diff --git a/src/share/classes/java/net/HttpURLConnection.java b/src/share/classes/java/net/HttpURLConnection.java
index d52c26789faa4bd8763f992f248cadb8e661d846..193b9cef1c1d89b7c867e9de913b5d49b631feba 100644
--- a/src/share/classes/java/net/HttpURLConnection.java
+++ b/src/share/classes/java/net/HttpURLConnection.java
@@ -50,6 +50,18 @@ import java.util.Date;
  * <a href="doc-files/net-properties.html#Proxies">Proxy settings</a> as well as
  * <a href="doc-files/net-properties.html#MiscHTTP"> various other settings</a>.
  * </P>
+ * <p>
+ * <b>Security permissions</b>
+ * <p>
+ * If a security manager is installed, and if a method is called which results in an
+ * attempt to open a connection, the caller must possess either:-
+ * <ul><li>a "connect" {@link SocketPermission} to the host/port combination of the
+ * destination URL or</li>
+ * <li>a {@link HttpURLPermission} that permits this request.</li>
+ * </ul><p>
+ * If automatic redirection is enabled, and this request is redirected to another
+ * destination, then the caller must also have permission to connect to the
+ * redirected host/URL.
  *
  * @see     java.net.HttpURLConnection#disconnect()
  * @since JDK1.1
diff --git a/src/share/classes/java/net/HttpURLPermission.java b/src/share/classes/java/net/HttpURLPermission.java
new file mode 100644
index 0000000000000000000000000000000000000000..52d6e79344a776ad15b70a0b738e3ba29dd266c3
--- /dev/null
+++ b/src/share/classes/java/net/HttpURLPermission.java
@@ -0,0 +1,406 @@
+/*
+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package java.net;
+
+import java.io.ObjectInputStream;
+import java.io.IOException;
+import java.util.List;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.security.Permission;
+
+/**
+ * Represents permission to access a resource or set of resources defined by a
+ * given http or https url, and for a given set of user-settable request methods
+ * and request headers. The <i>name</i> of the permission is the url string.
+ * The <i>actions</i> string is a concatenation of the request methods and headers.
+ * The range of method and header names is not restricted by this class.
+ * <p><b>The url</b><p>
+ * The url string is also used to instantiate a {@link URI} object which is
+ * used for comparison with other HttpURLPermission instances. Therefore, any
+ * references in this specification to url, mean this URI object.
+ * The path component of the url comprises a sequence of path segments, separated
+ * by '/' characters. The path is specified in a similar way to the path
+ * in {@link java.io.FilePermission}. There are three different ways
+ * as the following examples show:
+ * <table border>
+ * <tr><th>Example url</th><th>Description</th></tr>
+ * <tr><td style="white-space:nowrap;">http://www.oracle.com/a/b/c.html</td>
+ *   <td>A url which identifies a specific (single) resource</td>
+ * </tr>
+ * <tr><td>http://www.oracle.com/a/b/*</td>
+ *   <td>The '*' character refers to all resources in the same "directory" - in
+ *       other words all resources with the same number of path components, and
+ *       which only differ in the final path component, represented by the '*'.
+ *   </td>
+ * </tr>
+ * <tr><td>http://www.oracle.com/a/b/-</li>
+ *   <td>The '-' character refers to all resources recursively below the
+ *       preceding path (eg. http://www.oracle.com/a/b/c/d/e.html matches this
+ *       example).
+ *   </td>
+ * </tr>
+ * </table>
+ * <p>
+ * The '*' and '-' may only be specified in the final segment of a path and must be
+ * the only character in that segment. Any query or fragment components of the
+ * url are ignored when constructing HttpURLPermissions.
+ * <p>
+ * As a special case, urls of the form, "http:*" or "https:*" are accepted to
+ * mean any url of the given scheme.
+ * <p><b>The actions string</b><p>
+ * The actions string of a HttpURLPermission is a concatenation of the <i>method list</i>
+ * and the <i>request headers list</i>. These are lists of the permitted HTTP request
+ * methods and permitted request headers of the permission (respectively). The two lists
+ * are separated by a colon ':' character and elements of each list are comma separated.
+ * Some examples are:
+ * <pre>
+ *         "POST,GET,DELETE"
+ *         "GET:X-Foo-Request,X-Bar-Request"
+ *         "POST,GET:Header1,Header2"
+ * </pre>
+ * The first example specifies the methods: POST, GET and DELETE, but no request headers.
+ * The second example specifies one request method and two headers. The third
+ * example specifies two request methods, and two headers.
+ * <p>
+ * The colon separator need not be present if the request headers list is empty.
+ * No white-space is permitted in the actions string. The action strings supplied to
+ * the HttpURLPermission constructors are case-insensitive and are normalized by converting
+ * method names to upper-case and header names to the form defines in RFC2616 (lower case
+ * with initial letter of each word capitalized). Either list can contain a wild-card '*'
+ * character which signifies all request methods or headers respectively.
+ * <p>
+ * Note. Depending on the context of use, some request methods and headers may be permitted
+ * at all times, and others may not be permitted at any time. For example, the
+ * HTTP protocol handler might disallow certain headers such as Content-Length
+ * from being set by application code, regardless of whether the security policy
+ * in force, permits it.
+ *
+ * @since 1.8
+ */
+public final class HttpURLPermission extends Permission {
+
+    private static final long serialVersionUID = -2702463814894478682L;
+
+    private transient URI uri;
+    private transient List<String> methods;
+    private transient List<String> requestHeaders;
+
+    // serialized field
+    private String actions;
+
+    /**
+     * Creates a new HttpURLPermission from a url string and which permits the given
+     * request methods and user-settable request headers.
+     * The name of the permission is its url string. Only the scheme, authority
+     * and path components of the url are used. Any fragment or query
+     * components are ignored. The permissions action string is as specified above.
+     *
+     * @param url the url string
+     *
+     * @param actions the actions string
+     *
+     * @throws    IllegalArgumentException if url does not result in a valid {@link URI},
+     *            its scheme is not http or https, or if actions contains white-space.
+     */
+    public HttpURLPermission(String url, String actions) {
+        super(url);
+        init(actions);
+    }
+
+    private void init(String actions) {
+        URI uri = parseURI(getName());
+        int colon = actions.indexOf(':');
+        if (actions.lastIndexOf(':') != colon) {
+            throw new IllegalArgumentException("invalid actions string");
+        }
+
+        String methods, headers;
+        if (colon == -1) {
+            methods = actions;
+            headers = "";
+        } else {
+            methods = actions.substring(0, colon);
+            headers = actions.substring(colon+1);
+        }
+
+        List<String> l = normalizeMethods(methods);
+        Collections.sort(l);
+        this.methods = Collections.unmodifiableList(l);
+
+        l = normalizeHeaders(headers);
+        Collections.sort(l);
+        this.requestHeaders = Collections.unmodifiableList(l);
+
+        this.actions = actions();
+        this.uri = uri;
+    }
+
+    /**
+     * Creates a HttpURLPermission with the given url string and unrestricted
+     * methods and request headers by invoking the two argument
+     * constructor as follows: HttpURLPermission(url, "*:*")
+     *
+     * @throws    IllegalArgumentException if url does not result in a valid {@link URI}
+     */
+    public HttpURLPermission(String url) {
+        this(url, "*:*");
+    }
+
+    /**
+     * Returns the normalized method list and request
+     * header list, in the form:
+     * <pre>
+     *      "method-names : header-names"
+     * </pre>
+     * <p>
+     * where method-names is the list of methods separated by commas
+     * and header-names is the list of permitted headers separated by commas.
