8191139: Remove deprecated javax.security.auth.Policy API
authorweijun
Thu, 08 Mar 2018 12:20:26 +0800
changeset 49150 a4a816f88e58
parent 49149 217780dff1bf
child 49151 a7d2f0dd9c1f
8191139: Remove deprecated javax.security.auth.Policy API Reviewed-by: mullan
src/java.base/share/classes/javax/security/auth/AuthPermission.java
src/java.base/share/classes/javax/security/auth/Policy.java
src/java.base/share/classes/javax/security/auth/SubjectDomainCombiner.java
src/java.base/share/classes/sun/security/provider/AuthPolicyFile.java
src/java.base/share/classes/sun/security/provider/PolicyFile.java
src/java.base/share/classes/sun/security/util/Resources.java
--- a/src/java.base/share/classes/javax/security/auth/AuthPermission.java	Thu Mar 08 11:44:43 2018 +0800
+++ b/src/java.base/share/classes/javax/security/auth/AuthPermission.java	Thu Mar 08 12:20:26 2018 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -32,7 +32,7 @@
  *
  * <p> The target name is the name of a security configuration parameter
  * (see below).  Currently the {@code AuthPermission} object is used to
- * guard access to the {@link Policy}, {@link Subject},
+ * guard access to the {@link Subject},
  * {@link javax.security.auth.login.LoginContext}, and
  * {@link javax.security.auth.login.Configuration} objects.
  *
@@ -121,21 +121,6 @@
  *                              {@code LoginContext}.
  * </pre>
  *
- * <p> {@code javax.security.auth.Policy} has been
- * deprecated in favor of {@code java.security.Policy}.
- * Therefore, the following target names have also been deprecated:
- *
- * <pre>
- *      getPolicy -             allow the caller to retrieve the system-wide
- *                              Subject-based access control policy.
- *
- *      setPolicy -             allow the caller to set the system-wide
- *                              Subject-based access control policy.
- *
- *      refreshPolicy -         allow the caller to refresh the system-wide
- *                              Subject-based access control policy.
- * </pre>
- *
  * @implNote
  * Implementations may define additional target names, but should use naming
  * conventions such as reverse domain name notation to avoid name clashes.
--- a/src/java.base/share/classes/javax/security/auth/Policy.java	Thu Mar 08 11:44:43 2018 +0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,356 +0,0 @@
-/*
- * Copyright (c) 1998, 2017, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package javax.security.auth;
-
-import java.security.Security;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
-import java.security.PrivilegedExceptionAction;
-import java.util.Objects;
-import sun.security.util.Debug;
-
-/**
- * <p> This is an abstract class for representing the system policy for
- * Subject-based authorization.  A subclass implementation
- * of this class provides a means to specify a Subject-based
- * access control {@code Policy}.
- *
- * <p> A {@code Policy} object can be queried for the set of
- * Permissions granted to code running as a
- * {@code Principal} in the following manner:
- *
- * <pre>
- *      policy = Policy.getPolicy();
- *      PermissionCollection perms = policy.getPermissions(subject,
- *                                                      codeSource);
- * </pre>
- *
- * The {@code Policy} object consults the local policy and returns
- * and appropriate {@code Permissions} object with the
- * Permissions granted to the Principals associated with the
- * provided {@code subject}, and granted to the code specified
- * by the provided {@code codeSource}.
- *
- * <p> A {@code Policy} contains the following information.
- * Note that this example only represents the syntax for the default
- * {@code Policy} implementation. Subclass implementations of this class
- * may implement alternative syntaxes and may retrieve the
- * {@code Policy} from any source such as files, databases,
- * or servers.
- *
- * <p> Each entry in the {@code Policy} is represented as
- * a <b><i>grant</i></b> entry.  Each <b><i>grant</i></b> entry
- * specifies a codebase, code signers, and Principals triplet,
- * as well as the Permissions granted to that triplet.
