Bug Database
Bug ID: 6648816
Votes 0
Synopsis REGRESSION: setting -Djava.security.debug=failure result in NPE in ACC
Category java:classes_security
Reported Against
Release Fixed 7(b25), 6u10(b12) (Bug ID:2158027) , 6u6(b02) (Bug ID:2159951)
State 10-Fix Delivered, bug
Priority: 3-Medium
Related Bugs
Submit Date 09-JAN-2008
Description
1) Write a simple negative (junit) test that uses AccessController.checkPermission

public void testACCNeg() {
    try {
        AccessController.checkPermission(new TestPermission("nonExistPermission"));
        fail("Authorization check should have failed");
    } catch (SecurityException se) {
        // ignore
    }
}

2) Run this test with -Djava.security.debug=failure, and you will see output similar to the following:

     [java] TestCase: testACCNeg
     [java] ERROR Message: java.lang.NullPointerException
     [java]     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:311)
     [java]     at java.security.AccessController.checkPermission(AccessController.java:546)

3) Here is the offending code in AccessController.java:

    if (!dumpDebug) {
        debug.println("access denied " + perm);
    }

The conditional is incorrect and the field debug is null -- hence the NPE. The "!" should be removed.

Release Regression From : 6u3
The above release value was the last known release where this 
bug was not reproducible. Since then there has been a regression.

Release Regression From : 6
The above release value was the last known release where this 
bug was not reproducible. Since then there has been a regression.

Posted Date : 2008-02-15 18:48:13.0
Work Around
The only workaround is to NOT set -Djava.security.debug=failure, which is really not a workaround and is considered a very severe restriction considering the limited debug logging facility available in JVM.
Just like the "stack" and "domain" debug options, "failure" only works as a sub-option of "access". If one wants to enable the "failure" option, please use -Djava.security.debug=access,failure.
Actually, the customer states they used "access,failure" when they ran into the NPE.
If a user wants the 'failure' debug message, they have to enable the security manager. As a workaround, "-Djava.security.manager -Djava.security.debug=access,failure" is the expected definition.
Evaluation
AccessControlContext.checkPermission(Permission) does not check the 'debug' instance.
Posted Date : 2008-01-10 03:38:13.0
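
The following is an added example, not JDK source and not code from this report: a simplified model of the guard quoted in the description next to a null-checked version. The class, field and method names are hypothetical, and the model assumes the debug logger exists only when the "access" option is present; it covers only that case.

```java
import java.util.Arrays;
import java.util.List;

// Simplified model of the debug guard; not the JDK source. All names are hypothetical.
public class DebugGuardDemo {

    // Stand-in for a debug logger that is only created when "access" is enabled.
    static final class DebugLog {
        void println(String msg) { System.err.println("debug: " + msg); }
    }

    final DebugLog debug;      // null unless "access" is among the options (assumption)
    final boolean dumpDebug;   // in this model, true only when a logger exists

    DebugGuardDemo(String debugProperty) {
        List<String> options = Arrays.asList(debugProperty.split(","));
        debug = options.contains("access") ? new DebugLog() : null;
        dumpDebug = debug != null;
    }

    // Inverted guard as quoted in the report: it dereferences debug exactly when
    // no logger was created, so the caller sees an NPE, not a SecurityException.
    void denyBuggy(String perm) {
        if (!dumpDebug) {
            debug.println("access denied " + perm);
        }
        throw new SecurityException("access denied " + perm);
    }

    // Guard with the "!" removed and an explicit null check on the logger.
    void denyFixed(String perm) {
        if (dumpDebug && debug != null) {
            debug.println("access denied " + perm);
        }
        throw new SecurityException("access denied " + perm);
    }

    // Runs a denial path and reports which exception type escaped.
    static String outcome(Runnable r) {
        try { r.run(); return "no exception"; }
        catch (RuntimeException e) { return e.getClass().getSimpleName(); }
    }

    public static void main(String[] args) {
        for (String prop : new String[] {"failure", "access,failure"}) {
            DebugGuardDemo d = new DebugGuardDemo(prop);
            System.out.println(prop + " buggy -> " + outcome(() -> d.denyBuggy("nonExistPermission")));
            System.out.println(prop + " fixed -> " + outcome(() -> d.denyFixed("nonExistPermission")));
        }
    }
}
```

The point for callers is that a denial path must always surface as SecurityException; code that catches only SecurityException, like the test in the description, lets the NullPointerException propagate as an unrelated failure.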