+     * There is no white space in the returned String. If header-names is empty
+     * then the colon separator will not be present.
+     */
+    public String getActions() {
+        return actions;
+    }
+
+    /**
+     * Checks if this HttpURLPermission implies the given permission.
+     * Specifically, the following checks are done as if in the
+     * following sequence:
+     * <p><ul>
+     * <li>if 'p' is not an instance of HttpURLPermission return false</li>
+     * <li>if any of p's methods are not in this's method list, and if
+     *     this's method list is not equal to "*", then return false.</li>
+     * <li>if any of p's headers are not in this's request header list, and if
+     *     this's request header list is not equal to "*", then return false.</li>
+     * <li>if this's url is equal to p's url , then return true</li>
+     * <li>if this's url scheme is not equal to p's url scheme return false</li>
+     * <li>if the scheme specific part of this's url is '*' return true</li>
+     * <li>if this's url authority is not equal to p's url authority
+     *     return false</li>
+     * <li>if the path or paths specified by p's url are contained in the
+     *     set of paths specified by this's url, then return true
+     * <li>otherwise, return false</li>
+     * </ol>
+     * <p>
+     * Some examples of how paths are matched are shown below:
+     * <p>
+     * <table border>
+     * <tr><th>this's path</th><th>p's path</th><th>match</th></tr>
+     * <tr><td>/a/b</td><td>/a/b</td><td>yes</td></tr>
+     * <tr><td>/a/b/*</td><td>/a/b/c</td><td>yes</td></tr>
+     * <tr><td>/a/b/*</td><td>/a/b/c/d</td><td>no</td></tr>
+     * <tr><td>/a/b/-</td><td>/a/b/c/d</td><td>yes</td></tr>
+     * <tr><td>/a/b/-</td><td>/a/b/c/d/e</td><td>yes</td></tr>
+     * <tr><td>/a/b/-</td><td>/a/b/c/*</td><td>yes</td></tr>
+     * <tr><td>/a/b/*</td><td>/a/b/c/-</td><td>no</td></tr>
+     * </table>
+     */
+    public boolean implies(Permission p) {
+        if (! (p instanceof HttpURLPermission)) {
+            return false;
+        }
+
+        HttpURLPermission that = (HttpURLPermission)p;
+
+        if (!this.methods.get(0).equals("*") &&
+                Collections.indexOfSubList(this.methods, that.methods) == -1) {
+            return false;
+        }
+
+        if (this.requestHeaders.isEmpty() && !that.requestHeaders.isEmpty()) {
+            return false;
+        }
+
+        if (!this.requestHeaders.isEmpty() &&
+            !this.requestHeaders.get(0).equals("*") &&
+             Collections.indexOfSubList(this.requestHeaders,
+                                        that.requestHeaders) == -1) {
+            return false;
+        }
+
+        if (this.uri.equals(that.uri)) {
+            return true;
+        }
+
+        if (!this.uri.getScheme().equals(that.uri.getScheme())) {
+            return false;
+        }
+
+        if (this.uri.getSchemeSpecificPart().equals("*")) {
+            return true;
+        }
+
+        String thisAuthority = this.uri.getAuthority();
+
+            if (thisAuthority != null &&
+                    !thisAuthority.equals(that.uri.getAuthority())) {
+            return false;
+        }
+
+        String thispath = this.uri.getPath();
+        String thatpath = that.uri.getPath();
+
+        if (thispath.endsWith("/-")) {
+            String thisprefix = thispath.substring(0, thispath.length() - 1);
+            return thatpath.startsWith(thisprefix);
+            }
+
+        if (thispath.endsWith("/*")) {
+            String thisprefix = thispath.substring(0, thispath.length() - 1);
+            if (!thatpath.startsWith(thisprefix)) {
+                return false;
+            }
+            String thatsuffix = thatpath.substring(thisprefix.length());
+            // suffix must not contain '/' chars
+            if (thatsuffix.indexOf('/') != -1) {
+                return false;
+            }
+            if (thatsuffix.equals("-")) {
+                return false;
+            }
+            return true;
+        }
+        return false;
+    }
+
+
+    /**
+     * Returns true if, this.getActions().equals(p.getActions())
+     * and p's url equals this's url.  Returns false otherwise.
+     */
+    public boolean equals(Object p) {
+        if (!(p instanceof HttpURLPermission)) {
+            return false;
+        }
+        HttpURLPermission that = (HttpURLPermission)p;
+        return this.getActions().equals(that.getActions()) &&
+                  this.uri.equals(that.uri);
+    }
+
+    /**
+     * Returns a hashcode calculated from the hashcode of the
+     * actions String and the url
+     */
+    public int hashCode() {
+        return getActions().hashCode() + uri.hashCode();
+    }
+
+
+    private List<String> normalizeMethods(String methods) {
+        List<String> l = new ArrayList<>();
+        StringBuilder b = new StringBuilder();
+        for (int i=0; i<methods.length(); i++) {
+            char c = methods.charAt(i);
+            if (c == ',') {
+                String s = b.toString();
+                if (s.length() > 0)
+                    l.add(s);
+                b = new StringBuilder();
+            } else if (c == ' ' || c == '\t') {
+                throw new IllegalArgumentException("white space not allowed");
+            } else {
+                if (c >= 'a' && c <= 'z') {
+                    c += 'A' - 'a';
+                }
+                b.append(c);
+            }
+        }
+        String s = b.toString();
+        if (s.length() > 0)
+            l.add(s);
+        return l;
+    }
+
+    private List<String> normalizeHeaders(String headers) {
+        List<String> l = new ArrayList<>();
+        StringBuilder b = new StringBuilder();
+        boolean capitalizeNext = true;
+        for (int i=0; i<headers.length(); i++) {
+            char c = headers.charAt(i);
+            if (c >= 'a' && c <= 'z') {
+                if (capitalizeNext) {
+                    c += 'A' - 'a';
+                    capitalizeNext = false;
+                }
+                b.append(c);
+            } else if (c == ' ' || c == '\t') {
+                throw new IllegalArgumentException("white space not allowed");
+            } else if (c == '-') {
+                    capitalizeNext = true;
+                b.append(c);
+            } else if (c == ',') {
+                String s = b.toString();
+                if (s.length() > 0)
+                    l.add(s);
+                b = new StringBuilder();
+                capitalizeNext = true;
+            } else {
+                capitalizeNext = false;
+                b.append(c);
+            }
+        }
+        String s = b.toString();
+        if (s.length() > 0)
+            l.add(s);
+        return l;
+    }
+
+    private URI parseURI(String url) {
+        URI u = URI.create(url);
+        String scheme = u.getScheme();
+        if (!(scheme.equalsIgnoreCase("http") ||
+             scheme.equalsIgnoreCase("https"))) {
+            throw new IllegalArgumentException ("unexpected URL scheme");
+        }
+        if (!u.getSchemeSpecificPart().equals("*")) {
+            u = URI.create(scheme + "://" + u.getAuthority() + u.getPath());
+        }
+        return u;
+    }
+
+    private String actions() {
+        StringBuilder b = new StringBuilder();
+        for (String s : methods) {
+            b.append(s);
+        }
+        b.append(":");
+        for (String s : requestHeaders) {
+            b.append(s);
+        }
+        return b.toString();
+    }
+    /**
+     * restore the state of this object from stream
+     */
+    private void readObject(ObjectInputStream s)
+        throws IOException, ClassNotFoundException {
+        ObjectInputStream.GetField fields = s.readFields();
+        String actions = (String)fields.get("actions", null);
+
+        init(actions);
+    }
+}
diff --git a/src/share/classes/sun/net/www/MessageHeader.java b/src/share/classes/sun/net/www/MessageHeader.java
index 3a46def13b3afa32d9b10594aba332e9fd656851..d6982b659e2376e518a95804b65c311569e8676f 100644
--- a/src/share/classes/sun/net/www/MessageHeader.java
+++ b/src/share/classes/sun/net/www/MessageHeader.java
@@ -31,12 +31,7 @@ package sun.net.www;
 
