Remove SecurityManager support

Closes gh-28213
pull/28862/head
Andy Wilkinson 3 years ago
parent 814c86c5e8
commit 99f33ede14

@ -1,5 +1,5 @@
/*
* Copyright 2012-2020 the original author or authors.
* Copyright 2012-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -16,7 +16,6 @@
package org.springframework.boot.autoconfigure.condition;
import java.security.AccessControlException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
@ -78,13 +77,8 @@ class OnClassCondition extends FilteringSpringBootCondition {
AutoConfigurationMetadata autoConfigurationMetadata) {
OutcomesResolver outcomesResolver = new StandardOutcomesResolver(autoConfigurationClasses, start, end,
autoConfigurationMetadata, getBeanClassLoader());
try {
return new ThreadedOutcomesResolver(outcomesResolver);
}
catch (AccessControlException ex) {
return outcomesResolver;
}
}
@Override
public ConditionOutcome getMatchOutcome(ConditionContext context, AnnotatedTypeMetadata metadata) {

@ -1,5 +1,5 @@
/*
* Copyright 2012-2019 the original author or authors.
* Copyright 2012-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -17,7 +17,6 @@
package org.springframework.boot.autoconfigure.web.servlet;
import java.io.File;
import java.security.AccessControlException;
import org.springframework.boot.autoconfigure.template.TemplateAvailabilityProvider;
import org.springframework.core.env.Environment;
@ -43,12 +42,8 @@ public class JspTemplateAvailabilityProvider implements TemplateAvailabilityProv
if (resourceLoader.getResource(resourceName).exists()) {
return true;
}
try {
return new File("src/main/webapp", resourceName).exists();
}
catch (AccessControlException ex) {
}
}
return false;
}

@ -1,5 +1,5 @@
/*
* Copyright 2012-2020 the original author or authors.
* Copyright 2012-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -23,8 +23,6 @@ import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
@ -124,12 +122,11 @@ public class ExtendedGroovyClassLoader extends GroovyClassLoader {
@Override
public ClassCollector createCollector(CompilationUnit unit, SourceUnit su) {
InnerLoader loader = AccessController.doPrivileged(getInnerLoader());
return new ExtendedClassCollector(loader, unit, su);
return new ExtendedClassCollector(getInnerLoader(), unit, su);
}
private PrivilegedAction<InnerLoader> getInnerLoader() {
return () -> new InnerLoader(ExtendedGroovyClassLoader.this) {
private InnerLoader getInnerLoader() {
return new InnerLoader(ExtendedGroovyClassLoader.this) {
// Don't return URLs from the inner loader so that Tomcat only
// searches the parent. Fixes 'TLD skipped' issues

@ -20,8 +20,6 @@ import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.Enumeration;
@ -125,7 +123,7 @@ public class RestartClassLoader extends URLClassLoader implements SmartClassLoad
if (file.getKind() == Kind.DELETED) {
return null;
}
return AccessController.doPrivileged((PrivilegedAction<URL>) () -> createFileUrl(name, file));
return createFileUrl(name, file);
}
@Override
@ -162,10 +160,8 @@ public class RestartClassLoader extends URLClassLoader implements SmartClassLoad
if (file.getKind() == Kind.DELETED) {
throw new ClassNotFoundException(name);
}
return AccessController.doPrivileged((PrivilegedAction<Class<?>>) () -> {
byte[] bytes = file.getContents();
return defineClass(name, bytes, 0, bytes.length);
});
}
@Override

@ -20,9 +20,9 @@ When your application starts, you should see something similar to the following
=========|_|==============|___/=/_/_/_/
:: Spring Boot :: v{spring-boot-version}
2021-02-03 10:33:25.224 INFO 17321 --- [ main] o.s.b.d.s.s.SpringApplicationExample : Starting SpringApplicationExample using Java 1.8.0_232 on mycomputer with PID 17321 (/apps/myjar.jar started by pwebb)
2021-02-03 10:33:25.224 INFO 17900 --- [ main] o.s.b.d.s.s.SpringApplicationExample : Starting SpringAppplicationExample using Java 17 on mycomputer with PID 17321 (/apps/myjar.jar started by pwebb)
2021-02-03 10:33:25.226 INFO 17900 --- [ main] o.s.b.d.s.s.SpringApplicationExample : No active profile set, falling back to default profiles: default
2021-02-03 10:33:26.046 INFO 17321 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8080 (http)
2021-02-03 10:33:26.046 INFO 17900 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8080 (http)
2021-02-03 10:33:26.054 INFO 17900 --- [ main] o.apache.catalina.core.StandardService : Starting service [Tomcat]
2021-02-03 10:33:26.055 INFO 17900 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.41]
2021-02-03 10:33:26.097 INFO 17900 --- [ main] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext

