diff --git a/src/java.base/share/classes/sun/net/www/protocol/http/AuthenticationHeader.java b/src/java.base/share/classes/sun/net/www/protocol/http/AuthenticationHeader.java index 8083fb36f39..8bccc53cafc 100644 --- a/src/java.base/share/classes/sun/net/www/protocol/http/AuthenticationHeader.java +++ b/src/java.base/share/classes/sun/net/www/protocol/http/AuthenticationHeader.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -32,7 +32,6 @@ import java.util.HashMap; import java.util.Set; import sun.net.www.*; -import sun.security.action.GetPropertyAction; /** * This class is used to parse the information in WWW-Authenticate: and Proxy-Authenticate: @@ -98,7 +97,7 @@ public class AuthenticationHeader { } static { - String pref = GetPropertyAction.privilegedGetProperty("http.auth.preference"); + String pref = System.getProperty("http.auth.preference"); // http.auth.preference can be set to SPNEGO or Kerberos. // In fact they means "Negotiate with SPNEGO" and "Negotiate with diff --git a/src/java.base/share/classes/sun/net/www/protocol/http/AuthenticationInfo.java b/src/java.base/share/classes/sun/net/www/protocol/http/AuthenticationInfo.java index 4a2b5b628c6..f567d7bd643 100644 --- a/src/java.base/share/classes/sun/net/www/protocol/http/AuthenticationInfo.java +++ b/src/java.base/share/classes/sun/net/www/protocol/http/AuthenticationInfo.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995, 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1995, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,8 +25,6 @@ package sun.net.www.protocol.http; -import java.io.IOException; -import java.io.ObjectInputStream; import java.net.PasswordAuthentication; import java.net.URL; import java.util.HashMap; @@ -67,10 +65,7 @@ public abstract class AuthenticationInfo extends AuthCacheValue implements Clone * repeatedly, via the Authenticator. Default is false, which means that this * behavior is switched off. */ - @SuppressWarnings("removal") - static final boolean serializeAuth = java.security.AccessController.doPrivileged( - new sun.security.action.GetBooleanAction( - "http.auth.serializeRequests")).booleanValue(); + static final boolean serializeAuth = Boolean.getBoolean("http.auth.serializeRequests"); /* AuthCacheValue: */ diff --git a/src/java.base/share/classes/sun/net/www/protocol/http/BasicAuthentication.java b/src/java.base/share/classes/sun/net/www/protocol/http/BasicAuthentication.java index 73d5ff98b3a..f008c185b5d 100644 --- a/src/java.base/share/classes/sun/net/www/protocol/http/BasicAuthentication.java +++ b/src/java.base/share/classes/sun/net/www/protocol/http/BasicAuthentication.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -32,11 +32,8 @@ import java.net.PasswordAuthentication; import java.nio.ByteBuffer; import java.nio.CharBuffer; import java.nio.charset.Charset; -import java.io.IOException; -import java.io.OutputStream; import java.util.Arrays; import java.util.Base64; -import java.util.Objects; import sun.net.www.HeaderParser; import sun.nio.cs.ISO_8859_1; import sun.nio.cs.UTF_8; @@ -49,10 +46,7 @@ import sun.nio.cs.UTF_8; */ -class BasicAuthentication extends AuthenticationInfo { - - @java.io.Serial - private static final long serialVersionUID = 100L; +final class BasicAuthentication extends AuthenticationInfo { /** The authentication string for this host, port, and realm. This is a simple BASE64 encoding of "login:password". */ diff --git a/src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java b/src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java index faee05b4dfd..28d7bc5cf4e 100644 --- a/src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java +++ b/src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -35,17 +35,13 @@ import java.nio.charset.CharacterCodingException; import java.nio.charset.Charset; import java.nio.charset.CharsetEncoder; import java.nio.charset.StandardCharsets; -import java.security.AccessController; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; -import java.security.PrivilegedAction; import java.security.Security; import java.text.Normalizer; import java.util.Arrays; -import java.util.Collections; import java.util.HashSet; import java.util.Locale; -import java.util.Objects; import java.util.Random; import java.util.Set; import java.util.function.BiConsumer; @@ -65,10 +61,7 @@ import static sun.net.www.protocol.http.HttpURLConnection.HTTP_CONNECT; * @author Bill Foote */ -class DigestAuthentication extends AuthenticationInfo { - - @java.io.Serial - private static final long serialVersionUID = 100L; +final class DigestAuthentication extends AuthenticationInfo { private String authMethod; @@ -110,26 +103,15 @@ class DigestAuthentication extends AuthenticationInfo { HttpURLConnection.getHttpLogger(); static { - @SuppressWarnings("removal") - Boolean b = AccessController.doPrivileged( - (PrivilegedAction) () -> NetProperties.getBoolean(compatPropName) - ); + Boolean b = NetProperties.getBoolean(compatPropName); delimCompatFlag = (b == null) ? false : b.booleanValue(); - @SuppressWarnings("removal") - String secprops = AccessController.doPrivileged( - (PrivilegedAction) () -> Security.getProperty(secPropName) - ); - + String secprops = Security.getProperty(secPropName); Set algs = new HashSet<>(); - // add the default insecure algorithms to set processPropValue(secprops, algs, (set, elem) -> set.add(elem)); - @SuppressWarnings("removal") - String netprops = AccessController.doPrivileged( - (PrivilegedAction) () -> NetProperties.get(enabledAlgPropName) - ); + String netprops = NetProperties.get(enabledAlgPropName); // remove