 import java.io.*;
 import java.util.Collections;
-import java.util.Map;
-import java.util.HashMap;
-import java.util.List;
-import java.util.ArrayList;
-import java.util.Iterator;
-import java.util.NoSuchElementException;
+import java.util.*;
 
 /** An RFC 844 or MIME message header.  Includes methods
     for parsing headers from incoming streams, fetching
@@ -59,6 +54,17 @@ class MessageHeader {
         parseHeader(is);
     }
 
+    /**
+     * Returns list of header names in a comma separated list
+     */
+    public synchronized String getHeaderNamesInList() {
+        StringJoiner joiner = new StringJoiner(",");
+        for (int i=0; i<nkeys; i++) {
+            joiner.add(keys[i]);
+        }
+        return joiner.toString();
+    }
+
     /**
      * Reset a message header (all key/values removed)
      */
diff --git a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
index 780e595da0b4fd387099f608c4c737326038ea4a..41a14df59eafbb0784cd5f5b0b7d7688d6ed4e35 100644
--- a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
+++ b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
@@ -36,6 +36,7 @@ import java.net.HttpCookie;
 import java.net.InetAddress;
 import java.net.UnknownHostException;
 import java.net.SocketTimeoutException;
+import java.net.SocketPermission;
 import java.net.Proxy;
 import java.net.ProxySelector;
 import java.net.URI;
@@ -45,8 +46,13 @@ import java.net.ResponseCache;
 import java.net.CacheResponse;
 import java.net.SecureCacheResponse;
 import java.net.CacheRequest;
+import java.net.HttpURLPermission;
 import java.net.Authenticator.RequestorType;
+import java.security.AccessController;
+import java.security.PrivilegedExceptionAction;
+import java.security.PrivilegedActionException;
 import java.io.*;
+import java.net.*;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Date;
@@ -303,6 +309,19 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
      */
     private MessageHeader requests;
 
+    /* The headers actually set by the user are recorded here also
+     */
+    private MessageHeader userHeaders;
+
+    /* Headers and request method cannot be changed
+     * once this flag is set in :-
+     *     - getOutputStream()
+     *     - getInputStream())
+     *     - connect()
+     * Access synchronized on this.
+     */
+    private boolean connecting = false;
+
     /* The following two fields are only used with Digest Authentication */
     String domain;      /* The list of authentication domains */
     DigestAuthentication.Parameters digestparams;
@@ -370,6 +389,9 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
     private int connectTimeout = NetworkClient.DEFAULT_CONNECT_TIMEOUT;
     private int readTimeout = NetworkClient.DEFAULT_READ_TIMEOUT;
 
+    /* A permission converted from a HttpURLPermission */
+    private SocketPermission socketPermission;
+
     /* Logging support */
     private static final PlatformLogger logger =
             PlatformLogger.getLogger("sun.net.www.protocol.http.HttpURLConnection");
@@ -487,6 +509,14 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
         }
     }
 
