diff --git a/src/java.rmi/share/classes/javax/rmi/ssl/SslRMIClientSocketFactory.java b/src/java.rmi/share/classes/javax/rmi/ssl/SslRMIClientSocketFactory.java index a4475c8bd1e..eb7de92fe20 100644 --- a/src/java.rmi/share/classes/javax/rmi/ssl/SslRMIClientSocketFactory.java +++ b/src/java.rmi/share/classes/javax/rmi/ssl/SslRMIClientSocketFactory.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2025, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2026, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -29,6 +29,8 @@ import java.io.Serializable; import java.net.Socket; import java.rmi.server.RMIClientSocketFactory; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.StringTokenizer; import javax.net.SocketFactory; import javax.net.ssl.SSLParameters; @@ -121,8 +123,12 @@ public Socket createSocket(String host, int port) throws IOException { final SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket(host, port); - if (Boolean.parseBoolean( - System.getProperty("jdk.rmi.ssl.client.enableEndpointIdentification", "true"))) { + @SuppressWarnings("removal") + final String enableEndpointIdentification = + AccessController.doPrivileged((PrivilegedAction) () -> + System.getProperty("jdk.rmi.ssl.client.enableEndpointIdentification", "true")); + + if (Boolean.parseBoolean(enableEndpointIdentification)) { SSLParameters params = sslSocket.getSSLParameters(); if (params == null) { params = new SSLParameters(); @@ -132,8 +138,10 @@ public Socket createSocket(String host, int port) throws IOException { } // Set the SSLSocket Enabled Cipher Suites // + @SuppressWarnings("removal") final String enabledCipherSuites = - System.getProperty("javax.rmi.ssl.client.enabledCipherSuites"); + AccessController.doPrivileged((PrivilegedAction) () -> + System.getProperty("javax.rmi.ssl.client.enabledCipherSuites")); if (enabledCipherSuites != null) { StringTokenizer st = new StringTokenizer(enabledCipherSuites, ","); int tokens = st.countTokens(); @@ -149,8 +157,10 @@ public Socket createSocket(String host, int port) throws IOException { } // Set the SSLSocket Enabled Protocols // + @SuppressWarnings("removal") final String enabledProtocols = - System.getProperty("javax.rmi.ssl.client.enabledProtocols"); + AccessController.doPrivileged((PrivilegedAction) () -> + System.getProperty("javax.rmi.ssl.client.enabledProtocols")); if (enabledProtocols != null) { StringTokenizer st = new StringTokenizer(enabledProtocols, ","); int tokens = st.countTokens(); diff --git a/test/jdk/javax/rmi/ssl/SslRMIClientSocketFactory.policy b/test/jdk/javax/rmi/ssl/SslRMIClientSocketFactory.policy new file mode 100644 index 00000000000..00c576a9b10 --- /dev/null +++ b/test/jdk/javax/rmi/ssl/SslRMIClientSocketFactory.policy @@ -0,0 +1,4 @@ +grant { + permission java.lang.RuntimePermission "setSecurityManager"; + permission java.net.SocketPermission "", "connect,listen,resolve"; +}; diff --git a/test/jdk/javax/rmi/ssl/SslRMIClientSocketFactoryPermissionTest.java b/test/jdk/javax/rmi/ssl/SslRMIClientSocketFactoryPermissionTest.java new file mode 100644 index 00000000000..2d3ce0ced43 --- /dev/null +++ b/test/jdk/javax/rmi/ssl/SslRMIClientSocketFactoryPermissionTest.java @@ -0,0 +1,49 @@ +/* + * Copyright (c) 2026 SAP SE. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8366866 + * @summary Tests that SslRMIClientSocketFactory.createSocket() uses doPrivileged() when needed. + * @author Ralf Schmelter + * @run main/othervm/policy=SslRMIClientSocketFactory.policy SslRMIClientSocketFactoryPermissionTest + */ + +import java.io.IOException; +import java.net.ServerSocket; +import java.net.Socket; + +import javax.net.ssl.SSLServerSocketFactory; +import javax.rmi.ssl.SslRMIClientSocketFactory; + +public class SslRMIClientSocketFactoryPermissionTest { + + public static void main(String[] args) throws IOException { + try (ServerSocket server = SSLServerSocketFactory.getDefault().createServerSocket(0)) { + SslRMIClientSocketFactory factory = new SslRMIClientSocketFactory(); + try (Socket socket = factory.createSocket("localhost", server.getLocalPort())) { + // Should not throw AccessControlException. + } + } + } +}