any algorithms from disabled set that were opted-in by user processPropValue(netprops, algs, (set, elem) -> set.remove(elem)); disabledDigests = Set.copyOf(algs); diff --git a/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java b/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java index 83511853502..602f798448c 100644 --- a/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java +++ b/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java @@ -25,7 +25,6 @@ package sun.net.www.protocol.http; -import java.security.PrivilegedAction; import java.util.Arrays; import java.net.URL; import java.net.URLConnection; @@ -37,7 +36,6 @@ import java.net.HttpCookie; import java.net.InetAddress; import java.net.UnknownHostException; import java.net.SocketTimeoutException; -import java.net.SocketPermission; import java.net.Proxy; import java.net.ProxySelector; import java.net.URI; @@ -47,11 +45,7 @@ import java.net.ResponseCache; import java.net.CacheResponse; import java.net.SecureCacheResponse; import java.net.CacheRequest; -import java.net.URLPermission; import java.net.Authenticator.RequestorType; -import java.security.AccessController; -import java.security.PrivilegedExceptionAction; -import java.security.PrivilegedActionException; import java.io.*; import java.util.ArrayList; import java.util.Collections; @@ -81,7 +75,6 @@ import java.util.TimeZone; import java.net.MalformedURLException; import java.nio.ByteBuffer; import java.util.Objects; -import java.util.Properties; import java.util.concurrent.locks.ReentrantLock; import static sun.net.www.protocol.http.AuthScheme.BASIC; @@ -90,8 +83,6 @@ import static sun.net.www.protocol.http.AuthScheme.NTLM; import static sun.net.www.protocol.http.AuthScheme.NEGOTIATE; import static sun.net.www.protocol.http.AuthScheme.KERBEROS; import static sun.net.www.protocol.http.AuthScheme.UNKNOWN; -import sun.security.action.GetIntegerAction; -import sun.security.action.GetPropertyAction; /** * A class to represent an HTTP connection to a remote object. @@ -178,8 +169,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection { * Restrict setting of request headers through the public api * consistent with JavaScript XMLHttpRequest2 with a few * exceptions. Disallowed headers are silently ignored for - * backwards compatibility reasons rather than throwing a - * SecurityException. For example, some applets set the + * backwards compatibility reasons. For example, some applets set the * Host header since old JREs did not implement HTTP 1.1. * Additionally, any header starting with Sec- is * disallowed. @@ -222,12 +212,6 @@ public class HttpURLConnection extends java.net.HttpURLConnection { "Via" }; - @SuppressWarnings("removal") - private static String getNetProperty(String name) { - PrivilegedAction pa = () -> NetProperties.get(name); - return AccessController.doPrivileged(pa); - } - private static Set schemesListToSet(String list) { if (list == null || list.isEmpty()) return Collections.emptySet(); @@ -240,11 +224,9 @@ public class HttpURLConnection extends java.net.HttpURLConnection { } static { - Properties props = GetPropertyAction.privilegedGetProperties(); - maxRedirects = GetIntegerAction.privilegedGetProperty( - "http.maxRedirects", defaultmaxRedirects); - version = props.getProperty("java.version"); - String agent = props.getProperty("http.agent"); + maxRedirects = Integer.getInteger("http.maxRedirects", defaultmaxRedirects); + version = System.getProperty("java.version"); + String agent = System.getProperty("http.agent"); if (agent == null) { agent = "Java/"+version; } else { @@ -254,34 +236,30 @@ public class HttpURLConnection extends java.net.HttpURLConnection { // A set of net properties to control the use of authentication schemes // when proxying/tunneling. - String p = getNetProperty("jdk.http.auth.tunneling.disabledSchemes"); + String p = NetProperties.get("jdk.http.auth.tunneling.disabledSchemes"); disabledTunnelingSchemes = schemesListToSet(p); - p = getNetProperty("jdk.http.auth.proxying.disabledSchemes"); + p = NetProperties.get("jdk.http.auth.proxying.disabledSchemes"); disabledProxyingSchemes = schemesListToSet(p); - validateProxy = Boolean.parseBoolean( - props.getProperty("http.auth.digest.validateProxy")); - validateServer = Boolean.parseBoolean( - props.getProperty("http.auth.digest.validateServer")); + validateProxy = Boolean.getBoolean("http.auth.digest.validateProxy"); + validateServer = Boolean.getBoolean("http.auth.digest.validateServer"); - enableESBuffer = Boolean.parseBoolean( - props.getProperty("sun.net.http.errorstream.enableBuffering")); - int esBufferTimeout = GetIntegerAction.privilegedGetProperty( + enableESBuffer = Boolean.getBoolean("sun.net.http.errorstream.enableBuffering"); + int esBufferTimeout = Integer.getInteger( "sun.net.http.errorstream.timeout", 300); if (esBufferTimeout <= 0) { esBufferTimeout = 300; // use the default } timeout4ESBuffer = esBufferTimeout; - int esBufSize = GetIntegerAction.privilegedGetProperty( + int esBufSize = Integer.getInteger( "sun.net.http.errorstream.bufferSize", 4096); if (esBufSize <= 0) { esBufSize = 4096; // use the default } bufSize4ES = esBufSize; - allowRestrictedHeaders = Boolean.parseBoolean( - props.getProperty("sun.net.http.allowRestrictedHeaders")); + allowRestrictedHeaders = Boolean.getBoolean("sun.net.http.allowRestrictedHeaders"); if (!allowRestrictedHeaders) { restrictedHeaderSet = HashSet.newHashSet(restrictedHeaders.length); for (int i=0; i < restrictedHeaders.length; i++) { @@ -292,7 +270,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection { } int defMaxHeaderSize = 384 * 1024; - String maxHeaderSizeStr = getNetProperty("jdk.http.maxHeaderSize"); + String maxHeaderSizeStr = NetProperties.get("jdk.http.maxHeaderSize"); int maxHeaderSizeVal = defMaxHeaderSize; if (maxHeaderSizeStr != null) { try { @@ -439,9 +417,6 @@ public class HttpURLConnection extends java.net.HttpURLConnection { private int connectTimeout = NetworkClient.DEFAULT_CONNECT_TIMEOUT; private int readTimeout = NetworkClient.DEFAULT_READ_TIMEOUT; - /* A permission converted from a URLPermission */ - private SocketPermission socketPermission; - /* Logging support */ private static final PlatformLogger logger = PlatformLogger.getLogger("sun.net.www.protocol.http.HttpURLConnection"); @@ -462,36 +437,30 @@ public class HttpURLConnection extends java.net.HttpURLConnection { } /* - * privileged request password authentication + * Calls Authenticator.requestPasswordAuthentication * */ - @SuppressWarnings("removal") - private static PasswordAuthentication - privilegedRequestPasswordAuthentication( - final Authenticator authenticator, - final String host, - final InetAddress addr, - final int port, - final String protocol, - final String prompt, - final String scheme, - final URL url, - final RequestorType authType) { - return java.security.AccessController.doPrivileged( - new java.security.PrivilegedAction<>() { - public PasswordAuthentication run() { - if (logger.isLoggable(PlatformLogger.Level.FINEST)) { - logger.finest("Requesting Authentication: host =" + host + " url = " + url); - } - PasswordAuthentication pass = Authenticator.requestPasswordAuthentication( - authenticator, host, addr, port, protocol, - prompt, scheme, url, authType); - if (logger.isLoggable(PlatformLogger.Level.FINEST)) { - logger.finest("Authentication returned: " + (pass != null ? pass.toString() : "null")); - } - return pass; - } - }); + private static PasswordAuthentication requestPassword( + final Authenticator authenticator, + final String host, + final InetAddress addr, + final int port, + final String protocol, + final String prompt, + final String scheme, + final URL url, + final RequestorType authType) { + + if (logger.isLoggable(PlatformLogger.Level.FINEST)) { + logger.finest("Requesting Authentication: host =" + host + " url = " + url); + } + PasswordAuthentication pass = Authenticator.requestPasswordAuthentication( + authenticator, host, addr, port, protocol, + prompt, scheme, url, authType); + if (logger.isLoggable(PlatformLogger.Level.FINEST)) { + logger.finest("Authentication returned: " + (pass != null ? pass.toString() : "null")); + } + return pass; } private boolean isRestrictedHeader(String key, String value) { @@ -640,7 +609,6 @@ public class HttpURLConnection extends java.net.HttpURLConnection { if (requestLineIndex != 0) { // we expect the request line to be at index 0. we set it here // if we don't find the request line at that index. - checkURLFile(); requests.prepend(requestLine, null); } if (!getUseCaches()) { @@ -654,9 +622,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection { host += ":" + String.valueOf(port); } String reqHost = requests.findValue("Host"); - if (reqHost == null || - (!reqHost.equalsIgnoreCase(host) && !checkSetHost())) - { + if (reqHost == null || !reqHost.equalsIgnoreCase(host)) { requests.set("Host", host); } requests.setIfNotSet("Accept", acceptString); @@ -776,47 +742,6 @@ public class HttpURLConnection extends java.net.HttpURLConnection { } } - private boolean checkSetHost() { - @SuppressWarnings("removal") - SecurityManager s = System.getSecurityManager(); - if (s != null) { - String name = s.getClass().getName(); - if (name.equals("sun.plugin2.applet.AWTAppletSecurityManager") || - name.equals("sun.plugin2.applet.FXAppletSecurityManager") || - name.equals("com.sun.javaws.security.JavaWebStartSecurity") || - name.equals("sun.plugin.security.ActivatorSecurityManager")) - { - int CHECK_SET_HOST = -2; - try { - s.checkConnect(url.toExternalForm(), CHECK_SET_HOST); - } catch (SecurityException ex) { - return false; - } - } - } - return true; - } - - private void checkURLFile() { - @SuppressWarnings("removal") - SecurityManager s = System.getSecurityManager(); - if (s != null) { - String name = s.getClass().getName(); - if (name.equals("sun.plugin2.applet.AWTAppletSecurityManager") || - name.equals("sun.plugin2.applet.FXAppletSecurityManager") || - name.equals("com.sun.javaws.security.JavaWebStartSecurity") || - name.equals("sun.plugin.security.ActivatorSecurityManager")) - { - int CHECK_SUBPATH = -3; - try { - s.checkConnect(url.toExternalForm(), CHECK_SUBPATH); - } catch (SecurityException ex) { - throw new SecurityException("denied access outside a permitted URL subpath", ex); - } - } - } - } - /** * Create a new HttpClient object, bypassing the cache of * HTTP client objects/connections. @@ -922,7 +847,6 @@ public class HttpURLConnection extends java.net.HttpURLConnection { return u; } - @SuppressWarnings("removal") protected HttpURLConnection(URL u, Proxy p, Handler handler) throws IOException { super(checkURL(u)); @@ -931,119 +855,8 @@ public class HttpURLConnection extends java.net.HttpURLConnection { userHeaders = new MessageHeader(); this.handler = handler; instProxy = p; - if (instProxy instanceof sun.net.ApplicationProxy) { - /* Application set Proxies should not have access to cookies - * in a secure environment unless explicitly allowed. */ - try { - cookieHandler = CookieHandler.getDefault(); - } catch (SecurityException se) { /* swallow exception */ } - } else { - cookieHandler = java.security.AccessController.doPrivileged( - new