+    public synchronized void setRequestMethod(String method)
+                        throws ProtocolException {
+        if (connecting) {
+            throw new IllegalStateException("connect in progress");
+        }
+        super.setRequestMethod(method);
+    }
+
     /* adds the standard key/val pairs to reqests if necessary & write to
      * given PrintStream
      */
@@ -729,6 +759,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
         super(u);
         requests = new MessageHeader();
         responses = new MessageHeader();
+        userHeaders = new MessageHeader();
         this.handler = handler;
         instProxy = p;
         if (instProxy instanceof sun.net.ApplicationProxy) {
@@ -849,6 +880,9 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
     // overridden in HTTPS subclass
 
     public void connect() throws IOException {
+        synchronized (this) {
+            connecting = true;
+        }
         plainConnect();
     }
 
@@ -867,10 +901,86 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
         return false;
     }
 
+    private String getHostAndPort(URL url) {
+        String host = url.getHost();
+        int port = url.getPort();
+        if (port == -1) {
+            String scheme = url.getProtocol();
+            if ("http".equals(scheme)) {
+                return host + ":80";
+            } else { // scheme must be https
+                return host + ":443";
+            }
+        }
+        return host + ":" + Integer.toString(port);
+    }
+
     protected void plainConnect()  throws IOException {
-        if (connected) {
-            return;
+        synchronized (this) {
+            if (connected) {
+                return;
+            }
         }
+        SocketPermission p = URLtoSocketPermission(this.url);
+        if (p != null) {
+            try {
+                AccessController.doPrivileged(
+                    new PrivilegedExceptionAction<Void>() {
+                        public Void run() throws IOException {
+                            plainConnect0();
+                            return null;
+                        }
+                    }
+//                    }, null, p -- replace line above, when limited doPriv ready
+                );
+            } catch (PrivilegedActionException e) {
+                    throw (IOException) e.getException();
+            }
+        } else {
+            // run without additional permission
+            plainConnect0();
+        }
+    }
+
+    /**
+     *  if the caller has a HttpURLPermission for connecting to the
+     *  given URL, then return a SocketPermission which permits
+     *  access to that destination. Return null otherwise. The permission
+     *  is cached in a field (which can only be changed by redirects)
+     */
+    SocketPermission URLtoSocketPermission(URL url) throws IOException {
+
+        if (socketPermission != null) {
+            return socketPermission;
+        }
+
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm == null) {
+            return null;
+        }
+
+        // the permission, which we might grant
+
+        SocketPermission newPerm = new SocketPermission(
+            getHostAndPort(url), "connect"
+        );
+
+        String actions = getRequestMethod()+":" +
+                getUserSetHeaders().getHeaderNamesInList();
+
+        HttpURLPermission p = new HttpURLPermission(url.toString(), actions);
+        try {
+            sm.checkPermission(p);
+            socketPermission = newPerm;
+            return socketPermission;
+        } catch (SecurityException e) {
+            // fall thru
+        }
+        return null;
+    }
+
+    protected void plainConnect0()  throws IOException {
         // try to see if request can be served from local cache
         if (cacheHandler != null && getUseCaches()) {
             try {
@@ -1068,7 +1178,28 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
 
     @Override
     public synchronized OutputStream getOutputStream() throws IOException {
+        connecting = true;
+        SocketPermission p = URLtoSocketPermission(this.url);
 
+        if (p != null) {
+            try {
+                return AccessController.doPrivileged(
+                    new PrivilegedExceptionAction<OutputStream>() {
+                        public OutputStream run() throws IOException {
+                            return getOutputStream0();
+                        }
+                    }
+//                    }, null, p -- replace line above, when limited doPriv ready
+                );
+            } catch (PrivilegedActionException e) {
+                throw (IOException) e.getException();
+            }
+        } else {
+            return getOutputStream0();
+        }
+    }
+
+    private synchronized OutputStream getOutputStream0() throws IOException {
         try {
             if (!doOutput) {
                 throw new ProtocolException("cannot write to a URLConnection"
@@ -1231,8 +1362,30 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
     }
 
     @Override
-    @SuppressWarnings("empty-statement")
     public synchronized InputStream getInputStream() throws IOException {
+        connecting = true;
+        SocketPermission p = URLtoSocketPermission(this.url);
+
+        if (p != null) {
+            try {
+                return AccessController.doPrivileged(
+                    new PrivilegedExceptionAction<InputStream>() {
+                        public InputStream run() throws IOException {
+                            return getInputStream0();
+                        }
+                    }
+//                    }, null, p -- replace line above, when limited doPriv ready
+                );
+            } catch (PrivilegedActionException e) {
+                throw (IOException) e.getException();
+            }
+        } else {
+            return getInputStream0();
+        }
+    }
+
+    @SuppressWarnings("empty-statement")
+    private synchronized InputStream getInputStream0() throws IOException {
 
         if (!doInput) {
             throw new ProtocolException("Cannot read from URLConnection"
@@ -2319,18 +2472,19 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
             return false;
         }
 
-        int stat = getResponseCode();
+        final int stat = getResponseCode();
         if (stat < 300 || stat > 307 || stat == 306
                                 || stat == HTTP_NOT_MODIFIED) {
             return false;
         }
-        String loc = getHeaderField("Location");
+        final String loc = getHeaderField("Location");
         if (loc == null) {
             /* this should be present - if not, we have no choice
              * but to go forward w/ the response we got
              */
             return false;
         }
+
         URL locUrl;
         try {
             locUrl = new URL(loc);
@@ -2342,6 +2496,38 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
           // treat loc as a relative URI to conform to popular browsers
           locUrl = new URL(url, loc);
         }
+
+        final URL locUrl0 = locUrl;
+        socketPermission = null; // force recalculation
+        SocketPermission p = URLtoSocketPermission(locUrl);
+
+        if (p != null) {
+            try {
+                return AccessController.doPrivileged(
+                    new PrivilegedExceptionAction<Boolean>() {
+                        public Boolean run() throws IOException {
+                            return followRedirect0(loc, stat, locUrl0);
+                        }
+                    }
+//                    }, null, p -- replace line above, when limited doPriv ready
+                );
+            } catch (PrivilegedActionException e) {
+                throw (IOException) e.getException();
+            }
+        } else {
+            // run without additional permission
+            return followRedirect0(loc, stat, locUrl);
+        }
+    }
+
+    /* Tells us whether to follow a redirect.  If so, it
+     * closes the connection (break any keep-alive) and
+     * resets the url, re-connects, and resets the request
+     * property.
+     */
+    private boolean followRedirect0(String loc, int stat, URL locUrl)
+        throws IOException
+    {
         disconnectInternal();
         if (streaming()) {
             throw new HttpRetryException (RETRY_MSG3, stat, loc);
@@ -2753,17 +2939,24 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
      * @param value the value to be set
      */
     @Override
-    public void setRequestProperty(String key, String value) {
-        if (connected)
+    public synchronized void setRequestProperty(String key, String value) {
+        if (connected || connecting)
             throw new IllegalStateException("Already connected");
         if (key == null)
             throw new NullPointerException ("key is null");
 
