openanolis / dragonwell8_jdk
Commit 1ffb156d
Authored Oct 24, 2013 by michaelm
8011786: Better applet networking
Reviewed-by: alanb, chegar
Parent 43dfe65f
Showing 16 changed files with 281 additions and 57 deletions
src/share/classes/com/sun/nio/sctp/SctpChannel.java (+5 -0)
src/share/classes/java/lang/SecurityManager.java (+3 -10)
src/share/classes/java/net/Socket.java (+13 -2)
src/share/classes/java/net/SocketPermission.java (+114 -2)
src/share/classes/java/nio/channels/AsynchronousSocketChannel.java (+4 -0)
src/share/classes/java/nio/channels/SocketChannel.java (+4 -0)
src/share/classes/sun/nio/ch/AsynchronousSocketChannelImpl.java (+4 -0)
src/share/classes/sun/nio/ch/SocketChannelImpl.java (+4 -0)
src/share/classes/sun/rmi/registry/RegistryImpl.java (+20 -4)
src/share/classes/sun/security/util/SecurityConstants.java (+1 -1)
src/share/lib/security/java.policy (+38 -38)
src/share/lib/security/java.security-linux (+16 -0)
src/share/lib/security/java.security-macosx (+18 -0)
src/share/lib/security/java.security-solaris (+17 -0)
src/share/lib/security/java.security-windows (+16 -0)
src/solaris/classes/sun/nio/ch/sctp/SctpChannelImpl.java (+4 -0)
src/share/classes/com/sun/nio/sctp/SctpChannel.java
...
...
@@ -276,6 +276,11 @@ public abstract class SctpChannel
*
* @throws IOException
* If some other I/O error occurs
*
* @throws SecurityException
* If a security manager has been installed and its
* {@link SecurityManager#checkListen checkListen} method denies
* the operation
*/
public
abstract
SctpChannel
bind
(
SocketAddress
local
)
throws
IOException
;
...
...
src/share/classes/java/lang/SecurityManager.java
...
...
@@ -1114,11 +1114,8 @@ class SecurityManager {
* calling thread is not allowed to wait for a connection request on
* the specified local port number.
* <p>
* If port is not 0, this method calls
* <code>checkPermission</code> with the
* This method calls <code>checkPermission</code> with the
* <code>SocketPermission("localhost:"+port,"listen")</code>.
* If port is zero, this method calls <code>checkPermission</code>
* with <code>SocketPermission("localhost:1024-","listen").</code>
* <p>
* If you override this method, then you should make a call to
* <code>super.checkListen</code>
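Review bot: The rewritten checkListen javadoc no longer says what happens for port 0. With the "If port is zero" sentence gone, a reader sees only SocketPermission("localhost:"+port,"listen") and has to know from SocketPermission that port 0 now stands for the ephemeral range. Add one sentence here pointing to the SocketPermission class description for the meaning of port zero.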
...
...
@@ -1131,13 +1128,9 @@ class SecurityManager {
* @see #checkPermission(java.security.Permission) checkPermission
*/
public
void
checkListen
(
int
port
)
{
if
(
port
==
0
)
{
checkPermission
(
SecurityConstants
.
LOCAL_LISTEN_PERMISSION
);
}
else
{
checkPermission
(
new
SocketPermission
(
"localhost:"
+
port
,
SecurityConstants
.
SOCKET_LISTEN_ACTION
));
}
}
/**
* Throws a <code>SecurityException</code> if the
...
...
src/share/classes/java/net/Socket.java
...
...
@@ -272,7 +272,9 @@ class Socket implements java.io.Closeable {
* {@code zero} for a system selected free port.
* @exception IOException if an I/O error occurs when creating the socket.
* @exception SecurityException if a security manager exists and its
* {@code checkConnect} method doesn't allow the operation.
* {@code checkConnect} method doesn't allow the connection
* to the destination, or if its {@code checkListen} method
* doesn't allow the bind to the local port.
* @exception IllegalArgumentException if the port parameter or localPort
* parameter is outside the specified range of valid port values,
* which is between 0 and 65535, inclusive.
...
...
@@ -311,7 +313,9 @@ class Socket implements java.io.Closeable {
* {@code zero} for a system selected free port.
* @exception IOException if an I/O error occurs when creating the socket.
* @exception SecurityException if a security manager exists and its
* {@code checkConnect} method doesn't allow the operation.
* {@code checkConnect} method doesn't allow the connection
* to the destination, or if its {@code checkListen} method
* doesn't allow the bind to the local port.
* @exception IllegalArgumentException if the port parameter or localPort
* parameter is outside the specified range of valid port values,
* which is between 0 and 65535, inclusive.
...
...
@@ -609,6 +613,9 @@ class Socket implements java.io.Closeable {
* is already bound.
* @throws IllegalArgumentException if bindpoint is a
* SocketAddress subclass not supported by this socket
* @throws SecurityException if a security manager exists and its
* {@code checkListen} method doesn't allow the bind
* to the local port.
*
* @since 1.4
* @see #isBound
...
...
@@ -630,6 +637,10 @@ class Socket implements java.io.Closeable {
InetAddress
addr
=
epoint
.
getAddress
();
int
port
=
epoint
.
getPort
();
checkAddress
(
addr
,
"bind"
);
SecurityManager
security
=
System
.
getSecurityManager
();
if
(
security
!=
null
)
{
security
.
checkListen
(
port
);
}
getImpl
().
bind
(
addr
,
port
);
bound
=
true
;
}
...
...
src/share/classes/java/net/SocketPermission.java
...
...
@@ -34,6 +34,9 @@ import java.util.StringTokenizer;
import
java.net.InetAddress
;
import
java.security.Permission
;
import
java.security.PermissionCollection
;
import
java.security.PrivilegedAction
;
import
java.security.AccessController
;
import
java.security.Security
;
import
java.io.Serializable
;
import
java.io.ObjectStreamField
;
import
java.io.ObjectOutputStream
;
...
...
@@ -89,6 +92,9 @@ import sun.security.util.Debug;
* form "N-", where <i>N</i> is a port number, signifies all ports
* numbered <i>N</i> and above, while a specification of the
* form "-N" indicates all ports numbered <i>N</i> and below.
* The special port value {@code 0} refers to the entire <i>ephemeral</i>
* port range. This is a fixed range of ports a system may use to
* allocate dynamic ports from. The actual range may be system dependent.
* <p>
* The possible ways to connect to the host are
* <pre>
...
...
@@ -97,7 +103,8 @@ import sun.security.util.Debug;
* listen
* resolve
* </pre>
* The "listen" action is only meaningful when used with "localhost".
* The "listen" action is only meaningful when used with "localhost" and
* means the ability to bind to a specified port.
* The "resolve" action is implied when any of the other actions are present.
* The action "resolve" refers to host/ip name service lookups.
* <P>
...
...
@@ -176,6 +183,7 @@ public final class SocketPermission extends Permission
private
static
final
int
PORT_MIN
=
0
;
private
static
final
int
PORT_MAX
=
65535
;
private
static
final
int
PRIV_PORT_MAX
=
1023
;
private
static
final
int
DEF_EPH_LOW
=
49152
;
// the actions mask
private
transient
int
mask
;
...
...
@@ -226,6 +234,14 @@ public final class SocketPermission extends Permission
private
static
Debug
debug
=
null
;
private
static
boolean
debugInit
=
false
;
// ephemeral port range for this system
private
static
final
int
ephemeralLow
=
initEphemeralPorts
(
"low"
,
DEF_EPH_LOW
);
private
static
final
int
ephemeralHigh
=
initEphemeralPorts
(
"high"
,
PORT_MAX
);
static
{
Boolean
tmp
=
java
.
security
.
AccessController
.
doPrivileged
(
new
sun
.
security
.
action
.
GetBooleanAction
(
"sun.net.trustNameService"
));
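Review bot: The fallback passed for "low" in the ephemeralLow initializer is DEF_EPH_LOW (49152), while the java.security-linux and java.security-solaris files in this same commit ship 32768. If the security property is missing or unparsable on those platforms, a permission for port 0 silently stops covering 32768-49151. Either state in a comment that the fallback is deliberately the narrower value, or choose the default per platform.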
...
...
@@ -359,6 +375,14 @@ public final class SocketPermission extends Permission
}
}
/**
* Returns true if the permission has specified zero
* as its value (or lower bound) signifying the ephemeral range
*/
private
boolean
includesEphemerals
()
{
return
portrange
[
0
]
==
0
;
}
/**
* Initialize the SocketPermission object. We don't do any DNS lookups
* as this point, instead we hold off until the implies method is
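Review bot: includesEphemerals() keys only on portrange[0] == 0, so any permission whose lower bound is 0 is treated as naming the ephemeral range, not just the literal port "0". Since PORT_MIN is also 0, a range written in the "-N" form would take this path too if it parses to a lower bound of PORT_MIN, and inRange() would then accept ephemeral ports for it. Please confirm that this is intended and say so in the class javadoc next to the new "special port value 0" paragraph.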
...
...
@@ -850,12 +874,23 @@ public final class SocketPermission extends Permission
int
i
,
j
;
if
((
that
.
mask
&
RESOLVE
)
!=
that
.
mask
)
{
// check port range
// check simple port range
if
((
that
.
portrange
[
0
]
<
this
.
portrange
[
0
])
||
(
that
.
portrange
[
1
]
>
this
.
portrange
[
1
]))
{
// if either includes the ephemeral range, do full check
if
(
this
.
includesEphemerals
()
||
that
.
includesEphemerals
())
{
if
(!
inRange
(
this
.
portrange
[
0
],
this
.
portrange
[
1
],
that
.
portrange
[
0
],
that
.
portrange
[
1
]))
{
return
false
;
}
}
else
{
return
false
;
}
}
}
// allow a "*" wildcard to always match anything
if
(
this
.
wildcard
&&
""
.
equals
(
this
.
cname
))
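Review bot: The new ephemeral branch in implies() covers several distinct cases (policy "0", policy "0-N", policy "N-" against a target of 0, and an explicit target port against a policy of 0), and none of the 16 changed files is a test. Please add a regression test that pins the expected implies() result for each case with jdk.net.ephemeralPortRange.low and .high set to known values. The nested if/else that returns false in two places could also be collapsed into a single condition.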
...
...
@@ -1168,6 +1203,83 @@ public final class SocketPermission extends Permission
init
(
getName
(),
getMask
(
actions
));
}
/**
* Check the system/security property for the ephemeral port range
* for this system. The suffix is either "high" or "low"
*/
private
static
int
initEphemeralPorts
(
String
suffix
,
int
defval
)
{
return
AccessController
.
doPrivileged
(
new
PrivilegedAction
<
Integer
>(){
public
Integer
run
()
{
int
val
=
Integer
.
getInteger
(
"jdk.net.ephemeralPortRange."
+
suffix
,
-
1
);
if
(
val
!=
-
1
)
{
return
val
;
}
else
{
String
prop
=
Security
.
getProperty
(
"network.ephemeralPortRange."
+
suffix
);
try
{
val
=
Integer
.
parseInt
(
prop
);
}
catch
(
NumberFormatException
e
)
{
// shouldn't happen
return
defval
;
}
}
return
val
;
}
}
);
}
/**
* Check if the target range is within the policy range
* together with the ephemeral range for this platform
* (if policy includes ephemeral range)
*/
private
static
boolean
inRange
(
int
policyLow
,
int
policyHigh
,
int
targetLow
,
int
targetHigh
)
{
if
(
targetLow
==
0
)
{
// check policy includes ephemeral range
if
(!
inRange
(
policyLow
,
policyHigh
,
ephemeralLow
,
ephemeralHigh
))
{
return
false
;
}
if
(
targetHigh
==
0
)
{
// nothing left to do
return
true
;
}
// continue check with first real port number
targetLow
=
1
;
}
if
(
policyLow
==
0
&&
policyHigh
==
0
)
{
// ephemeral range only
return
targetLow
>=
ephemeralLow
&&
targetHigh
<=
ephemeralHigh
;
}
if
(
policyLow
!=
0
)
{
// simple check of policy only
return
targetLow
>=
policyLow
&&
targetHigh
<=
policyHigh
;
}
// policyLow == 0 which means possibly two ranges to check
// first check if policy and ephem range overlap/contiguous
if
(
policyHigh
>=
ephemeralLow
-
1
)
{
return
targetHigh
<=
ephemeralHigh
;
}
// policy and ephem range do not overlap
// target range must lie entirely inside policy range or eph range
return
(
targetLow
<=
policyHigh
&&
targetHigh
<=
policyHigh
)
||
(
targetLow
>=
ephemeralLow
&&
targetHigh
<=
ephemeralHigh
);
}
/*
public String toString()
{
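Review bot: initEphemeralPorts() returns whatever Integer.getInteger or Integer.parseInt yields without validation, so a value outside 0-65535, or a low greater than high, flows straight into inRange(). Fall back to defval when the value lies outside PORT_MIN..PORT_MAX, and check low <= high once both have been read. The "shouldn't happen" catch is also the path taken when the security property is absent, so the comment should say that. In the last return of inRange(), targetLow <= policyHigh is redundant next to targetHigh <= policyHigh as long as targetLow <= targetHigh.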
...
...
src/share/classes/java/nio/channels/AsynchronousSocketChannel.java
...
...
@@ -200,6 +200,10 @@ public abstract class AsynchronousSocketChannel
* @throws UnsupportedAddressTypeException {@inheritDoc}
* @throws ClosedChannelException {@inheritDoc}
* @throws IOException {@inheritDoc}
* @throws SecurityException
* If a security manager has been installed and its
* {@link SecurityManager#checkListen checkListen} method denies
* the operation
*/
@Override
public
abstract
AsynchronousSocketChannel
bind
(
SocketAddress
local
)
...
...
src/share/classes/java/nio/channels/SocketChannel.java
...
...
@@ -227,6 +227,10 @@ public abstract class SocketChannel
* @throws UnsupportedAddressTypeException {@inheritDoc}
* @throws ClosedChannelException {@inheritDoc}
* @throws IOException {@inheritDoc}
* @throws SecurityException
* If a security manager has been installed and its
* {@link SecurityManager#checkListen checkListen} method denies
* the operation
*
* @since 1.7
*/
...
...
src/share/classes/sun/nio/ch/AsynchronousSocketChannelImpl.java
...
...
@@ -428,6 +428,10 @@ abstract class AsynchronousSocketChannelImpl
throw
new
AlreadyBoundException
();
InetSocketAddress
isa
=
(
local
==
null
)
?
new
InetSocketAddress
(
0
)
:
Net
.
checkAddress
(
local
);
SecurityManager
sm
=
System
.
getSecurityManager
();
if
(
sm
!=
null
)
{
sm
.
checkListen
(
isa
.
getPort
());
}
NetHooks
.
beforeTcpBind
(
fd
,
isa
.
getAddress
(),
isa
.
getPort
());
Net
.
bind
(
fd
,
isa
.
getAddress
(),
isa
.
getPort
());
localAddress
=
Net
.
localAddress
(
fd
);
...
...
src/share/classes/sun/nio/ch/SocketChannelImpl.java
...
...
@@ -572,6 +572,10 @@ class SocketChannelImpl
throw
new
AlreadyBoundException
();
InetSocketAddress
isa
=
(
local
==
null
)
?
new
InetSocketAddress
(
0
)
:
Net
.
checkAddress
(
local
);
SecurityManager
sm
=
System
.
getSecurityManager
();
if
(
sm
!=
null
)
{
sm
.
checkListen
(
isa
.
getPort
());
}
NetHooks
.
beforeTcpBind
(
fd
,
isa
.
getAddress
(),
isa
.
getPort
());
Net
.
bind
(
fd
,
isa
.
getAddress
(),
isa
.
getPort
());
localAddress
=
Net
.
localAddress
(
fd
);
...
...
src/share/classes/sun/rmi/registry/RegistryImpl.java
...
...
@@ -94,8 +94,23 @@ public class RegistryImpl extends java.rmi.server.RemoteServer
RMIServerSocketFactory
ssf
)
throws
RemoteException
{
if
(
port
==
Registry
.
REGISTRY_PORT
&&
System
.
getSecurityManager
()
!=
null
)
{
// grant permission for default port only.
try
{
AccessController
.
doPrivileged
(
new
PrivilegedExceptionAction
<
Void
>()
{
public
Void
run
()
throws
RemoteException
{
LiveRef
lref
=
new
LiveRef
(
id
,
port
,
csf
,
ssf
);
setup
(
new
UnicastServerRef2
(
lref
));
return
null
;
}
},
null
,
new
SocketPermission
(
"localhost:"
+
port
,
"listen,accept"
));
}
catch
(
PrivilegedActionException
pae
)
{
throw
(
RemoteException
)
pae
.
getException
();
}
}
else
{
LiveRef
lref
=
new
LiveRef
(
id
,
port
,
csf
,
ssf
);
setup
(
new
UnicastServerRef2
(
lref
));
}
}
/**
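Review bot: Both branches of the constructor repeat the same LiveRef/setup pair, and the comment "grant permission for default port only" does not say why the default port needs a grant at all. Move the two statements into a private helper called from both branches, and expand the comment to explain that the limited doPrivileged is needed because the default policy in this commit no longer grants listen on "localhost:1024-".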
...
...
@@ -352,7 +367,7 @@ public class RegistryImpl extends java.rmi.server.RemoteServer
public
RegistryImpl
run
()
throws
RemoteException
{
return
new
RegistryImpl
(
regPort
);
}
},
getAccessControlContext
());
},
getAccessControlContext
(
regPort
));
}
catch
(
PrivilegedActionException
ex
)
{
throw
(
RemoteException
)
ex
.
getException
();
}
...
...
@@ -382,7 +397,7 @@ public class RegistryImpl extends java.rmi.server.RemoteServer
* The approach used here is taken from the similar method
* getAccessControlContext() in the sun.applet.AppletPanel class.
*/
private
static
AccessControlContext
getAccessControlContext
()
{
private
static
AccessControlContext
getAccessControlContext
(
int
port
)
{
// begin with permissions granted to all code in current policy
PermissionCollection
perms
=
AccessController
.
doPrivileged
(
new
java
.
security
.
PrivilegedAction
<
PermissionCollection
>()
{
...
...
@@ -404,6 +419,7 @@ public class RegistryImpl extends java.rmi.server.RemoteServer
* related classes themselves are more tightly limited by RMI.
*/
perms
.
add
(
new
SocketPermission
(
"*"
,
"connect,accept"
));
perms
.
add
(
new
SocketPermission
(
"localhost:"
+
port
,
"listen,accept"
));
perms
.
add
(
new
RuntimePermission
(
"accessClassInPackage.sun.jvmstat.*"
));
perms
.
add
(
new
RuntimePermission
(
"accessClassInPackage.sun.jvm.hotspot.*"
));
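Review bot: The added SocketPermission("localhost:"+port, "listen,accept") repeats "accept", which the line above already grants for every host through SocketPermission("*", "connect,accept"). Granting only "listen" here would keep the added permission to exactly what the change needs.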
...
...
src/share/classes/sun/security/util/SecurityConstants.java
...
...
@@ -222,5 +222,5 @@ public final class SecurityConstants {
// java.lang.SecurityManager
public
static
final
SocketPermission
LOCAL_LISTEN_PERMISSION
=
new
SocketPermission
(
"localhost:
1024-
"
,
SOCKET_LISTEN_ACTION
);
new
SocketPermission
(
"localhost:
0
"
,
SOCKET_LISTEN_ACTION
);
}
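Review bot: LOCAL_LISTEN_PERMISSION still sits under the "// java.lang.SecurityManager" comment, but the SecurityManager.checkListen hunk in this commit appears to drop the port == 0 branch that used it. If no other caller remains, remove the constant; otherwise update the comment to name the remaining users and note that "localhost:0" now means the ephemeral range.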
src/share/lib/security/java.policy
...
...
@@ -19,8 +19,8 @@ grant {
// information.
permission java.lang.RuntimePermission "stopThread";
// allows anyone to listen on un-privileged
ports
permission java.net.SocketPermission "localhost:1024-
", "listen";
// allows anyone to listen on dynamic
ports
permission java.net.SocketPermission "localhost:0
", "listen";
// "standard" properies that can be read by anyone
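Review bot: Narrowing the default grant from "localhost:1024-" to "localhost:0" means code running under the default policy can no longer listen on a fixed unprivileged port, only on a system-chosen one. That is a compatibility change for existing applets and applications and needs a release note. The new comment "allows anyone to listen on dynamic ports" should also say that the range behind port 0 comes from the network.ephemeralPortRange.* security properties.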
...
...
src/share/lib/security/java.security-linux
...
...
@@ -497,3 +497,19 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# Example:
# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
#
# Default ephemeral port ranges (operating system specific)
# used by java.net.SocketPermission to interpret the meaning of the special
# port value zero, as in the following example:
#
# SocketPermission("localhost:0" , "listen");
#
# These can be overridden by the system properties:
#
# jdk.net.ephemeralPortRange.low and
# jdk.net.ephemeralPortRange.high
#
# respectively.
#
network.ephemeralPortRange.low=32768
network.ephemeralPortRange.high=65535
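Review bot: The shipped 32768-65535 is a fixed value, while on Linux the kernel's local port range is tunable (net.ipv4.ip_local_port_range), so the two can drift apart. The comment block should tell administrators that these properties have to be kept in line with the operating system setting, and should state that low must not exceed high and that both must lie within 0-65535. The same wording applies to the other three platform files.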
src/share/lib/security/java.security-macosx
...
...
@@ -498,3 +498,21 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# Example:
# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
#
# Default ephemeral port ranges (operating system specific)
# used by java.net.SocketPermission to interpret the meaning of the special
# port value zero, as in the following example:
#
# SocketPermission("localhost:0" , "listen");
#
# These can be overridden by the system properties:
#
# jdk.net.ephemeralPortRange.low and
# jdk.net.ephemeralPortRange.high
#
# respectively.
#
network.ephemeralPortRange.low=49152
network.ephemeralPortRange.high=65535
src/share/lib/security/java.security-solaris
...
...
@@ -497,3 +497,20 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# Example:
# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
#
# Default ephemeral port ranges (operating system specific)
# used by java.net.SocketPermission to interpret the meaning of the special
# port value zero, as in the following example:
#
# SocketPermission("localhost:0" , "listen");
#
# These can be overridden by the system properties:
#
# jdk.net.ephemeralPortRange.low and
# jdk.net.ephemeralPortRange.high
#
# respectively.
#
network.ephemeralPortRange.low=32768
network.ephemeralPortRange.high=65535
src/share/lib/security/java.security-windows
...
...
@@ -498,3 +498,19 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# Example:
# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
#
# Default ephemeral port ranges (operating system specific)
# used by java.net.SocketPermission to interpret the meaning of the special
# port value zero, as in the following example:
#
# SocketPermission("localhost:0" , "listen");
#
# These can be overridden by the system properties:
#
# jdk.net.ephemeralPortRange.low and
# jdk.net.ephemeralPortRange.high
#
# respectively.
#
network.ephemeralPortRange.low=49152
network.ephemeralPortRange.high=65535
src/solaris/classes/sun/nio/ch/sctp/SctpChannelImpl.java
...
...
@@ -187,6 +187,10 @@ public class SctpChannelImpl extends SctpChannel
SctpNet
.
throwAlreadyBoundException
();
InetSocketAddress
isa
=
(
local
==
null
)
?
new
InetSocketAddress
(
0
)
:
Net
.
checkAddress
(
local
);
SecurityManager
sm
=
System
.
getSecurityManager
();
if
(
sm
!=
null
)
{
sm
.
checkListen
(
isa
.
getPort
());
}
Net
.
bind
(
fd
,
isa
.
getAddress
(),
isa
.
getPort
());
InetSocketAddress
boundIsa
=
Net
.
localAddress
(
fd
);
port
=
boundIsa
.
getPort
();
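Review bot: This is the third copy of the same four-line sm.checkListen(isa.getPort()) block, after AsynchronousSocketChannelImpl and SocketChannelImpl. A small static helper next to Net.checkAddress, taking the InetSocketAddress, would keep the three bind paths from diverging if the check ever changes.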
...
...