java.security.PrivilegedAction<>() { - public CookieHandler run() { - return CookieHandler.getDefault(); - } - }); - } - cacheHandler = java.security.AccessController.doPrivileged( - new java.security.PrivilegedAction<>() { - public ResponseCache run() { - return ResponseCache.getDefault(); - } - }); - } - - /** - * opens a stream allowing redirects only to the same host. - */ - public static InputStream openConnectionCheckRedirects(URLConnection c) - throws IOException - { - boolean redir; - int redirects = 0; - InputStream in; - Authenticator a = null; - - do { - if (c instanceof HttpURLConnection) { - ((HttpURLConnection) c).setInstanceFollowRedirects(false); - if (a == null) { - a = ((HttpURLConnection) c).authenticator; - } - } - - // We want to open the input stream before - // getting headers, because getHeaderField() - // et al swallow IOExceptions. - in = c.getInputStream(); - redir = false; - - if (c instanceof HttpURLConnection) { - HttpURLConnection http = (HttpURLConnection) c; - int stat = http.getResponseCode(); - if (stat >= 300 && stat <= 307 && stat != 306 && - stat != HttpURLConnection.HTTP_NOT_MODIFIED) { - URL base = http.getURL(); - String loc = http.getHeaderField("Location"); - URL target = null; - if (loc != null) { - target = newURL(base, loc); - } - http.disconnect(); - if (target == null - || !base.getProtocol().equals(target.getProtocol()) - || base.getPort() != target.getPort() - || !hostsEqual(base, target) - || redirects >= 5) - { - throw new SecurityException("illegal URL redirect"); - } - redir = true; - c = target.openConnection(); - if (a != null && c instanceof HttpURLConnection) { - ((HttpURLConnection)c).setAuthenticator(a); - } - redirects++; - } - } - } while (redir); - return in; - } - - - // - // Same as java.net.URL.hostsEqual - // - @SuppressWarnings("removal") - private static boolean hostsEqual(URL u1, URL u2) { - final String h1 = u1.getHost(); - final String h2 = u2.getHost(); - - if (h1 == null) { - return h2 == null; - } else if (h2 == null) { - return false; - } else if (h1.equalsIgnoreCase(h2)) { - return true; - } - // Have to resolve addresses before comparing, otherwise - // names like tachyon and tachyon.eng would compare different - final boolean result[] = {false}; - - java.security.AccessController.doPrivileged( - new java.security.PrivilegedAction<>() { - public Void run() { - try { - InetAddress a1 = InetAddress.getByName(h1); - InetAddress a2 = InetAddress.getByName(h2); - result[0] = a1.equals(a2); - } catch(UnknownHostException | SecurityException e) { - } - return null; - } - }); - - return result[0]; + cookieHandler = CookieHandler.getDefault(); + cacheHandler = ResponseCache.getDefault(); } // overridden in HTTPS subclass @@ -1073,34 +886,6 @@ public class HttpURLConnection extends java.net.HttpURLConnection { return false; } - @SuppressWarnings("removal") - private String getHostAndPort(URL url) { - String host = url.getHost(); - final String hostarg = host; - try { - // lookup hostname and use IP address if available - host = AccessController.doPrivileged( - new PrivilegedExceptionAction<>() { - public String run() throws IOException { - InetAddress addr = InetAddress.getByName(hostarg); - return addr.getHostAddress(); - } - } - ); - } catch (PrivilegedActionException e) {} - int port = url.getPort(); - if (port == -1) { - String scheme = url.getProtocol(); - if ("http".equals(scheme)) { - return host + ":80"; - } else { // scheme must be https - return host + ":443"; - } - } - return host + ":" + Integer.toString(port); - } - - @SuppressWarnings("removal") protected void plainConnect() throws IOException { lock(); try { @@ -1110,66 +895,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection { } finally { unlock(); } - SocketPermission p = URLtoSocketPermission(this.url); - if (p != null) { - try { - AccessController.doPrivilegedWithCombiner( - new PrivilegedExceptionAction<>() { - public Void run() throws IOException { - plainConnect0(); - return null; - } - }, null, p - ); - } catch (PrivilegedActionException e) { - throw (IOException) e.getException(); - } - } else { - // run without additional permission - plainConnect0(); - } - } - - /** - * if the caller has a URLPermission for connecting to the - * given URL, then return a SocketPermission which permits - * access to that destination. Return null otherwise. The permission - * is cached in a field (which can only be changed by redirects) - */ - SocketPermission URLtoSocketPermission(URL url) throws IOException { - - if (socketPermission != null) { - return socketPermission; - } - - @SuppressWarnings("removal") - SecurityManager sm = System.getSecurityManager(); - - if (sm == null) { - return null; - } - - // the permission, which we might grant - - SocketPermission newPerm = new SocketPermission( - getHostAndPort(url), "connect" - ); - - String actions = getRequestMethod()+":" + - getUserSetHeaders().getHeaderNamesInList(); - - String urlstring = url.getProtocol() + "://" + url.getAuthority() - + url.getPath(); - - URLPermission p = new URLPermission(urlstring, actions); - try { - sm.checkPermission(p); - socketPermission = newPerm; - return socketPermission; - } catch (SecurityException e) { - // fall thru - } - return null; + plainConnect0(); } protected void plainConnect0() throws IOException { @@ -1215,14 +941,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection { /** * Do we have to use a proxy? */ - @SuppressWarnings("removal") - ProxySelector sel = - java.security.AccessController.doPrivileged( - new java.security.PrivilegedAction<>() { - public