@ -1,6 +1,6 @@
[[getting-started.system-requirements]]
== System Requirements
Spring Boot {spring-boot-version} requires https://www.java.com[Java 8] and is compatible up to and including Java 17.
Spring Boot {spring-boot-version} requires https://www.java.com[Java 17].
{spring-framework-docs}/[Spring Framework {spring-framework-version}] or above is also required.
Explicit build support is provided for the following build tools:

@ -1,5 +1,5 @@
/*
* Copyright 2012-2020 the original author or authors.
* Copyright 2012-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -23,8 +23,6 @@ import java.net.JarURLConnection;
import java.net.URL;
import java.net.URLClassLoader;
import java.net.URLConnection;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import java.util.Enumeration;
import java.util.function.Supplier;
import java.util.jar.JarFile;
@ -213,8 +211,6 @@ public class LaunchedURLClassLoader extends URLClassLoader {
}
private void definePackage(String className, String packageName) {
try {
AccessController.doPrivileged((PrivilegedExceptionAction<Object>) () -> {
String packageEntryName = packageName.replace('.', '/') + "/";
String classEntryName = className.replace('.', '/') + ".class";
for (URL url : getURLs()) {
@ -225,7 +221,7 @@ public class LaunchedURLClassLoader extends URLClassLoader {
if (jarFile.getEntry(classEntryName) != null && jarFile.getEntry(packageEntryName) != null
&& jarFile.getManifest() != null) {
definePackage(packageName, jarFile.getManifest(), url);
return null;
return;
}
}
}
@ -233,12 +229,6 @@ public class LaunchedURLClassLoader extends URLClassLoader {
// Ignore
}
}
return null;
}, AccessController.getContext());
}
catch (java.security.PrivilegedActionException ex) {
// Ignore
}
}
@Override

@ -128,9 +128,7 @@ public class JarFile extends AbstractJarFile implements Iterable<java.util.jar.J
private JarFile(RandomAccessDataFile rootFile, String pathFromRoot, RandomAccessData data, JarEntryFilter filter,
JarFileType type, Supplier<Manifest> manifestSupplier) throws IOException {
super(rootFile.getFile());
if (System.getSecurityManager() == null) {
super.close();
}
this.rootFile = rootFile;
this.pathFromRoot = pathFromRoot;
CentralDirectoryParser parser = new CentralDirectoryParser();

@ -40,10 +40,8 @@ class JarFileWrapper extends AbstractJarFile {
JarFileWrapper(JarFile parent) throws IOException {
super(parent.getRootJarFile().getFile());
this.parent = parent;
if (System.getSecurityManager() == null) {
super.close();
}
}
@Override
URL getUrl() throws MalformedURLException {

@ -16,7 +16,6 @@
package org.springframework.boot;
import java.security.AccessControlException;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.LinkedHashSet;
@ -84,13 +83,8 @@ class SpringApplicationShutdownHook implements Runnable {
}
void addRuntimeShutdownHook() {
try {
Runtime.getRuntime().addShutdownHook(new Thread(this, "SpringApplicationShutdownHook"));
}
catch (AccessControlException ex) {
// Not allowed in some environments
}
}
@Override
public void run() {

@ -82,7 +82,6 @@ public class TomcatEmbeddedWebappClassLoader extends ParallelWebappClassLoader {
}
private Class<?> doLoadClass(String name) throws ClassNotFoundException {
checkPackageAccess(name);
if ((this.delegate || filter(name, true))) {
Class<?> result = loadFromParent(name);
return (result != null) ? result : findClassIgnoringNotFound(name);
@ -127,15 +126,4 @@ public class TomcatEmbeddedWebappClassLoader extends ParallelWebappClassLoader {
}
}
private void checkPackageAccess(String name) throws ClassNotFoundException {
if (this.securityManager != null && name.lastIndexOf('.') >= 0) {
try {
this.securityManager.checkPackageAccess(name.substring(0, name.lastIndexOf('.')));
}
catch (SecurityException ex) {
throw new ClassNotFoundException("Security Violation, attempt to use Restricted Class: " + name, ex);
}
}
}
}

Loading…
Cancel
Save