- *
- * <pre>
- *      grant CodeBase ["URL"], Signedby ["signers"],
- *            Principal [Principal_Class] "Principal_Name" {
- *          Permission Permission_Class ["Target_Name"]
- *                                      [, "Permission_Actions"]
- *                                      [, signedBy "SignerName"];
- *      };
- * </pre>
- *
- * The CodeBase and Signedby components of the triplet name/value pairs
- * are optional.  If they are not present, then any codebase will match,
- * and any signer (including unsigned code) will match.
- * For Example,
- *
- * <pre>
- *      grant CodeBase "foo.com", Signedby "foo",
- *            Principal com.sun.security.auth.UnixPrincipal "duke" {
- *          permission java.io.FilePermission "/home/duke", "read, write";
- *      };
- * </pre>
- *
- * This <b><i>grant</i></b> entry specifies that code from "foo.com",
- * signed by "foo', and running as a {@code UnixPrincipal} with the
- * name, duke, has one {@code Permission}.  This {@code Permission}
- * permits the executing code to read and write files in the directory,
- * "/home/duke".
- *
- * <p> To "run" as a particular {@code Principal},
- * code invokes the {@code Subject.doAs(subject, ...)} method.
- * After invoking that method, the code runs as all the Principals
- * associated with the specified {@code Subject}.
- * Note that this {@code Policy} (and the Permissions
- * granted in this {@code Policy}) only become effective
- * after the call to {@code Subject.doAs} has occurred.
- *
- * <p> Multiple Principals may be listed within one <b><i>grant</i></b> entry.
- * All the Principals in the grant entry must be associated with
- * the {@code Subject} provided to {@code Subject.doAs}
- * for that {@code Subject} to be granted the specified Permissions.
- *
- * <pre>
- *      grant Principal com.sun.security.auth.UnixPrincipal "duke",
- *            Principal com.sun.security.auth.UnixNumericUserPrincipal "0" {
- *          permission java.io.FilePermission "/home/duke", "read, write";
- *          permission java.net.SocketPermission "duke.com", "connect";
- *      };
- * </pre>
- *
- * This entry grants any code running as both "duke" and "0"
- * permission to read and write files in duke's home directory,
- * as well as permission to make socket connections to "duke.com".
- *
- * <p> Note that non Principal-based grant entries are not permitted
- * in this {@code Policy}.  Therefore, grant entries such as:
- *
- * <pre>
- *      grant CodeBase "foo.com", Signedby "foo" {
- *          permission java.io.FilePermission "/tmp/scratch", "read, write";
- *      };
- * </pre>
- *
- * are rejected.  Such permission must be listed in the
- * {@code java.security.Policy}.
- *
- * <p> The default {@code Policy} implementation can be changed by
- * setting the value of the {@code auth.policy.provider} security property to
- * the fully qualified name of the desired {@code Policy} implementation class.
- *
- * @deprecated  Replaced by java.security.Policy.
- *              java.security.Policy has a method:
- * <pre>
- *      public PermissionCollection getPermissions
- *          (java.security.ProtectionDomain pd)
- *
- * </pre>
- * and ProtectionDomain has a constructor:
- * <pre>
- *      public ProtectionDomain
- *          (CodeSource cs,
- *           PermissionCollection permissions,
- *           ClassLoader loader,
- *           Principal[] principals)
- * </pre>
- *
- * These two APIs provide callers the means to query the
- * Policy for Principal-based Permission entries.
- * This class is subject to removal in a future version of Java SE.
- *
- * @since 1.4
- * @see java.security.Security security properties
- */
-@Deprecated(since="1.4", forRemoval=true)
-public abstract class Policy {
-
-    private static Policy policy;
-    private static final String AUTH_POLICY =
-        "sun.security.provider.AuthPolicyFile";
-
-    private final java.security.AccessControlContext acc =
-            java.security.AccessController.getContext();
-
-    // true if a custom (not AUTH_POLICY) system-wide policy object is set
-    private static boolean isCustomPolicy;
-
-    /**
-     * Sole constructor.  (For invocation by subclass constructors, typically
-     * implicit.)