ProxySelector run() { - return ProxySelector.getDefault(); - } - }); + final ProxySelector sel = ProxySelector.getDefault(); if (sel != null) { URI uri = sun.net.www.ParseUtil.toURI(url); if (logger.isLoggable(PlatformLogger.Level.FINEST)) { @@ -1399,29 +1118,12 @@ public class HttpURLConnection extends java.net.HttpURLConnection { * - get input, [read input,] get output, [write output] */ - @SuppressWarnings("removal") @Override public OutputStream getOutputStream() throws IOException { lock(); try { connecting = true; - SocketPermission p = URLtoSocketPermission(this.url); - - if (p != null) { - try { - return AccessController.doPrivilegedWithCombiner( - new PrivilegedExceptionAction<>() { - public OutputStream run() throws IOException { - return getOutputStream0(); - } - }, null, p - ); - } catch (PrivilegedActionException e) { - throw (IOException) e.getException(); - } - } else { - return getOutputStream0(); - } + return getOutputStream0(); } finally { unlock(); } @@ -1591,29 +1293,12 @@ public class HttpURLConnection extends java.net.HttpURLConnection { } // end of getting cookies } - @SuppressWarnings("removal") @Override public InputStream getInputStream() throws IOException { lock(); try { connecting = true; - SocketPermission p = URLtoSocketPermission(this.url); - - if (p != null) { - try { - return AccessController.doPrivilegedWithCombiner( - new PrivilegedExceptionAction<>() { - public InputStream run() throws IOException { - return getInputStream0(); - } - }, null, p - ); - } catch (PrivilegedActionException e) { - throw (IOException) e.getException(); - } - } else { - return getInputStream0(); - } + return getInputStream0(); } finally { unlock(); } @@ -2060,17 +1745,9 @@ public class HttpURLConnection extends java.net.HttpURLConnection { private IOException getChainedException(final IOException rememberedException) { try { final Object[] args = { rememberedException.getMessage() }; - @SuppressWarnings("removal") - IOException chainedException = - java.security.AccessController.doPrivileged( - new java.security.PrivilegedExceptionAction<>() { - public IOException run() throws Exception { - return (IOException) - rememberedException.getClass() - .getConstructor(new Class[] { String.class }) - .newInstance(args); - } - }); + IOException chainedException = rememberedException.getClass() + .getConstructor(new Class[] { String.class }) + .newInstance(args); chainedException.initCause(rememberedException); return chainedException; } catch (Exception ignored) { @@ -2392,7 +2069,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection { * Gets the authentication for an HTTP proxy, and applies it to * the connection. */ - @SuppressWarnings({"removal","fallthrough"}) + @SuppressWarnings("fallthrough") private AuthenticationInfo getHttpProxyAuthentication(AuthenticationHeader authhdr) throws IOException { @@ -2430,44 +2107,40 @@ public class HttpURLConnection extends java.net.HttpURLConnection { proxyAuthKey = AuthenticationInfo.getProxyAuthKey(host, port, realm, authScheme); ret = AuthenticationInfo.getProxyAuth(proxyAuthKey, authCache); if (ret == null) { - switch (authScheme) { - case BASIC: - InetAddress addr = null; - try { - final String finalHost = host; - addr = java.security.AccessController.doPrivileged( - new java.security.PrivilegedExceptionAction<>() { - public InetAddress run() - throws java.net.UnknownHostException { - return InetAddress.getByName(finalHost); - } - }); - } catch (java.security.PrivilegedActionException ignored) { - // User will have an unknown host. + ret = switch (authScheme) { + case BASIC -> { + InetAddress addr = null; + try { + addr = InetAddress.getByName(host); + } catch (UnknownHostException uhe) { + // Ignore the exception. The Authenticator instance will + // be passed a null InetAddress when requesting a password from the + // Authenticator. + } + final PasswordAuthentication a = requestPassword(authenticator, + host, addr, port, "http", + realm, scheme, url, RequestorType.PROXY); + if (a != null) { + yield new BasicAuthentication(true, host, port, realm, a, isUTF8); + } + yield null; } - PasswordAuthentication a = - privilegedRequestPasswordAuthentication( - authenticator, - host, addr, port, "http", - realm, scheme, url, RequestorType.PROXY); - if (a != null) { - ret = new BasicAuthentication(true, host, port, realm, a, isUTF8); + case DIGEST -> { + final PasswordAuthentication a = requestPassword(authenticator, + host, null, port, url.getProtocol(), + realm, scheme, url, RequestorType.PROXY); + if (a != null) { + DigestAuthentication.Parameters params = + new DigestAuthentication.Parameters(); + yield new DigestAuthentication(true, host, port, realm, + scheme, a, params); + } + yield null; } - break; - case DIGEST: - a = privilegedRequestPasswordAuthentication( - authenticator, - host, null, port, url.getProtocol(), - realm, scheme, url, RequestorType.PROXY); - if (a != null) { - DigestAuthentication.Parameters params = - new DigestAuthentication.Parameters(); - ret = new DigestAuthentication(true, host, port, realm, - scheme, a, params); - } - break; - case NTLM: - if (NTLMAuthenticationProxy.supported) { + case NTLM -> { + if (!NTLMAuthenticationProxy.supported) { + yield null; + } /* tryTransparentNTLMProxy will always be true the first * time around, but verify that the platform supports it * otherwise don't try. */ @@ -2484,14 +2157,14 @@ public class HttpURLConnection extends java.net.HttpURLConnection { } } - a = null; + PasswordAuthentication a = null; if (tryTransparentNTLMProxy) { logger.finest("Trying