8230946: Clarify security manager behaviour of a connected DatagramSocket and DatagramChannel
authorpconcannon
Tue, 08 Oct 2019 14:56:46 +0100
changeset 58501 6fc4a729763e
parent 58500 03165abce4cc
child 58502 7cb1218ef4d0
8230946: Clarify security manager behaviour of a connected DatagramSocket and DatagramChannel Summary: Update to API, to clarify that packets are dropped in the receive method of non-connected sockets if they fail the security manager checks Reviewed-by: alanb, chegar, dfuchs
src/java.base/share/classes/java/net/DatagramSocket.java
src/java.base/share/classes/java/nio/channels/DatagramChannel.java
--- a/src/java.base/share/classes/java/net/DatagramSocket.java	Tue Oct 08 15:43:38 2019 +0200
+++ b/src/java.base/share/classes/java/net/DatagramSocket.java	Tue Oct 08 14:56:46 2019 +0100
@@ -434,14 +434,15 @@
      * verify that datagrams are permitted to be sent and received
      * respectively.
      *
-     * <p> When a socket is connected, {@link #receive receive} and
-     * {@link #send send} <b>will not perform any security checks</b>
-     * on incoming and outgoing packets, other than matching the packet's
-     * and the socket's address and port. On a send operation, if the
-     * packet's address is set and the packet's address and the socket's
-     * address do not match, an {@code IllegalArgumentException} will be
-     * thrown. A socket connected to a multicast address may only be used
-     * to send packets.
+     * <p> Care should be taken to ensure that a connected datagram socket
+     * is not shared with untrusted code. When a socket is connected,
+     * {@link #receive receive} and {@link #send send} <b>will not perform
+     * any security checks</b> on incoming and outgoing packets, other than
+     * matching the packet's and the socket's address and port. On a send
+     * operation, if the packet's address is set and the packet's address
+     * and the socket's address do not match, an {@code IllegalArgumentException}
+     * will be thrown. A socket connected to a multicast address may only
+     * be used to send packets.
      *
      * @param address the remote address for the socket
      *
@@ -708,9 +709,11 @@
      * the length of the received message. If the message is longer than
      * the packet's length, the message is truncated.
      * <p>
-     * If there is a security manager, a packet cannot be received if the
-     * security manager's {@code checkAccept} method
-     * does not allow it.
+     * If there is a security manager, and the socket is not currently
+     * connected to a remote address, a packet cannot be received if the
+     * security manager's {@code checkAccept} method does not allow it.
+     * Datagrams that are not permitted by the security manager are silently
+     * discarded.
      *
      * @param      p   the {@code DatagramPacket} into which to place
      *                 the incoming data.
--- a/src/java.base/share/classes/java/nio/channels/DatagramChannel.java	Tue Oct 08 15:43:38 2019 +0200
+++ b/src/java.base/share/classes/java/nio/channels/DatagramChannel.java	Tue Oct 08 14:56:46 2019 +0100
@@ -265,7 +265,10 @@
      * java.lang.SecurityManager#checkAccept checkAccept} and {@link
      * java.lang.SecurityManager#checkConnect checkConnect} methods permit
      * datagrams to be received from and sent to, respectively, the given
-     * remote address.
+     * remote address. Once connected, no further security checks are performed
+     * for datagrams received from, or sent to, the given remote address. Care
+     * should be taken to ensure that a connected datagram channel is not shared
+     * with untrusted code.
      *
      * <p> This method may be invoked at any time.  It will not have any effect
      * on read or write operations that are already in progress at the moment
@@ -369,9 +372,10 @@
      * to a specific remote address and a security manager has been installed
      * then for each datagram received this method verifies that the source's
      * address and port number are permitted by the security manager's {@link
-     * java.lang.SecurityManager#checkAccept checkAccept} method.  The overhead
-     * of this security check can be avoided by first connecting the socket via
-     * the {@link #connect connect} method.
+     * java.lang.SecurityManager#checkAccept checkAccept} method. Datagrams
+     * that are not permitted by the security manager are silently discarded.
+     * The overhead of this security check can be avoided by first connecting
+     * the socket via the {@link #connect connect} method.
      *
      * <p> This method may be invoked at any time.  If another thread has
      * already initiated a read operation upon this channel, however, then an
@@ -401,11 +405,6 @@
      *          closing the channel and setting the current thread's
      *          interrupt status
      *
-     * @throws  SecurityException
-     *          If a security manager has been installed
-     *          and it does not permit datagrams to be accepted
-     *          from the datagram's sender
-     *
      * @throws  IOException
      *          If some other I/O error occurs
      */