-     */
-    protected Policy() { }
-
-    /**
-     * Returns the installed Policy object.
-     * This method first calls
-     * {@code SecurityManager.checkPermission} with the
-     * {@code AuthPermission("getPolicy")} permission
-     * to ensure the caller has permission to get the Policy object.
-     *
-     * @return the installed Policy.  The return value cannot be
-     *          {@code null}.
-     *
-     * @exception java.lang.SecurityException if the current thread does not
-     *      have permission to get the Policy object.
-     *
-     * @see #setPolicy
-     */
-    public static Policy getPolicy() {
-        java.lang.SecurityManager sm = System.getSecurityManager();
-        if (sm != null) sm.checkPermission(new AuthPermission("getPolicy"));
-        return getPolicyNoCheck();
-    }
-
-    /**
-     * Returns the installed Policy object, skipping the security check.
-     *
-     * @return the installed Policy.
-     *
-     */
-    static Policy getPolicyNoCheck() {
-        if (policy == null) {
-
-            synchronized(Policy.class) {
-
-                if (policy == null) {
-                    String policy_class = null;
-                    policy_class = AccessController.doPrivileged
-                        (new PrivilegedAction<String>() {
-                        public String run() {
-                            return java.security.Security.getProperty
-                                ("auth.policy.provider");
-                        }
-                    });
-                    if (policy_class == null) {
-                        policy_class = AUTH_POLICY;
-                    }
-
-                    try {
-                        final String finalClass = policy_class;
-
-                        Policy untrustedImpl = AccessController.doPrivileged(
-                                new PrivilegedExceptionAction<Policy>() {
-                                    public Policy run() throws ClassNotFoundException,
-                                            InstantiationException,
-                                            IllegalAccessException {
-                                        Class<? extends Policy> implClass = Class.forName(
-                                                finalClass, false,
-                                                Thread.currentThread().getContextClassLoader()
-                                        ).asSubclass(Policy.class);
-                                        return implClass.newInstance();
-                                    }
-                                });
-                        AccessController.doPrivileged(
-                                new PrivilegedExceptionAction<Void>() {
-                                    public Void run() {
-                                        setPolicy(untrustedImpl);
-                                        isCustomPolicy = !finalClass.equals(AUTH_POLICY);
-                                        return null;
-                                    }
-                                }, Objects.requireNonNull(untrustedImpl.acc)
-                        );
-                    } catch (Exception e) {
-                        throw new SecurityException
-                                (sun.security.util.ResourcesMgr.getString
-                                ("unable.to.instantiate.Subject.based.policy"));
-                    }
-                }
-            }
-        }
-        return policy;
-    }
-
-
-    /**
-     * Sets the system-wide Policy object. This method first calls
-     * {@code SecurityManager.checkPermission} with the
-     * {@code AuthPermission("setPolicy")}
-     * permission to ensure the caller has permission to set the Policy.
-     *
-     * @param policy the new system Policy object.
-     *
-     * @exception java.lang.SecurityException if the current thread does not
-     *          have permission to set the Policy.
-     *
-     * @see #getPolicy
-     */
-    public static void setPolicy(Policy policy) {
-        java.lang.SecurityManager sm = System.getSecurityManager();
-        if (sm != null) sm.checkPermission(new AuthPermission("setPolicy"));
-        Policy.policy = policy;
-        // all non-null policy objects are assumed to be custom
-        isCustomPolicy = policy != null ? true : false;
-    }
-
-    /**
-     * Returns true if a custom (not AUTH_POLICY) system-wide policy object
-     * has been set or installed. This method is called by
-     * SubjectDomainCombiner to provide backwards compatibility for
-     * developers that provide their own javax.security.auth.Policy
-     * implementations.
