed JARs
• d3ad8cd: 8268672: C2: assert(!loop->is_member(u_loop)) failed: can be in outer loop or out of both loops only
• f25e719: 8268717: Upstream: 8268673: Stack walk across optimized entry frame on fresh native thread fails
• 22ebd19: 8268362: [REDO] C2 crash when compile negative Arrays.copyOf length after loop
• f8df953: 8268702: JFR diagnostic commands lack argument descriptors when viewed using Platform MBean Server
• c294ae4: 8267042: bug in monitor locking/unlocking on ARM32 C1 due to uninitialized BasicObjectLock::_displaced_header
• b358b54: 8269063: Build failure due to VerifyReceiverTypes was not declared after JDK-8268405
• b8f073b: 8268316: Typo in JFR jdk.Deserialization event
• b9d7337: 8268638: semaphores of AsyncLogWriter may be broken when JVM is exiting.
• ... and 74 more: https://git.openjdk.java.net/jdk17/compare/74007890bb9a3fa3a65683a3f480e399f2b1a0b6...master

Your commit was automatically rebased without conflicts.

[openjdk]

@wangweij Pushed as commit ef4ba22.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.