Transparent NTLM authentication"); } else { - a = privilegedRequestPasswordAuthentication( - authenticator, - host, null, port, url.getProtocol(), - "", scheme, url, RequestorType.PROXY); + a = requestPassword( + authenticator, + host, null, port, url.getProtocol(), + "", scheme, url, RequestorType.PROXY); validateNTLMCredentials(a); } /* If we are not trying transparent authentication then @@ -2500,29 +2173,27 @@ public class HttpURLConnection extends java.net.HttpURLConnection { * and password will be picked up from the current logged * on users credentials. */ + AuthenticationInfo authInfo = null; if (tryTransparentNTLMProxy || - (!tryTransparentNTLMProxy && a != null)) { - ret = NTLMAuthenticationProxy.proxy.create(true, host, port, a); + (!tryTransparentNTLMProxy && a != null)) { + authInfo = NTLMAuthenticationProxy.proxy.create(true, host, port, a); } /* set to false so that we do not try again */ tryTransparentNTLMProxy = false; + yield authInfo; } - break; - case NEGOTIATE: - ret = new NegotiateAuthentication(new HttpCallerInfo(authhdr.getHttpCallerInfo(), "Negotiate")); - break; - case KERBEROS: - ret = new NegotiateAuthentication(new HttpCallerInfo(authhdr.getHttpCallerInfo(), "Kerberos")); - break; - case UNKNOWN: - if (logger.isLoggable(PlatformLogger.Level.FINEST)) { - logger.finest("Unknown/Unsupported authentication scheme: " + scheme); + case NEGOTIATE -> + new NegotiateAuthentication(new HttpCallerInfo(authhdr.getHttpCallerInfo(), "Negotiate")); + case KERBEROS -> + new NegotiateAuthentication(new HttpCallerInfo(authhdr.getHttpCallerInfo(), "Kerberos")); + case UNKNOWN -> { + if (logger.isLoggable(PlatformLogger.Level.FINEST)) { + logger.finest("Unknown/Unsupported authentication scheme: " + scheme); + } + yield null; } - /*fall through*/ - default: - throw new AssertionError("should not reach here"); - } + }; } if (ret != null) { if (!ret.setHeaders(this, p, raw)) { @@ -2604,7 +2275,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection { break; case BASIC: PasswordAuthentication a = - privilegedRequestPasswordAuthentication( + requestPassword( authenticator, url.getHost(), addr, port, url.getProtocol(), realm, scheme, url, RequestorType.SERVER); @@ -2613,7 +2284,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection { } break; case DIGEST: - a = privilegedRequestPasswordAuthentication( + a = requestPassword( authenticator, url.getHost(), addr, port, url.getProtocol(), realm, scheme, url, RequestorType.SERVER); @@ -2650,7 +2321,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection { if (tryTransparentNTLMServer) { logger.finest("Trying Transparent NTLM authentication"); } else { - a = privilegedRequestPasswordAuthentication( + a = requestPassword( authenticator, url.getHost(), addr, port, url.getProtocol(), "", scheme, url, RequestorType.SERVER); @@ -2753,7 +2424,6 @@ public class HttpURLConnection extends java.net.HttpURLConnection { * resets the url, re-connects, and resets the request * property. */ - @SuppressWarnings("removal") private boolean followRedirect() throws IOException { if (!getInstanceFollowRedirects()) { return false; @@ -2783,27 +2453,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection { // treat loc as a relative URI to conform to popular browsers locUrl = newURL(url, loc); } - - final URL locUrl0 = locUrl; - socketPermission = null; // force recalculation - SocketPermission p = URLtoSocketPermission(locUrl); - - if (p != null) { - try { - return AccessController.doPrivilegedWithCombiner( - new PrivilegedExceptionAction<>() { - public Boolean run() throws IOException { - return followRedirect0(loc, stat, locUrl0); - } - }, null, p - ); - } catch (PrivilegedActionException e) { - throw (IOException) e.getException(); - } - } else { - // run without additional permission - return followRedirect0(loc, stat, locUrl); - } + return followRedirect0(loc, stat, locUrl); } /* Tells us whether to follow a redirect. If so, it @@ -2838,12 +2488,6 @@ public class HttpURLConnection extends java.net.HttpURLConnection { String proxyHost = locUrl.getHost(); int proxyPort = locUrl.getPort(); - @SuppressWarnings("removal") - SecurityManager security = System.getSecurityManager(); - if (security != null) { - security.checkConnect(proxyHost, proxyPort); - } - setProxiedClient (url, proxyHost, proxyPort); requests.set(0, method + " " + getRequestURI()+" " + httpVersion, null); diff --git a/src/java.base/share/classes/sun/net/www/protocol/http/NegotiateAuthentication.java b/src/java.base/share/classes/sun/net/www/protocol/http/NegotiateAuthentication.java index 27442382ec7..c27d866f5ef 100644 --- a/src/java.base/share/classes/sun/net/www/protocol/http/NegotiateAuthentication.java +++ b/src/java.base/share/classes/sun/net/www/protocol/http/NegotiateAuthentication.java @@ -36,7 +36,6 @@ import java.util.concurrent.locks.ReentrantLock; import sun.net.www.HeaderParser; import static sun.net.www.protocol.http.AuthScheme.NEGOTIATE; import static sun.net.www.protocol.http.AuthScheme.KERBEROS; -import sun.security.action.GetPropertyAction; /** * NegotiateAuthentication: @@ -45,10 +44,7 @@ import sun.security.action.GetPropertyAction; * @since 1.6 */ -class NegotiateAuthentication extends AuthenticationInfo { - - @java.io.Serial - private static final long serialVersionUID = 100L; +final class NegotiateAuthentication extends AuthenticationInfo { private final HttpCallerInfo hci; @@ -61,14 +57,6 @@ class NegotiateAuthentication extends AuthenticationInfo { static ThreadLocal > cache = null; private static final ReentrantLock negotiateLock = new ReentrantLock(); - /* Whether cache is enabled for Negotiate/Kerberos */ - private static final boolean cacheSPNEGO; - static { - String spnegoCacheProp = - GetPropertyAction.privilegedGetProperty("jdk.spnego.cache", "true"); - cacheSPNEGO = Boolean.parseBoolean(spnegoCacheProp); - } - // The HTTP Negotiate Helper private Negotiator negotiator = null; diff --git a/src/java.base/share/classes/sun/net/www/protocol/https/HttpsClient.java b/src/java.base/share/classes/sun/net/www/protocol/https/HttpsClient.java index 9bc28a353ab..fb2dfe6fff3 100644 --- a/src/java.base/share/classes/sun/net/www/protocol/https/HttpsClient.java +++ b/src/java.base/share/classes/sun/net/www/protocol/https/HttpsClient.