-     *
-     * @return true if a custom (not AUTH_POLICY) system-wide policy object
-     * has been set; false otherwise
-     */
-    static boolean isCustomPolicySet(Debug debug) {
-        if (policy != null) {
-            if (debug != null && isCustomPolicy) {
-                debug.println("Providing backwards compatibility for " +
-                              "javax.security.auth.policy implementation: " +
-                              policy.toString());
-            }
-            return isCustomPolicy;
-        }
-        // check if custom policy has been set using auth.policy.provider prop
-        String policyClass = java.security.AccessController.doPrivileged
-            (new java.security.PrivilegedAction<String>() {
-                public String run() {
-                    return Security.getProperty("auth.policy.provider");
-                }
-        });
-        if (policyClass != null && !policyClass.equals(AUTH_POLICY)) {
-            if (debug != null) {
-                debug.println("Providing backwards compatibility for " +
-                              "javax.security.auth.policy implementation: " +
-                              policyClass);
-            }
-            return true;
-        }
-        return false;
-    }
-
-    /**
-     * Retrieve the Permissions granted to the Principals associated with
-     * the specified {@code CodeSource}.
-     *
-     * @param subject the {@code Subject}
-     *                  whose associated Principals,
-     *                  in conjunction with the provided
-     *                  {@code CodeSource}, determines the Permissions
-     *                  returned by this method.  This parameter
-     *                  may be {@code null}.
-     *
-     * @param cs the code specified by its {@code CodeSource}
-     *                  that determines, in conjunction with the provided
-     *                  {@code Subject}, the Permissions
-     *                  returned by this method.  This parameter may be
-     *                  {@code null}.
-     *
-     * @return the Collection of Permissions granted to all the
-     *                  {@code Subject} and code specified in
-     *                  the provided <i>subject</i> and <i>cs</i>
-     *                  parameters.
-     */
-    public abstract java.security.PermissionCollection getPermissions
-                                        (Subject subject,
-                                        java.security.CodeSource cs);
-
-    /**
-     * Refresh and reload the Policy.
-     *
-     * <p>This method causes this object to refresh/reload its current
-     * Policy. This is implementation-dependent.
-     * For example, if the Policy object is stored in
-     * a file, calling {@code refresh} will cause the file to be re-read.
-     *
-     * @exception SecurityException if the caller does not have permission
-     *                          to refresh the Policy.
-     */
-    public abstract void refresh();
-}
--- a/src/java.base/share/classes/javax/security/auth/SubjectDomainCombiner.java	Thu Mar 08 11:44:43 2018 +0800
+++ b/src/java.base/share/classes/javax/security/auth/SubjectDomainCombiner.java	Thu Mar 08 12:20:26 2018 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,13 +26,9 @@
 package javax.security.auth;
 
 import java.security.AccessController;
-import java.security.Permission;
-import java.security.Permissions;
-import java.security.PermissionCollection;
 import java.security.Principal;
 import java.security.PrivilegedAction;
 import java.security.ProtectionDomain;
-import java.security.Security;
 import java.util.Set;
 import java.util.WeakHashMap;
 import java.lang.ref.WeakReference;
@@ -56,15 +52,6 @@
         sun.security.util.Debug.getInstance("combiner",
                                         "\t[SubjectDomainCombiner]");
 
-    @SuppressWarnings({"deprecation", "removal"})
-    // Note: check only at classloading time, not dynamically during combine()
-    private static final boolean useJavaxPolicy =
-        javax.security.auth.Policy.isCustomPolicySet(debug);
-
-    // Relevant only when useJavaxPolicy is true
-    private static final boolean allowCaching =
-                                        (useJavaxPolicy && cachePolicy());
-
     /**
      * Associate the provided {@code Subject} with this
      * {@code SubjectDomainCombiner}.
