8352728: InternalError loading java.security due to Windows parent folder permissions

franferrax · franferrax · commit 308479dd767e · 2025-04-09T19:13:55.000+02:00
diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
@@ -265,13 +265,19 @@ static void loadInclude(String propFile) {
         private static void loadFromPath(Path path, LoadingMode mode)
                 throws IOException {
             boolean isRegularFile = Files.isRegularFile(path);
-            if (isRegularFile) {
-                path = path.toRealPath();
-            } else if (Files.isDirectory(path)) {
+            if (!isRegularFile && Files.isDirectory(path)) {
                 throw new IOException("Is a directory");
-            } else {
-                path = path.toAbsolutePath();
             }
+            // For path canonicalization, we prefer
+            // java.io.File::getCanonicalPath over
+            // java.nio.file.Path::toRealPath because of the following reasons:
+            //   1. In Windows, File::getCanonicalPath handles restricted
+            //      permissions in parent directories. Contrarily,
+            //      Path::toRealPath fails with AccessDeniedException.
+            //   2. In Linux, File::getCanonicalPath handles non-regular files
+            //      (e.g. /dev/stdin). Contrarily, Path::toRealPath fails with
+            //      NoSuchFileException.
+            path = Path.of(path.toFile().getCanonicalPath());
             if (activePaths.contains(path)) {
                 throw new InternalError("Cyclic include of '" + path + "'");
             }
diff --git a/test/jdk/java/security/Security/ConfigFileTestDirPermissions.java b/test/jdk/java/security/Security/ConfigFileTestDirPermissions.java
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 2025, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import jdk.test.lib.process.ProcessTools;
+import jdk.test.lib.util.FileUtils;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.attribute.AclEntry;
+import java.nio.file.attribute.AclEntryType;
+import java.nio.file.attribute.AclFileAttributeView;
+import java.util.List;
+
+/*
+ * @test
+ * @summary Ensures java.security is loadable in Windows, even when the user
+ * does not have permissions on one of the parent directories.
+ * @bug 8352728
+ * @requires os.family == "windows"
+ * @library /test/lib
+ * @run main ConfigFileTestDirPermissions
+ */
+
+public class ConfigFileTestDirPermissions {
+    public static void main(String[] args) throws Exception {
+        Path temp = Files.createTempDirectory("JDK-8352728-tmp-");
+        try {
+            // Copy the jdk to a different directory
+            Path originalJdk = Path.of(System.getProperty("test.jdk"));
+            Path jdk = temp.resolve("jdk-parent-dir", "jdk");
+            Files.createDirectories(jdk);
+            FileUtils.copyDirectory(originalJdk, jdk);
+
+            // Remove current user permissions from jdk-parent-dir
+            Path parent = jdk.getParent();
+            AclFileAttributeView view = Files.getFileAttributeView(parent,
+                    AclFileAttributeView.class);
+            List<AclEntry> originalAcl = List.copyOf(view.getAcl());
+            view.setAcl(List.of(AclEntry.newBuilder().setType(AclEntryType.DENY)
+                    .setPrincipal(Files.getOwner(parent)).build()));
+
+            try {
+                // Make sure the permissions are affecting the current user
+                try {
+                    jdk.toRealPath();
+                    throw new jtreg.SkippedException("Must run non-elevated!");
+                } catch (IOException expected) { }
+
+                // Execute the copied jdk, ensuring java.security.Security is
+                // loaded (i.e. use -XshowSettings:security:properties)
+                ProcessTools.executeProcess(new ProcessBuilder(
+                        List.of(jdk.resolve("bin", "java.exe").toString(),
+                                "-Djava.security.debug=properties",
+                                "-XshowSettings:security:properties",
+                                "-version"))).shouldHaveExitValue(0);
+            } finally {
+                view.setAcl(originalAcl);
+            }
+        } finally {
+            FileUtils.deleteFileTreeUnchecked(temp);
+        }
+
+        System.out.println("TEST PASS - OK");
+    }
+}
