Loaded JARs require an additional read permissions on the main java when used with a SecurityManager

[philwebb]

See #21073 (comment)

---

Hello!
With 2.2.7 we now face a problem with the security manager enabled (OpenJDK 11). It seems loaded JARs now need to have additional read permissions on the boot jar. Our situation is the following:

We have 3 modules:

1. The Spring Boot app (spring-boot-app.jar)
2. API (api.jar)
3. Plugin (plugin.jar)

The final BOOT JAR (spring-boot-app.jar) contains the Spring Boot app as well as the API (api.jar). The plugin (plugin.jar) is a separate JAR that gets loaded during runtime. It also has a dependency on the API (api.jar). From 2.2.7, the loaded plugin from outside the Spring Boot app now requires permissions to read the BOOT JAR (spring-boot-app.jar):

java.security.AccessControlException: access denied ("java.io.FilePermission" "/spring-boot-app.jar" "read")
        at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
        at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
        at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:661)
        at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:236)
        at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:177)
        at java.base/java.util.jar.JarFile.<init>(JarFile.java:348)
        at java.base/java.util.jar.JarFile.<init>(JarFile.java:319)
        at java.base/java.util.jar.JarFile.<init>(JarFile.java:285)
        at org.springframework.boot.loader.jar.JarFile.<init>(JarFile.java:113)
        at org.springframework.boot.loader.jar.JarURLConnection.get(JarURLConnection.java:269)
        at org.springframework.boot.loader.jar.Handler.openConnection(Handler.java:81)
        at java.base/java.net.URL.openConnection(URL.java:1074)
        at org.springframework.boot.loader.LaunchedURLClassLoader.lambda$definePackage$0(LaunchedURLClassLoader.java:134)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at org.springframework.boot.loader.LaunchedURLClassLoader.definePackage(LaunchedURLClassLoader.java:129)
        at org.springframework.boot.loader.LaunchedURLClassLoader.definePackageIfNecessary(LaunchedURLClassLoader.java:111)
        at org.springframework.boot.loader.LaunchedURLClassLoader.loadClass(LaunchedURLClassLoader.java:81)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:576)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
        ....

grant codeBase "file:/plugin.jar" {
    permission java.net.SocketPermission "*","connect,resolve";
    permission java.net.URLPermission "http:*","*:*";
    permission java.net.URLPermission "https:*","*:*";
};


grant codeBase "file:/spring-boot-app.jar" {
    permission java.security.AllPermission;
};

We couldn't find the root cause but suspect this commit since we could narrow this behavior down to v2.2.7. We fixed this by providing the file permission to plugin.jar:

grant codeBase "file:/plugin.jar" {
    permission java.io.FilePermission "/spring-boot-app.jar","read";
};
...

It would be nice if one of you could have a look if that is a bug or the new intended behavior. We just wanted to drop a short comment about this problem we face since it took us a long time to track it down.

Best regards,
David

[wilkinsona]

Given that SecurityManager has been deprecated for removal in Java 17, I wonder if it's worth spending time on this. The benefit will be relatively short-lived as I would hope that the deprecation is taken as a signal to move away from relying on the security manager, even when using older JVMs.

[snicoll]

I was about to write a similar comment so +1 for closing this one.

[bclozel]

Given the previous comments and the lack of demand for this, we're closing this issue.