@@ -196,12 +183,6 @@
             return null;
         }
 
-        // maintain backwards compatibility for developers who provide
-        // their own custom javax.security.auth.Policy implementations
-        if (useJavaxPolicy) {
-            return combineJavaxPolicy(currentDomains, assignedDomains);
-        }
-
         int cLen = (currentDomains == null ? 0 : currentDomains.length);
         int aLen = (assignedDomains == null ? 0 : assignedDomains.length);
 
@@ -292,151 +273,6 @@
         }
     }
 
-    /**
-     * Use the javax.security.auth.Policy implementation
-     */
-    private ProtectionDomain[] combineJavaxPolicy(
-        ProtectionDomain[] currentDomains,
-        ProtectionDomain[] assignedDomains) {
-
-        if (!allowCaching) {
-            java.security.AccessController.doPrivileged
-                (new PrivilegedAction<Void>() {
-                    @SuppressWarnings({"deprecation", "removal"})
-                    public Void run() {
-                        // Call refresh only caching is disallowed
-                        javax.security.auth.Policy.getPolicy().refresh();
-                        return null;
-                    }
-                });
-        }
-
-
-        int cLen = (currentDomains == null ? 0 : currentDomains.length);
-        int aLen = (assignedDomains == null ? 0 : assignedDomains.length);
-
-        // the ProtectionDomains for the new AccessControlContext
-        // that we will return
-        ProtectionDomain[] newDomains = new ProtectionDomain[cLen + aLen];
-
-        synchronized(cachedPDs) {
-            if (!subject.isReadOnly() &&
-                !subject.getPrincipals().equals(principalSet)) {
-
-                // if the Subject was mutated, clear the PD cache
-                Set<Principal> newSet = subject.getPrincipals();
-                synchronized(newSet) {
-                    principalSet = new java.util.HashSet<Principal>(newSet);
-                }
-                principals = principalSet.toArray
-                        (new Principal[principalSet.size()]);
-                cachedPDs.clear();
-
-                if (debug != null) {
-                    debug.println("Subject mutated - clearing cache");
-                }
-            }
-
-            for (int i = 0; i < cLen; i++) {
-                ProtectionDomain pd = currentDomains[i];
-                ProtectionDomain subjectPd = cachedPDs.getValue(pd);
-
-                if (subjectPd == null) {
-                    if (pd.staticPermissionsOnly()) {
-                        // keep static ProtectionDomain objects static
-                        subjectPd = pd;
-                    } else {
-                        // XXX
-                        // we must first add the original permissions.
-                        // that way when we later add the new JAAS permissions,
-                        // any unresolved JAAS-related permissions will
-                        // automatically get resolved.
-
-                        // get the original perms
-                        Permissions perms = new Permissions();
-                        PermissionCollection coll = pd.getPermissions();
-                        java.util.Enumeration<Permission> e;
-                        if (coll != null) {
-                            synchronized (coll) {
-                                e = coll.elements();
-                                while (e.hasMoreElements()) {
-                                    Permission newPerm =
-                                        e.nextElement();
-                                    perms.add(newPerm);
-                                }
-                            }
-                        }
-
-                        // get perms from the policy
-                        final java.security.CodeSource finalCs = pd.getCodeSource();
-                        final Subject finalS = subject;
-                        PermissionCollection newPerms =
-                            java.security.AccessController.doPrivileged
-                            (new PrivilegedAction<PermissionCollection>() {
-                            @SuppressWarnings({"deprecation", "removal"})
-                            public PermissionCollection run() {
-                                return
-                                    javax.security.auth.Policy.getPolicy().getPermissions
-                                    (finalS, finalCs);
-                            }
-                        });
-
-                        // add the newly granted perms,
-                        // avoiding duplicates
-                        synchronized (newPerms) {
-                            e = newPerms.elements();
-                            while (e.hasMoreElements()) {
-                                Permission newPerm = e.nextElement();
-                                if (!perms.implies(newPerm)) {
-                                    perms.add(newPerm);
-                                    if (debug != null)
-                                        debug.println (
-                                            "Adding perm " + newPerm + "\n");
-                                }
