8191395: policy.allowSystemProperty and policy.expandProperties also apply to JAAS configurations

Reviewed-by: weijun
2020-02-12 10:28:59 -05:00 · 2020-02-12 10:28:59 -05:00 · 2fbbce2b23
commit 2fbbce2b23
parent a239c475cf
2 changed files with 15 additions and 8 deletions
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@ -276,15 +276,18 @@ policy.provider=sun.security.provider.PolicyFile
 policy.url.1=file:${java.home}/conf/security/java.policy
 policy.url.2=file:${user.home}/.java.policy

-# whether or not we expand properties in the policy file
-# if this is set to false, properties (${...}) will not be expanded in policy
-# files.
+# Controls whether or not properties are expanded in policy and login
+# configuration files. If set to false, properties (${...}) will not
+# be expanded in policy and login configuration files. If commented out or
+# set to an empty string, the default value is "false" for policy files and
+# "true" for login configuration files.
 #
 policy.expandProperties=true

-# whether or not we allow an extra policy to be passed on the command line
-# with -Djava.security.policy=somefile. Comment out this line to disable
-# this feature.
+# Controls whether or not an extra policy or login configuration file is
+# allowed to be passed on the command line with -Djava.security.policy=somefile
+# or -Djava.security.auth.login.config=somefile. If commented out or set to
+# an empty string, the default value is "false".
 #
 policy.allowSystemProperty=true

--- a/src/jdk.security.auth/share/classes/com/sun/security/auth/login/ConfigFile.java
+++ b/src/jdk.security.auth/share/classes/com/sun/security/auth/login/ConfigFile.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -78,7 +78,11 @@ import java.net.URI;
 *
 * <p> The configuration syntax supported by this implementation
 * is exactly that syntax specified in the
- * {@code javax.security.auth.login.Configuration} class.
+ * {@code javax.security.auth.login.Configuration} class. In addition, the
+ * security property <i>policy.expandProperties</i> can be used to control
+ * whether system properties in the configuration file are expanded. If not
+ * set, the default value is <i>true</i> which means that properties will
+ * be expanded.
 *
 * @see javax.security.auth.login.LoginContext
 * @see java.security.Security security properties