         if (isExternalMessageHeaderAllowed(key, value)) {
             requests.set(key, value);
+            if (!key.equalsIgnoreCase("Content-Type")) {
+                userHeaders.set(key, value);
+            }
         }
     }
 
+    MessageHeader getUserSetHeaders() {
+        return userHeaders;
+    }
+
     /**
      * Adds a general request property specified by a
      * key-value pair.  This method will not overwrite
@@ -2776,14 +2969,17 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
      * @since 1.4
      */
     @Override
-    public void addRequestProperty(String key, String value) {
-        if (connected)
+    public synchronized void addRequestProperty(String key, String value) {
+        if (connected || connecting)
             throw new IllegalStateException("Already connected");
         if (key == null)
             throw new NullPointerException ("key is null");
 
         if (isExternalMessageHeaderAllowed(key, value)) {
             requests.add(key, value);
+            if (!key.equalsIgnoreCase("Content-Type")) {
+                    userHeaders.add(key, value);
+            }
         }
     }
 
diff --git a/test/java/net/HttpURLPermission/HttpURLPermissionTest.java b/test/java/net/HttpURLPermission/HttpURLPermissionTest.java
new file mode 100644
index 0000000000000000000000000000000000000000..c2debe7a0bd512cf0dcde7d94f4f496236833761
--- /dev/null
+++ b/test/java/net/HttpURLPermission/HttpURLPermissionTest.java
@@ -0,0 +1,203 @@
+/*
+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.net.HttpURLPermission;
+import java.io.*;
+
+/**
+ * @test
+ * @bug 8010464
+ */
+
+public class HttpURLPermissionTest {
+
+    // super class for all test types
+    abstract static class Test {
+        boolean expected;
+        abstract boolean execute();
+    };
+
+    // Tests URL part of implies() method. This is the main test.
+    static class URLImpliesTest extends Test {
+        String arg1, arg2;
+
+        URLImpliesTest(String arg1, String arg2, boolean expected) {
+            this.arg1 = arg1;
+            this.arg2 = arg2;
+            this.expected = expected;
+        }
+
+          boolean execute() {
+            HttpURLPermission p1 = new HttpURLPermission (arg1, "GET:*");
+            HttpURLPermission p2 = new HttpURLPermission (arg2, "GET:*");
+            boolean result = p1.implies(p2);
+            return result == expected;
+        }
+    };
+
+    static URLImpliesTest imtest(String arg1, String arg2, boolean expected) {
+        return new URLImpliesTest(arg1, arg2, expected);
+    }
+
+    static class ActionImpliesTest extends Test {
+        String arg1, arg2;
+
+        ActionImpliesTest(String arg1, String arg2, boolean expected) {
+            this.arg1 = arg1;
+            this.arg2 = arg2;
+            this.expected = expected;
+        }
+
+          boolean execute() {
+            String url1 = "http://www.foo.com/-";
+            String url2 = "http://www.foo.com/a/b";
+            HttpURLPermission p1 = new HttpURLPermission(url1, arg1);
+            HttpURLPermission p2 = new HttpURLPermission(url2, arg2);
+            boolean result = p1.implies(p2);
+            return result == expected;
+        }
+    }
+
+    static ActionImpliesTest actest(String arg1, String arg2, boolean expected) {
+        return new ActionImpliesTest(arg1, arg2, expected);
+    }
+
+    static Test[] pathImplies = {
+        // single
+        imtest("http://www.foo.com/", "http://www.foo.com/", true),
+        imtest("http://www.bar.com/", "http://www.foo.com/", false),
+        imtest("http://www.foo.com/a/b", "http://www.foo.com/", false),
+        imtest("http://www.foo.com/a/b", "http://www.foo.com/a/b/c", false),
+        // wildcard
+        imtest("http://www.foo.com/a/b/*", "http://www.foo.com/a/b/c", true),
+        imtest("http://www.foo.com/a/b/*", "http://www.foo.com/a/b/*", true),
+        imtest("http://www.foo.com/a/b/*", "http://www.foo.com/a/b/c#frag", true),
+        imtest("http://www.foo.com/a/b/*", "http://www.foo.com/a/b/c#frag?foo=foo", true),
+        imtest("http://www.foo.com/a/b/*", "http://www.foo.com/b/b/c", false),
+        imtest("http://www.foo.com/a/b/*", "http://www.foo.com/a/b/c.html", true),
+        imtest("http://www.foo.com/a/b/*", "http://www.foo.com/a/b/c.html", true),
+        imtest("http://www.foo.com/a/b/*", "https://www.foo.com/a/b/c", false),
+        // recursive
+        imtest("http://www.foo.com/a/b/-", "http://www.foo.com/a/b/-", true),
+        imtest("http://www.foo.com/a/b/-", "http://www.foo.com/a/b/c", true),
+        imtest("http://www.foo.com/a/b/-", "http://www.foo.com/a/b/c#frag", true),
+        imtest("http://www.foo.com/a/b/-", "http://www.foo.com/a/b/c#frag?foo=foo", true),
+        imtest("http://www.foo.com/a/b/-", "http://www.foo.com/b/b/c", false),
+        imtest("http://www.foo.com/a/b/-", "http://www.foo.com/a/b/c.html", true),
+        imtest("http://www.foo.com/a/b/-", "http://www.foo.com/a/b/c.html", true),
+        imtest("http://www.foo.com/a/b/-", "http://www.foo.com/a/b/c/d/e.html", true),
+        imtest("https://www.foo.com/a/b/-", "http://www.foo.com/a/b/c/d/e.html", false),
+        imtest("http://www.foo.com/a/b/-", "http://www.foo.com/a/b/c/d/e#frag", true),
+        imtest("http://www.foo.com/a/b/-", "https://www.foo.com/a/b/c", false),
+        // special cases
+        imtest("http:*", "https://www.foo.com/a/b/c", false),
+        imtest("http:*", "http://www.foo.com/a/b/c", true),
+        imtest("http:*", "http://foo/bar", true),
+        imtest("http://foo/bar", "https://foo/bar", false)
+    };
+
+    static Test[] actionImplies = {
+        actest("GET", "GET", true),
+        actest("GET", "POST", false),
+        actest("GET:", "PUT", false),
+        actest("GET:", "GET", true),
+        actest("GET,POST", "GET", true),
+        actest("GET,POST:", "GET", true),
+        actest("GET:X-Foo", "GET:x-foo", true),