-                            }
-                        }
-                        subjectPd = new ProtectionDomain
-                            (finalCs, perms, pd.getClassLoader(), principals);
-                    }
-                    if (allowCaching)
-                        cachedPDs.putValue(pd, subjectPd);
-                }
-                newDomains[i] = subjectPd;
-            }
-        }
-
-        if (debug != null) {
-            debug.println("updated current: ");
-            for (int i = 0; i < cLen; i++) {
-                debug.println("\tupdated[" + i + "] = " + newDomains[i]);
-            }
-        }
-
-        // now add on the assigned domains
-        if (aLen > 0) {
-            System.arraycopy(assignedDomains, 0, newDomains, cLen, aLen);
-        }
-
-        if (debug != null) {
-            if (newDomains == null || newDomains.length == 0) {
-                debug.println("returning null");
-            } else {
-                debug.println("combinedDomains: ");
-                for (int i = 0; i < newDomains.length; i++) {
-                    debug.println("newDomain " + i + ": " +
-                        newDomains[i].toString());
-                }
-            }
-        }
-
-        // return the new ProtectionDomains
-        if (newDomains == null || newDomains.length == 0) {
-            return null;
-        } else {
-            return newDomains;
-        }
-    }
-
     private static ProtectionDomain[] optimize(ProtectionDomain[] domains) {
         if (domains == null || domains.length == 0)
             return null;
@@ -476,21 +312,6 @@
         return ((num == 0 || optimized.length == 0) ? null : optimized);
     }
 
-    private static boolean cachePolicy() {
-        String s = AccessController.doPrivileged
-            (new PrivilegedAction<String>() {
-            public String run() {
-                return Security.getProperty("cache.auth.policy");
-            }
-        });
-        if (s != null) {
-            return Boolean.parseBoolean(s);
-        }
-
-        // cache by default
-        return true;
-    }
-
     private static void printInputDomains(ProtectionDomain[] currentDomains,
                                 ProtectionDomain[] assignedDomains) {
         if (currentDomains == null || currentDomains.length == 0) {
--- a/src/java.base/share/classes/sun/security/provider/AuthPolicyFile.java	Thu Mar 08 11:44:43 2018 +0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,1197 +0,0 @@
-/*
- * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.provider;
-
-import java.io.*;
-import java.lang.reflect.*;
-import java.net.URL;
-import java.util.*;
-
-import java.security.AccessController;
-import java.security.CodeSource;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.Permission;
-import java.security.Permissions;
-import java.security.PermissionCollection;
-import java.security.Principal;
-import java.security.PrivilegedAction;
-import java.security.UnresolvedPermission;
-import java.security.Security;
-import java.security.cert.Certificate;
-import java.security.cert.X509Certificate;
-
-import javax.security.auth.Subject;
-import javax.security.auth.PrivateCredentialPermission;
-
-import sun.security.provider.PolicyParser.GrantEntry;
-import sun.security.provider.PolicyParser.PermissionEntry;
-import sun.security.provider.PolicyParser.PrincipalEntry;
-import sun.security.util.Debug;
-import sun.security.util.PolicyUtil;
-import sun.security.util.PropertyExpander;
-
-/**
- * See {@code com.sun.security.auth.PolicyFile} for the class description.
- * This class is necessary in order to support a default
- * {@code javax.security.auth.Policy} implementation on the compact1 and
- * compact2 profiles.
- *
- * @deprecated As of JDK&nbsp;1.4, replaced by
- *             {@code sun.security.provider.PolicyFile}.
- *             This class is entirely deprecated.
- */
-@Deprecated
-@SuppressWarnings("removal")
-public class AuthPolicyFile extends javax.security.auth.Policy {
-
-    static final ResourceBundle rb =
-        AccessController.doPrivileged(new PrivilegedAction<ResourceBundle>() {
-            @Override public ResourceBundle run() {
-                return (ResourceBundle.getBundle
-                        ("sun.security.util.AuthResources"));
-            }
-        });
-
-    private static final Debug debug = Debug.getInstance("policy",
-                                                         "\t[Auth Policy]");
-
-    private static final String AUTH_POLICY = "java.security.auth.policy";
-    private static final String SECURITY_MANAGER = "java.security.manager";
-    private static final String AUTH_POLICY_URL = "auth.policy.url.";
-
-    private Vector<PolicyEntry> policyEntries;
-    private Hashtable<Object, Object> aliasMapping;
-
-    private boolean initialized = false;
-
-    private boolean expandProperties = true;
-    private boolean ignoreIdentityScope = true;
-
-    // for use with the reflection API
-    private static final Class<?>[] PARAMS = { String.class, String.class};
-
-    /**
-     * Initializes the Policy object and reads the default policy
-     * configuration file(s) into the Policy object.