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2001, 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2001, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -30,7 +30,6 @@ import java.io.IOException; import java.io.UnsupportedEncodingException; import java.io.PrintStream; import java.io.BufferedOutputStream; -import java.net.InetAddress; import java.net.Socket; import java.net.SocketException; import java.net.URL; @@ -48,7 +47,6 @@ import javax.net.ssl.*; import sun.net.www.http.HttpClient; import sun.net.www.protocol.http.AuthCacheImpl; import sun.net.www.protocol.http.HttpURLConnection; -import sun.security.action.*; import sun.security.util.HostnameChecker; import sun.security.ssl.SSLSocketImpl; @@ -138,10 +136,8 @@ final class HttpsClient extends HttpClient // // If ciphers are assigned, sort them into an array. // - String ciphers []; - String cipherString = - GetPropertyAction.privilegedGetProperty("https.cipherSuites"); - + String[] ciphers; + String cipherString = System.getProperty("https.cipherSuites"); if (cipherString == null || cipherString.isEmpty()) { ciphers = null; } else { @@ -162,10 +158,8 @@ final class HttpsClient extends HttpClient // // If protocols are assigned, sort them into an array. // - String protocols []; - String protocolString = - GetPropertyAction.privilegedGetProperty("https.protocols"); - + String[] protocols; + String protocolString = System.getProperty("https.protocols"); if (protocolString == null || protocolString.isEmpty()) { protocols = null; } else { @@ -183,65 +177,12 @@ final class HttpsClient extends HttpClient return protocols; } - private String getUserAgent() { - String userAgent = - GetPropertyAction.privilegedGetProperty("https.agent"); - if (userAgent == null || userAgent.isEmpty()) { - userAgent = "JSSE"; - } - return userAgent; - } - // CONSTRUCTOR, FACTORY - /** - * Create an HTTPS client URL. Traffic will be tunneled through any - * intermediate nodes rather than proxied, so that confidentiality - * of data exchanged can be preserved. However, note that all the - * anonymous SSL flavors are subject to "person-in-the-middle" - * attacks against confidentiality. If you enable use of those - * flavors, you may be giving up the protection you get through - * SSL tunneling. - * - * Use New to get new HttpsClient. This constructor is meant to be - * used only by New method. New properly checks for URL spoofing. - * - * @param url https URL with which a connection must be established - */ - private HttpsClient(SSLSocketFactory sf, URL url) - throws IOException - { - // HttpClient-level proxying is always disabled, - // because we override doConnect to do tunneling instead. - this(sf, url, (String)null, -1); - } - - /** - * Create an HTTPS client URL. Traffic will be tunneled through - * the specified proxy server. - */ - HttpsClient(SSLSocketFactory sf, URL url, String proxyHost, int proxyPort) - throws IOException { - this(sf, url, proxyHost, proxyPort, -1); - } - - /** - * Create an HTTPS client URL. Traffic will be tunneled through + * Create an HTTPS client URL. Traffic will be tunneled through * the specified proxy server, with a connect timeout */ - HttpsClient(SSLSocketFactory sf, URL url, String proxyHost, int proxyPort, - int connectTimeout) - throws IOException { - this(sf, url, - (proxyHost == null? null: - HttpClient.newHttpProxy(proxyHost, proxyPort, "https")), - connectTimeout); - } - - /** - * Same as previous constructor except using a Proxy - */ HttpsClient(SSLSocketFactory sf, URL url, Proxy proxy, int connectTimeout) throws IOException { @@ -268,37 +209,6 @@ final class HttpsClient extends HttpClient // This code largely ripped off from HttpClient.New, and // it uses the same keepalive cache. - static HttpClient New(SSLSocketFactory sf, URL url, HostnameVerifier hv, - HttpURLConnection httpuc) - throws IOException { - return HttpsClient.New(sf, url, hv, true, httpuc); - } - - /** See HttpClient for the model for this method. */ - static HttpClient New(SSLSocketFactory sf, URL url, - HostnameVerifier hv, boolean useCache, - HttpURLConnection httpuc) throws IOException { - return HttpsClient.New(sf, url, hv, (String)null, -1, useCache, httpuc); - } - - /** - * Get a HTTPS client to the URL. Traffic will be tunneled through - * the specified proxy server. - */ - static HttpClient New(SSLSocketFactory sf, URL url, HostnameVerifier hv, - String proxyHost, int proxyPort, - HttpURLConnection httpuc) throws IOException { - return HttpsClient.New(sf, url, hv, proxyHost, proxyPort, true, httpuc); - } - - static HttpClient New(SSLSocketFactory sf, URL url, HostnameVerifier hv, - String proxyHost, int proxyPort, boolean useCache, - HttpURLConnection httpuc) - throws IOException { - return HttpsClient.New(sf, url, hv, proxyHost, proxyPort, useCache, -1, - httpuc); - } - static HttpClient New(SSLSocketFactory sf, URL url, HostnameVerifier hv, String