java/117436: JVM ignores $JAVA_HOME/jre/lib/security/java.security

Nick Johnson freebsd at spatula.net
Tue Oct 23 17:50:02 PDT 2007


>Number:         117436
>Category:       java
>Synopsis:       JVM ignores $JAVA_HOME/jre/lib/security/java.security
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-java
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 24 00:50:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Nick Johnson
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
morons.org 
>Environment:
System: FreeBSD turing.morons.org 6.2-STABLE FreeBSD 6.2-STABLE #0: Sun Jan 21 16:53:54 PST 2007 root at turing.morons.org:/usr/src/sys/i386/compile/TURING i386

java version "1.5.0_13-p7"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_13-p7-root_23_oct_2007_13_48)
Java HotSpot(TM) Client VM (build 1.5.0_13-p7-root_23_oct_2007_13_48, mixed mode)


	
>Description:

The FreeBSD JDK does not process $JAVA_HOME/jre/lib/security/java.security,
so any security customizations made by an administrator will be ignored by
the JVM; everything will get the compile-time defaults.  One common way this
manifests is by InetAddress caching everything forever, despite attempting
to configure its caching behaviour. 

	
>How-To-Repeat:
Save this code as Test.java, compile it, and run it with truss.  Grep the
output and observe that java.security is never stat'ed or open'ed.

[snip]

import java.net.*;

public class Test {
        public static void main(String[] args) throws Exception {
                InetAddress address = InetAddress.getByName("freebsd.org");
                System.out.println(address);
        }
}

[snip]

On other architectures, including Linux and Windows, executing the Test 
program will result in a read of java.security.

	
>Fix:

Unknown at this time.

One way (albeit very ugly) to get around the InetAddress caching problem
is to edit j2se/src/share/classes/java/net/InetAddress.java and change
these lines:

    private static Cache addressCache =
        new Cache(InetAddressCachePolicy.get());

    private static Cache negativeCache =
        new Cache(InetAddressCachePolicy.getNegative());


to read:


    private static Cache addressCache =
        new Cache(InetAddressCachePolicy.NEVER);

    private static Cache negativeCache =
        new Cache(InetAddressCachePolicy.NEVER);

and then recompile.

	


>Release-Note:
>Audit-Trail:
>Unformatted:
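
Added example, not part of the original report or of the JDK sources: an in-JVM counterpart to the truss check above, which compares every property in the on-disk java.security file with what java.security.Security reports at runtime. The class name SecurityPropsCheck and the two candidate file locations under java.home are assumptions of this example.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.Security;
import java.util.Enumeration;
import java.util.Properties;

// Added example: compares the on-disk java.security file with what the
// running JVM actually loaded. The class name is hypothetical.
public class SecurityPropsCheck {

    // Returns the number of properties in the file that the JVM does not
    // report with the same value, or -1 if no java.security file was found.
    static int countMismatches(File javaHome) throws IOException {
        // Assumed locations: lib/security on older JREs, conf/security on newer ones.
        File[] candidates = {
            new File(javaHome, "lib/security/java.security"),
            new File(javaHome, "conf/security/java.security")
        };
        for (int i = 0; i < candidates.length; i++) {
            if (!candidates[i].isFile()) continue;
            Properties onDisk = new Properties();
            InputStream in = new FileInputStream(candidates[i]);
            try { onDisk.load(in); } finally { in.close(); }
            int mismatches = 0;
            for (Enumeration<?> e = onDisk.propertyNames(); e.hasMoreElements();) {
                String key = (String) e.nextElement();
                String expected = onDisk.getProperty(key).trim();
                String actual = Security.getProperty(key); // null if never loaded
                if (!expected.equals(actual)) {
                    mismatches++;
                    System.out.println("MISMATCH " + key + ": file=" + expected + " jvm=" + actual);
                }
            }
            System.out.println(candidates[i] + ": " + onDisk.size() + " properties, " + mismatches + " mismatches");
            return mismatches;
        }
        return -1;
    }

    public static void main(String[] args) throws IOException {
        int result = countMismatches(new File(System.getProperty("java.home")));
        if (result < 0) System.out.println("no java.security file found under java.home");
        // Non-zero exit lets a deployment check fail when the file is ignored.
        System.exit(result == 0 ? 0 : 1);
    }
}
```

Run it without a -Djava.security.properties override and without code that calls Security.setProperty, since either one produces mismatches that do not indicate this bug.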