-     */
-    public AuthPolicyFile() {
-        // initialize Policy if either the AUTH_POLICY or
-        // SECURITY_MANAGER properties are set
-        String prop = System.getProperty(AUTH_POLICY);
-
-        if (prop == null) {
-            prop = System.getProperty(SECURITY_MANAGER);
-        }
-        if (prop != null) {
-            init();
-        }
-    }
-
-    private synchronized void init() {
-        if (initialized) {
-            return;
-        }
-
-        policyEntries = new Vector<PolicyEntry>();
-        aliasMapping = new Hashtable<Object, Object>(11);
-
-        initPolicyFile();
-        initialized = true;
-    }
-
-    @Override
-    public synchronized void refresh() {
-
-        java.lang.SecurityManager sm = System.getSecurityManager();
-        if (sm != null) {
-            sm.checkPermission(new javax.security.auth.AuthPermission
-                                ("refreshPolicy"));
-        }
-
-        // XXX
-        //
-        // 1)   if code instantiates PolicyFile directly, then it will need
-        //      all the permissions required for the PolicyFile initialization
-        // 2)   if code calls Policy.getPolicy, then it simply needs
-        //      AuthPermission(getPolicy), and the javax.security.auth.Policy
-        //      implementation instantiates PolicyFile in a doPrivileged block
-        // 3)   if after instantiating a Policy (either via #1 or #2),
-        //      code calls refresh, it simply needs
-        //      AuthPermission(refreshPolicy).  then PolicyFile wraps
-        //      the refresh in a doPrivileged block.
-        initialized = false;
-        AccessController.doPrivileged(new PrivilegedAction<Void>() {
-            @Override public Void run() {
-                init();
-                return null;
-            }
-        });
-    }
-
-    private KeyStore initKeyStore(URL policyUrl, String keyStoreName,
-                                  String keyStoreType) {
-        if (keyStoreName != null) {
-            try {
-                /*
-                 * location of keystore is specified as absolute URL in policy
-                 * file, or is relative to URL of policy file
-                 */
-                URL keyStoreUrl = null;
-                try {
-                    keyStoreUrl = new URL(keyStoreName);
-                    // absolute URL
-                } catch (java.net.MalformedURLException e) {
-                    // relative URL
-                    keyStoreUrl = new URL(policyUrl, keyStoreName);
-                }
-
-                if (debug != null) {
-                    debug.println("reading keystore"+keyStoreUrl);
-                }
-
-                InputStream inStream = new BufferedInputStream(
-                    PolicyUtil.getInputStream(keyStoreUrl));
-
-                KeyStore ks;
-                if (keyStoreType != null)
-                    ks = KeyStore.getInstance(keyStoreType);
-                else
-                    ks = KeyStore.getInstance(KeyStore.getDefaultType());
-                ks.load(inStream, null);
-                inStream.close();
-                return ks;
-            } catch (Exception e) {
-                // ignore, treat it like we have no keystore
-                if (debug != null) {
-                    debug.println("Debug info only. No keystore.");
-                    e.printStackTrace();
-                }
-                return null;
-            }
-        }
-        return null;
-    }
-
-    private void initPolicyFile() {
-
-        String prop = Security.getProperty("policy.expandProperties");
-        if (prop != null) {
-            expandProperties = prop.equalsIgnoreCase("true");
-        }
-
-        String iscp = Security.getProperty("policy.ignoreIdentityScope");
-        if (iscp != null) {
-            ignoreIdentityScope = iscp.equalsIgnoreCase("true");
-        }
-
-        String allowSys = Security.getProperty("policy.allowSystemProperty");
-        if (allowSys != null && allowSys.equalsIgnoreCase("true")) {
-            String extra_policy = System.getProperty(AUTH_POLICY);
-            if (extra_policy != null) {
-                boolean overrideAll = false;
-                if (extra_policy.startsWith("=")) {
-                    overrideAll = true;
-                    extra_policy = extra_policy.substring(1);
-                }
-                try {
-                    extra_policy = PropertyExpander.expand(extra_policy);
-                    URL policyURL;
-                    File policyFile = new File(extra_policy);
-                    if (policyFile.exists()) {
-                        policyURL =
-                            new URL("file:" + policyFile.getCanonicalPath());
-                    } else {
-                        policyURL = new URL(extra_policy);
-                    }
-                    if (debug != null) {
-                        debug.println("reading " + policyURL);
-                    }
-                    init(policyURL);
-                } catch (Exception e) {
-                    // ignore.