proxyHost, int proxyPort, boolean useCache, int connectTimeout, HttpURLConnection httpuc) @@ -379,15 +289,6 @@ final class HttpsClient extends HttpClient ret.authcache = httpuc.getAuthCache(); } } else { - @SuppressWarnings("removal") - SecurityManager security = System.getSecurityManager(); - if (security != null) { - if (ret.proxy == Proxy.NO_PROXY || ret.proxy == null) { - security.checkConnect(InetAddress.getByName(url.getHost()).getHostAddress(), url.getPort()); - } else { - security.checkConnect(url.getHost(), url.getPort()); - } - } ret.url = url; } ret.setHostnameVerifier(hv); @@ -395,22 +296,17 @@ final class HttpsClient extends HttpClient return ret; } - // METHODS - void setHostnameVerifier(HostnameVerifier hv) { + private void setHostnameVerifier(HostnameVerifier hv) { this.hv = hv; } - void setSSLSocketFactory(SSLSocketFactory sf) { + private void setSSLSocketFactory(SSLSocketFactory sf) { sslSocketFactory = sf; } - SSLSocketFactory getSSLSocketFactory() { - return sslSocketFactory; - } - /** * The following method, createSocket, is defined in NetworkClient - * and overridden here so that the socket facroty is used to create + * and overridden here so that the socket factory is used to create * new sockets. */ @Override diff --git a/src/java.base/unix/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java b/src/java.base/unix/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java index 8a2944081d5..c034cd4dcd7 100644 --- a/src/java.base/unix/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java +++ b/src/java.base/unix/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java @@ -35,7 +35,6 @@ import java.net.URL; import java.security.GeneralSecurityException; import java.util.Base64; import java.util.Locale; -import java.util.Objects; import java.util.Properties; import sun.net.www.HeaderParser; @@ -70,8 +69,7 @@ import sun.security.action.GetPropertyAction; * through a proxy, rather between client and proxy, or between client and server (with no proxy) */ -public class NTLMAuthentication extends AuthenticationInfo { - private static final long serialVersionUID = 170L; +public final class NTLMAuthentication extends AuthenticationInfo { private static final NTLMAuthenticationCallback NTLMAuthCallback = NTLMAuthenticationCallback.getNTLMAuthenticationCallback(); diff --git a/src/java.base/windows/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java b/src/java.base/windows/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java index d3b60daad74..a7056082e12 100644 --- a/src/java.base/windows/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java +++ b/src/java.base/windows/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -31,14 +31,11 @@ import java.net.PasswordAuthentication; import java.net.UnknownHostException; import java.net.URL; import java.util.Locale; -import java.util.Objects; -import java.util.Properties; import sun.net.NetProperties; import sun.net.www.HeaderParser; import sun.net.www.protocol.http.AuthenticationInfo; import sun.net.www.protocol.http.AuthScheme; import sun.net.www.protocol.http.HttpURLConnection; -import sun.security.action.GetPropertyAction; /** * NTLMAuthentication: @@ -46,14 +43,11 @@ import sun.security.action.GetPropertyAction; * @author Michael McMahon */ -public class NTLMAuthentication extends AuthenticationInfo { - - private static final long serialVersionUID = 100L; +public final class NTLMAuthentication extends AuthenticationInfo { private static final NTLMAuthenticationCallback NTLMAuthCallback = - NTLMAuthenticationCallback.getNTLMAuthenticationCallback(); + NTLMAuthenticationCallback.getNTLMAuthenticationCallback(); - private String hostname; /* Domain to use if not specified by user */ private static final String defaultDomain; /* Whether cache is enabled for NTLM */ @@ -68,18 +62,10 @@ public class NTLMAuthentication extends AuthenticationInfo { private static final TransparentAuth authMode; static { - Properties props = GetPropertyAction.privilegedGetProperties(); - defaultDomain = props.getProperty("http.auth.ntlm.domain", "domain"); - String ntlmCacheProp = props.getProperty("jdk.ntlm.cache", "true"); + defaultDomain = System.getProperty("http.auth.ntlm.domain", "domain"); + String ntlmCacheProp = System.getProperty("jdk.ntlm.cache", "true"); ntlmCache = Boolean.parseBoolean(ntlmCacheProp); - @SuppressWarnings("removal") - String modeProp = java.security.AccessController.doPrivileged( - new java.security.PrivilegedAction() { - public String run() { - return NetProperties.get("jdk.http.ntlm.transparentAuth"); - } - }); - + String modeProp = NetProperties.get("jdk.http.ntlm.transparentAuth"); if ("trustedHosts".equalsIgnoreCase(modeProp)) authMode = TransparentAuth.TRUSTED_HOSTS; else if ("allHosts".equalsIgnoreCase(modeProp)) @@ -88,27 +74,6 @@ public class NTLMAuthentication extends AuthenticationInfo { authMode = TransparentAuth.DISABLED; } - @SuppressWarnings("removal") - private void init0() { - - hostname = java.security.AccessController.doPrivileged( - new java.security.PrivilegedAction() { - public String run() { - String localhost; - try { - localhost = InetAddress.getLocalHost().getHostName().toUpperCase(Locale.ROOT); - } catch (UnknownHostException e) { - localhost = "localhost"; - } - return localhost; - } - }); - int x = hostname.indexOf ('.'); - if (x != -1) { - hostname = hostname.substring (0, x); - } - } - String username; String ntdomain; String password; @@ -147,7 +112,6 @@ public class NTLMAuthentication extends AuthenticationInfo { ntdomain = null; password = null; } - init0(); } /**