+        actest("GET:X-Foo,X-bar", "GET:x-foo", true),
+        actest("GET:X-Foo", "GET:x-boo", false),
+        actest("GET:X-Foo,X-Bar", "GET:x-bar,x-foo", true),
+        actest("GET:X-Bar,X-Foo,X-Bar,Y-Foo", "GET:x-bar,x-foo", true),
+        actest("GET:*", "GET:x-bar,x-foo", true),
+        actest("*:*", "GET:x-bar,x-foo", true)
+    };
+
+    static boolean failed = false;
+
+    public static void main(String args[]) throws Exception {
+        for (int i=0; i<pathImplies.length ; i++) {
+            URLImpliesTest test = (URLImpliesTest)pathImplies[i];
+            Exception caught = null;
+            boolean result = false;
+            try {
+                result = test.execute();
+            } catch (Exception e) {
+                caught = e;
+                e.printStackTrace();
+            }
+            if (!result) {
+                failed = true;
+                System.out.println ("test failed: " + test.arg1 + ": " +
+                        test.arg2 + " Exception: " + caught);
+            }
+            System.out.println ("path test " + i + " OK");
+
+        }
+        for (int i=0; i<actionImplies.length ; i++) {
+            ActionImpliesTest test = (ActionImpliesTest)actionImplies[i];
+            Exception caught = null;
+            boolean result = false;
+            try {
+                result = test.execute();
+            } catch (Exception e) {
+                caught = e;
+                e.printStackTrace();
+            }
+            if (!result) {
+                failed = true;
+                System.out.println ("test failed: " + test.arg1 + ": " +
+                        test.arg2 + " Exception: " + caught);
+            }
+            System.out.println ("action test " + i + " OK");
+        }
+
+        serializationTest("http://www.foo.com/-", "GET,DELETE:*");
+        serializationTest("https://www.foo.com/-", "POST:X-Foo");
+        serializationTest("https:*", "*:*");
+        serializationTest("http://www.foo.com/a/b/s/", "POST:X-Foo");
+        serializationTest("http://www.foo.com/a/b/s/*", "POST:X-Foo");
+
+        if (failed) {
+            throw new RuntimeException("some tests failed");
+        }
+
+    }
+
+    static void serializationTest(String name, String actions)
+        throws Exception {
+
+        HttpURLPermission out = new HttpURLPermission(name, actions);
+        FileOutputStream fos = new FileOutputStream("out.ser");
+        ObjectOutputStream o = new ObjectOutputStream(fos);
+        o.writeObject(out);
+        FileInputStream fis = new FileInputStream("out.ser");
+        ObjectInputStream i = new ObjectInputStream(fis);
+        HttpURLPermission in = (HttpURLPermission)i.readObject();
+        if (!in.equals(out)) {
+            System.out.println ("FAIL");
+            System.out.println ("in = " + in);
+            System.out.println ("out = " + out);
+            failed = true;
+        }
+    }
+}
diff --git a/test/java/net/HttpURLPermission/URLTest.java b/test/java/net/HttpURLPermission/URLTest.java
new file mode 100644
index 0000000000000000000000000000000000000000..8aef8a1f59b9c7ebfa126e1572e65dd3058a1ae1
--- /dev/null
+++ b/test/java/net/HttpURLPermission/URLTest.java
@@ -0,0 +1,240 @@
+/*
+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.net.HttpURLPermission;
+/*
+ * Run the tests once without security manager and once with
+ *
+ * @test
+ * @bug 8010464
+ * @compile ../../../com/sun/net/httpserver/SimpleSSLContext.java
+ * @run main/othervm/policy=policy.1 URLTest one
+ * @run main/othervm URLTest one
+ * @run main/othervm/policy=policy.2 URLTest two
+ * @run main/othervm URLTest two
+ * @run main/othervm/policy=policy.3 URLTest three
+ * @run main/othervm URLTest three
+ */
+
+import java.net.*;
+import java.io.*;
+import java.util.*;
+import java.util.concurrent.*;
+import java.util.logging.*;
+import com.sun.net.httpserver.*;
+import javax.net.ssl.*;
+
+public class URLTest {
+    static boolean failed = false;
+
+    public static void main (String[] args) throws Exception {
+        boolean no = false, yes = true;
+
+        if (System.getSecurityManager() == null) {
+            yes = false;
+        }
+        createServers();
+        InetSocketAddress addr1 = httpServer.getAddress();
+        int port1 = addr1.getPort();
+        InetSocketAddress addr2 = httpsServer.getAddress();
+        int port2 = addr2.getPort();
+
+          // each of the following cases is run with a different policy file
+
+        switch (args[0]) {
+          case "one":
+            String url1 = "http://127.0.0.1:"+ port1 + "/foo.html";
+            String url2 = "https://127.0.0.1:"+ port2 + "/foo.html";
+            String url3 = "http://127.0.0.1:"+ port1 + "/bar.html";
+            String url4 = "https://127.0.0.1:"+ port2 + "/bar.html";
+
+            // simple positive test. Should succceed
+            test(url1, "GET", "X-Foo", no);
+            test(url1, "GET", "Z-Bar", "X-Foo", no);
+            test(url1, "GET", "X-Foo", "Z-Bar", no);
+            test(url1, "GET", "Z-Bar", no);
+            test(url2, "POST", "X-Fob", no);
+
+            // reverse the methods, should fail
+            test(url1, "POST", "X-Foo", yes);
+            test(url2, "GET", "X-Fob", yes);
+
+            // different URLs, should fail
+            test(url3, "GET", "X-Foo", yes);
+            test(url4, "POST", "X-Fob", yes);
+            break;
+
+          case "two":
+            url1 = "http://127.0.0.1:"+ port1 + "/foo.html";
+            url2 = "https://127.0.0.1:"+ port2 + "/foo.html";
+            url3 = "http://127.0.0.1:"+ port1 + "/bar.html";
+            url4 = "https://127.0.0.1:"+ port2 + "/bar.html";
+
+            // simple positive test. Should succceed
+            test(url1, "GET", "X-Foo", no);
+            test(url2, "POST", "X-Fob", no);
+            test(url3, "GET", "X-Foo", no);
+            test(url4, "POST", "X-Fob", no);
+            break;
+
