From 2fbbce2b233e924ec9c3720fb4e7ef8b1ef31d51 Mon Sep 17 00:00:00 2001
From: Sean Mullan <mullan@openjdk.org>
Date: Wed, 12 Feb 2020 10:28:59 -0500
Subject: [PATCH] 8191395: policy.allowSystemProperty and
 policy.expandProperties also apply to JAAS configurations

Reviewed-by: weijun
---
 src/java.base/share/conf/security/java.security   | 15 +++++++++------
 .../com/sun/security/auth/login/ConfigFile.java   |  8 ++++++--
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
index 1a9ffe22d70..5e8b417a7ee 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -276,15 +276,18 @@ policy.provider=sun.security.provider.PolicyFile
 policy.url.1=file:${java.home}/conf/security/java.policy
 policy.url.2=file:${user.home}/.java.policy
 
-# whether or not we expand properties in the policy file
-# if this is set to false, properties (${...}) will not be expanded in policy
-# files.
+# Controls whether or not properties are expanded in policy and login
+# configuration files. If set to false, properties (${...}) will not
+# be expanded in policy and login configuration files. If commented out or
+# set to an empty string, the default value is "false" for policy files and
+# "true" for login configuration files.
 #
 policy.expandProperties=true
 
-# whether or not we allow an extra policy to be passed on the command line
-# with -Djava.security.policy=somefile. Comment out this line to disable
-# this feature.
+# Controls whether or not an extra policy or login configuration file is
+# allowed to be passed on the command line with -Djava.security.policy=somefile
+# or -Djava.security.auth.login.config=somefile. If commented out or set to
+# an empty string, the default value is "false".
 #
 policy.allowSystemProperty=true
 
diff --git a/src/jdk.security.auth/share/classes/com/sun/security/auth/login/ConfigFile.java b/src/jdk.security.auth/share/classes/com/sun/security/auth/login/ConfigFile.java
index 2d269052ef0..d89c12c5e35 100644
--- a/src/jdk.security.auth/share/classes/com/sun/security/auth/login/ConfigFile.java
+++ b/src/jdk.security.auth/share/classes/com/sun/security/auth/login/ConfigFile.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -78,7 +78,11 @@
  *
  * <p> The configuration syntax supported by this implementation
  * is exactly that syntax specified in the
- * {@code javax.security.auth.login.Configuration} class.
+ * {@code javax.security.auth.login.Configuration} class. In addition, the
+ * security property <i>policy.expandProperties</i> can be used to control
+ * whether system properties in the configuration file are expanded. If not
+ * set, the default value is <i>true</i> which means that properties will
+ * be expanded.
  *
  * @see javax.security.auth.login.LoginContext
  * @see java.security.Security security properties