Date: Tue, 23 Oct 2007 17:17:02 -0700 (PDT)
From: Nick Johnson <freebsd@spatula.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: java/117436: JVM ignores $JAVA_HOME/jre/lib/security/java.security
Message-ID: <20071024001702.EEDF217121@turing.morons.org>
Resent-Message-ID: <200710240050.l9O0o11Z006138@freefall.freebsd.org>
>Number:         117436
>Category:       java
>Synopsis:       JVM ignores $JAVA_HOME/jre/lib/security/java.security
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-java
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 24 00:50:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Nick Johnson
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
morons.org
>Environment:
System: FreeBSD turing.morons.org 6.2-STABLE FreeBSD 6.2-STABLE #0: Sun Jan 21 16:53:54 PST 2007 root@turing.morons.org:/usr/src/sys/i386/compile/TURING i386

java version "1.5.0_13-p7"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_13-p7-root_23_oct_2007_13_48)
Java HotSpot(TM) Client VM (build 1.5.0_13-p7-root_23_oct_2007_13_48, mixed mode)

>Description:
The FreeBSD JDK does not process $JAVA_HOME/jre/lib/security/java.security,
so any security customizations made by an administrator will be ignored by
the JVM; everything will get the compile-time defaults.

One common way this manifests is by InetAddress caching everything forever,
despite attempting to configure its caching behaviour.

>How-To-Repeat:
Save this code as Test.java, compile it, and run it with truss. Grep the
output and observe that java.security is never stat'ed or open'ed.

[snip]
import java.net.*;

public class Test {
    public static void main(String[] args) throws Exception {
        InetAddress address = InetAddress.getByName("freebsd.org");
        System.out.println(address);
    }
}
[snip]

On other architectures, including Linux and Windows, executing the Test
program will result in a read of java.security.

>Fix:
Unknown at this time.

One way (albeit very ugly) to get around the InetAddress caching problem is
to edit j2se/src/share/classes/java/net/InetAddress.java and change these
lines:

    private static Cache addressCache =
        new Cache(InetAddressCachePolicy.get());

    private static Cache negativeCache =
        new Cache(InetAddressCachePolicy.getNegative());

to read:

    private static Cache addressCache =
        new Cache(InetAddressCachePolicy.NEVER);

    private static Cache negativeCache =
        new Cache(InetAddressCachePolicy.NEVER);

and then recompile.

>Release-Note:
>Audit-Trail:
>Unformatted:
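Another way to confirm the behaviour reported above without truss, as an added example that is not part of the original report: a small program that loads java.security from disk and compares every key with what the running JVM returns from Security.getProperty. The class name SecurityFileCheck and the default path (java.home/lib/security/java.security, which corresponds to $JAVA_HOME/jre/lib/security on a 1.5 JDK) are assumptions; pass a different path as the first argument.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.Security;
import java.util.Properties;

// Added diagnostic, not code from the report. Exit status 0 means every key
// in the file matches the live JVM; 1 means the file was ignored or overridden.
public class SecurityFileCheck {

    // Counts keys whose value in the running JVM differs from the file on disk.
    // A difference can also come from Security.setProperty() calls at runtime.
    static int countMismatches(Properties onDisk) {
        int mismatches = 0;
        for (Object k : onDisk.keySet()) {
            String key = (String) k;
            String expected = onDisk.getProperty(key).trim();
            String live = Security.getProperty(key);
            if (live == null || !expected.equals(live.trim())) {
                System.out.println("MISMATCH " + key + ": file=" + expected + " jvm=" + live);
                mismatches++;
            }
        }
        return mismatches;
    }

    public static void main(String[] args) throws IOException {
        // Assumption: java.home points at the JRE directory, as it does on a 1.5 JDK.
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + File.separator + "lib"
                  + File.separator + "security" + File.separator + "java.security";
        Properties onDisk = new Properties();
        InputStream in = new FileInputStream(path);
        try {
            onDisk.load(in); // java.security uses the standard properties format
        } finally {
            in.close();
        }
        int bad = countMismatches(onDisk);
        System.out.println(onDisk.size() + " keys in " + path + ", " + bad + " mismatched");
        // The two settings behind the InetAddress caching symptom in the report.
        System.out.println("networkaddress.cache.ttl = "
                + Security.getProperty("networkaddress.cache.ttl"));
        System.out.println("networkaddress.cache.negative.ttl = "
                + Security.getProperty("networkaddress.cache.negative.ttl"));
        System.exit(bad == 0 ? 0 : 1);
    }
}
```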