+          case "three":
+            url1 = "http://127.0.0.1:"+ port1 + "/foo.html";
+            url2 = "https://127.0.0.1:"+ port2 + "/a/c/d/e/foo.html";
+            url3 = "http://127.0.0.1:"+ port1 + "/a/b/c";
+            url4 = "https://127.0.0.1:"+ port2 + "/a/b/c";
+
+            test(url1, "GET", "X-Foo", yes);
+            test(url2, "POST", "X-Zxc", no);
+            test(url3, "DELETE", "Y-Foo", no);
+            test(url4, "POST", "Y-Foo", yes);
+            break;
+        }
+        shutdown();
+        if (failed) {
+            throw new RuntimeException("Test failed");
+        }
+    }
+
+    public static void test (
+        String u, String method,
+        String header, boolean exceptionExpected
+    )
+        throws Exception
+    {
+        test(u, method, header, null, exceptionExpected);
+    }
+
+    public static void test (
+        String u, String method,
+        String header1, String header2, boolean exceptionExpected
+    )
+        throws Exception
+    {
+        URL url = new URL(u);
+        System.out.println ("url=" + u + " method="+method + " header1="+header1
+                +" header2 = " + header2
+                +" exceptionExpected="+exceptionExpected);
+        HttpURLConnection urlc = (HttpURLConnection)url.openConnection();
+        if (urlc instanceof HttpsURLConnection) {
+            HttpsURLConnection ssl = (HttpsURLConnection)urlc;
+            ssl.setHostnameVerifier(new HostnameVerifier() {
+                public boolean verify(String host, SSLSession sess) {
+                    return true;
+                }
+            });
+            ssl.setSSLSocketFactory (ctx.getSocketFactory());
+        }
+        urlc.setRequestMethod(method);
+        if (header1 != null) {
+            urlc.addRequestProperty(header1, "foo");
+        }
+        if (header2 != null) {
+            urlc.addRequestProperty(header2, "bar");
+        }
+        try {
+            int g = urlc.getResponseCode();
+            if (exceptionExpected) {
+                failed = true;
+                System.out.println ("FAIL");
+                return;
+            }
+            if (g != 200) {
+                String s = Integer.toString(g);
+                throw new RuntimeException("unexpected response "+ s);
+            }
+            InputStream is = urlc.getInputStream();
+            int c,count=0;
+            byte[] buf = new byte[1024];
+            while ((c=is.read(buf)) != -1) {
+                count += c;
+            }
+            is.close();
+        } catch (RuntimeException e) {
+            if (! (e instanceof SecurityException) &&
+                        !(e.getCause() instanceof SecurityException)  ||
+                        !exceptionExpected)
+            {
+                System.out.println ("FAIL");
+                //e.printStackTrace();
+                failed = true;
+            }
+        }
+        System.out.println ("OK");
+    }
+
+    static HttpServer httpServer;
+    static HttpsServer httpsServer;
+    static HttpContext c, cs;
+    static ExecutorService e, es;
+    static SSLContext ctx;
+
+    // These ports need to be hard-coded until we support port number
+    // ranges in the permission class
+
+    static final int PORT1 = 12567;
+    static final int PORT2 = 12568;
+
+    static void createServers() throws Exception {
+        InetSocketAddress addr1 = new InetSocketAddress (PORT1);
+        InetSocketAddress addr2 = new InetSocketAddress (PORT2);
+        httpServer = HttpServer.create (addr1, 0);
+        httpsServer = HttpsServer.create (addr2, 0);
+
+        MyHandler h = new MyHandler();
+
+        c = httpServer.createContext ("/", h);
+        cs = httpsServer.createContext ("/", h);
+        e = Executors.newCachedThreadPool();
+        es = Executors.newCachedThreadPool();
+        httpServer.setExecutor (e);
+        httpsServer.setExecutor (es);
+
+        // take the keystore from elsewhere in test hierarchy
+        String keysdir = System.getProperty("test.src")
+                + "/../../../com/sun/net/httpserver/";
+        ctx = new SimpleSSLContext(keysdir).get();
+        httpsServer.setHttpsConfigurator(new HttpsConfigurator (ctx));
+
+        httpServer.start();
+        httpsServer.start();
+    }
+
+    static void shutdown() {
+        httpServer.stop(1);
+        httpsServer.stop(1);
+        e.shutdown();
+        es.shutdown();
+    }
+
+    static class MyHandler implements HttpHandler {
+
+        MyHandler() {
+        }
+
+        public void handle(HttpExchange x) throws IOException {
+            x.sendResponseHeaders(200, -1);
+            x.close();
+        }
+    }
+
+}
diff --git a/test/java/net/HttpURLPermission/policy.1 b/test/java/net/HttpURLPermission/policy.1
new file mode 100644
index 0000000000000000000000000000000000000000..73fdb00002f8ea894b7d5a2f8a6d1b955653a5fb
--- /dev/null
+++ b/test/java/net/HttpURLPermission/policy.1
@@ -0,0 +1,48 @@
+//
+// Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+// DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+//
+// This code is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License version 2 only, as
+// published by the Free Software Foundation.
+//
+// This code is distributed in the hope that it will be useful, but WITHOUT
+// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+// FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+// version 2 for more details (a copy is included in the LICENSE file that
+// accompanied this code).
+//
+// You should have received a copy of the GNU General Public License version
+// 2 along with this work; if not, write to the Free Software Foundation,
+// Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+// or visit www.oracle.com if you need additional information or have any
+// questions.
+//
+
+grant {
+    permission java.net.HttpURLPermission "http://127.0.0.1:12567/foo.html", "GET:X-Foo,Z-Bar";
