8366866: SslRMIClientSocketFactory#createSocket lacking priviledges (securitymanger)

src/java.rmi/share/classes/javax/rmi/ssl/SslRMIClientSocketFactory.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2025, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2026, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,8 @@
 import java.io.Serializable;
 import java.net.Socket;
 import java.rmi.server.RMIClientSocketFactory;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.StringTokenizer;
 import javax.net.SocketFactory;
 import javax.net.ssl.SSLParameters;
@@ -121,8 +123,12 @@ public Socket createSocket(String host, int port) throws IOException {
         final SSLSocket sslSocket = (SSLSocket)
             sslSocketFactory.createSocket(host, port);
 
-        if (Boolean.parseBoolean(
-                System.getProperty("jdk.rmi.ssl.client.enableEndpointIdentification", "true"))) {
+        @SuppressWarnings("removal")
+        final String enableEndpointIdentification =
+            AccessController.doPrivileged((PrivilegedAction<String>) () ->
+                    System.getProperty("jdk.rmi.ssl.client.enableEndpointIdentification", "true"));
+
+        if (Boolean.parseBoolean(enableEndpointIdentification)) {
             SSLParameters params = sslSocket.getSSLParameters();
             if (params == null) {
                 params = new SSLParameters();
@@ -132,8 +138,10 @@ public Socket createSocket(String host, int port) throws IOException {
         }
         // Set the SSLSocket Enabled Cipher Suites
         //
+        @SuppressWarnings("removal")
         final String enabledCipherSuites =
-            System.getProperty("javax.rmi.ssl.client.enabledCipherSuites");
+            AccessController.doPrivileged((PrivilegedAction<String>) () ->
+                System.getProperty("javax.rmi.ssl.client.enabledCipherSuites"));
         if (enabledCipherSuites != null) {
             StringTokenizer st = new StringTokenizer(enabledCipherSuites, ",");
             int tokens = st.countTokens();
@@ -149,8 +157,10 @@ public Socket createSocket(String host, int port) throws IOException {
         }
         // Set the SSLSocket Enabled Protocols
         //
+        @SuppressWarnings("removal")
         final String enabledProtocols =
-            System.getProperty("javax.rmi.ssl.client.enabledProtocols");
+            AccessController.doPrivileged((PrivilegedAction<String>) () ->
+                System.getProperty("javax.rmi.ssl.client.enabledProtocols"));
         if (enabledProtocols != null) {
             StringTokenizer st = new StringTokenizer(enabledProtocols, ",");
             int tokens = st.countTokens();

test/jdk/javax/rmi/ssl/SslRMIClientSocketFactory.policy

@@ -0,0 +1,4 @@
+grant {
+    permission java.lang.RuntimePermission "setSecurityManager";
+    permission java.net.SocketPermission "", "connect,listen,resolve";
+};

test/jdk/javax/rmi/ssl/SslRMIClientSocketFactoryPermissionTest.java

@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2026 SAP SE. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8366866
+ * @summary Tests that SslRMIClientSocketFactory.createSocket() uses doPrivileged() when needed.
+ * @author Ralf Schmelter
+ * @run main/othervm/policy=SslRMIClientSocketFactory.policy SslRMIClientSocketFactoryPermissionTest
+ */
+
+import java.io.IOException;
+import java.net.ServerSocket;
+import java.net.Socket;
+
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.rmi.ssl.SslRMIClientSocketFactory;
+
+public class SslRMIClientSocketFactoryPermissionTest {
+
+    public static void main(String[] args) throws IOException {
+        try (ServerSocket server = SSLServerSocketFactory.getDefault().createServerSocket(0)) {
+            SslRMIClientSocketFactory factory = new SslRMIClientSocketFactory();
+            try (Socket socket = factory.createSocket("localhost", server.getLocalPort())) {
+                // Should not throw AccessControlException.
+            }
+        }
+    }
+}