+    permission java.net.HttpURLPermission "https://127.0.0.1:12568/foo.html", "POST:X-Fob,T-Bar";
+
+    // needed for HttpServer
+    permission "java.net.SocketPermission" "localhost:1024-", "listen,resolve,accept";
+    permission "java.util.PropertyPermission" "test.src", "read";
+    permission java.io.FilePermission "${test.src}/../../../com/sun/net/httpserver/testkeys", "read";
+
+    //permission "java.util.logging.LoggingPermission" "control";
+    //permission "java.io.FilePermission" "/tmp/-", "read,write";
+    permission "java.lang.RuntimePermission" "modifyThread";
+    permission "java.lang.RuntimePermission" "setFactory";
+};
+
+// Normal permissions that aren't granted when run under jtreg
+
+grant codeBase "file:${{java.ext.dirs}}/*" {
+        permission java.security.AllPermission;
+};
+
+grant codeBase "file:${{java.home}}/jre/lib/rt.jar" {
+        permission java.security.AllPermission;
+};
+
diff --git a/test/java/net/HttpURLPermission/policy.2 b/test/java/net/HttpURLPermission/policy.2
new file mode 100644
index 0000000000000000000000000000000000000000..ad868400c047d601a5a902d55a0b9214f3e5647f
--- /dev/null
+++ b/test/java/net/HttpURLPermission/policy.2
@@ -0,0 +1,46 @@
+//
+// Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+// DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+//
+// This code is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License version 2 only, as
+// published by the Free Software Foundation.
+//
+// This code is distributed in the hope that it will be useful, but WITHOUT
+// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+// FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+// version 2 for more details (a copy is included in the LICENSE file that
+// accompanied this code).
+//
+// You should have received a copy of the GNU General Public License version
+// 2 along with this work; if not, write to the Free Software Foundation,
+// Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+// or visit www.oracle.com if you need additional information or have any
+// questions.
+//
+
+grant {
+    permission java.net.HttpURLPermission "http://127.0.0.1:12567/*", "GET:X-Foo";
+    permission java.net.HttpURLPermission "https://127.0.0.1:12568/*", "POST:X-Fob";
+
+    // needed for HttpServer
+    permission "java.net.SocketPermission" "localhost:1024-", "listen,resolve,accept";
+    permission "java.util.PropertyPermission" "test.src", "read";
+    permission java.io.FilePermission "${test.src}/../../../com/sun/net/httpserver/testkeys", "read";
+
+    //permission "java.util.logging.LoggingPermission" "control";
+    //permission "java.io.FilePermission" "/tmp/-", "read,write";
+    permission "java.lang.RuntimePermission" "modifyThread";
+    permission "java.lang.RuntimePermission" "setFactory";
+};
+
+grant codeBase "file:${{java.ext.dirs}}/*" {
+        permission java.security.AllPermission;
+};
+
+grant codeBase "file:///export/repos/jdk8/build/linux-x86_64-normal-server-fastdebug/images/j2sdk-image/jre/lib/rt.jar" {
+        permission java.security.AllPermission;
+};
+
diff --git a/test/java/net/HttpURLPermission/policy.3 b/test/java/net/HttpURLPermission/policy.3
new file mode 100644
index 0000000000000000000000000000000000000000..5f036c01f0d8eb195ecfaea60c25b13f2f0c0d58
--- /dev/null
+++ b/test/java/net/HttpURLPermission/policy.3
@@ -0,0 +1,48 @@
+//
+// Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+// DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+//
+// This code is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License version 2 only, as
+// published by the Free Software Foundation.
+//
+// This code is distributed in the hope that it will be useful, but WITHOUT
+// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+// FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+// version 2 for more details (a copy is included in the LICENSE file that
+// accompanied this code).
+//
+// You should have received a copy of the GNU General Public License version
+// 2 along with this work; if not, write to the Free Software Foundation,
+// Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+// or visit www.oracle.com if you need additional information or have any
+// questions.
+//
+
+grant {
+    permission java.net.HttpURLPermission "http://127.0.0.1:12567/a/b/-", "DELETE,GET:X-Foo,Y-Foo";
+    permission java.net.HttpURLPermission "https://127.0.0.1:12568/a/c/-", "POST:*";
+
+    // needed for HttpServer
+    permission "java.net.SocketPermission" "localhost:1024-", "listen,resolve,accept";
+    permission "java.util.PropertyPermission" "test.src", "read";
+    permission java.io.FilePermission "${test.src}/../../../com/sun/net/httpserver/testkeys", "read";
+
+    //permission "java.util.logging.LoggingPermission" "control";
+    //permission "java.io.FilePermission" "/tmp/-", "read,write";
+    permission "java.lang.RuntimePermission" "modifyThread";
+    permission "java.lang.RuntimePermission" "setFactory";
+};
+
+// Normal permissions that aren't granted when run under jtreg
+
+grant codeBase "file:${{java.ext.dirs}}/*" {
+        permission java.security.AllPermission;
+};
+
+grant codeBase "file:${{java.home}}/jre/lib/rt.jar" {
+        permission java.security.AllPermission;
+};
+

Example url	Description
http://www.oracle.com/a/b/c.html	A url which identifies a specific (single) resource
http://www.oracle.com/a/b/*	The '' character refers to all resources in the same "directory" - in + other words all resources with the same number of path components, and + * which only differ in the final path component, represented by the ''. +
http://www.oracle.com/a/b/- + *	The '-' character refers to all resources recursively below the + * preceding path (eg. http://www.oracle.com/a/b/c/d/e.html matches this + * example). + *
this's path	p's path	match
/a/b	/a/b	yes
/a/b/*	/a/b/c	yes
/a/b/*	/a/b/c/d	no
/a/b/-	/a/b/c/d	yes
/a/b/-	/a/b/c/d/e	yes
/a/b/-	/a/b/c/*	yes
/a/b/*	/a/b/c/-	no