-                    if (debug != null) {
-                        debug.println("caught exception: " + e);
-                    }
-
-                }
-                if (overrideAll) {
-                    if (debug != null) {
-                        debug.println("overriding other policies!");
-                    }
-                    return;
-                }
-            }
-        }
-
-        int n = 1;
-        boolean loaded_one = false;
-        String policy_url;
-
-        while ((policy_url = Security.getProperty(AUTH_POLICY_URL+n)) != null) {
-            try {
-                policy_url = PropertyExpander.expand(policy_url).replace
-                                                (File.separatorChar, '/');
-                if (debug != null) {
-                    debug.println("reading " + policy_url);
-                }
-                init(new URL(policy_url));
-                loaded_one = true;
-            } catch (Exception e) {
-                if (debug != null) {
-                    debug.println("Debug info only. Error reading policy " + e);
-                    e.printStackTrace();
-                }
-                // ignore that policy
-            }
-            n++;
-        }
-
-        if (loaded_one == false) {
-            // do not load a static policy
-        }
-    }
-
-    /**
-     * Checks public key. If it is marked as trusted in
-     * the identity database, add it to the policy
-     * with the AllPermission.
-     */
-    private boolean checkForTrustedIdentity(final Certificate cert) {
-        return false;
-    }
-
-    /**
-     * Reads a policy configuration into the Policy object using a
-     * Reader object.
-     *
-     * @param policyFile the policy Reader object.
-     */
-    private void init(URL policy) {
-        PolicyParser pp = new PolicyParser(expandProperties);
-        try (InputStreamReader isr
-                = new InputStreamReader(PolicyUtil.getInputStream(policy))) {
-            pp.read(isr);
-            KeyStore keyStore = initKeyStore(policy, pp.getKeyStoreUrl(),
-                                             pp.getKeyStoreType());
-            Enumeration<GrantEntry> enum_ = pp.grantElements();
-            while (enum_.hasMoreElements()) {
-                GrantEntry ge = enum_.nextElement();
-                addGrantEntry(ge, keyStore);
-            }
-        } catch (PolicyParser.ParsingException pe) {
-            System.err.println(AUTH_POLICY +
-                               rb.getString(".error.parsing.") + policy);
-            System.err.println(AUTH_POLICY + rb.getString("COLON") +
-                               pe.getMessage());
-            if (debug != null) {
-                pe.printStackTrace();
-            }
-        } catch (Exception e) {
-            if (debug != null) {
-                debug.println("error parsing " + policy);
-                debug.println(e.toString());
-                e.printStackTrace();
-            }
-        }
-    }
-
-    /**
-     * Given a PermissionEntry, create a codeSource.
-     *
-     * @return null if signedBy alias is not recognized
-     */
-    CodeSource getCodeSource(GrantEntry ge, KeyStore keyStore)
-            throws java.net.MalformedURLException
-    {
-        Certificate[] certs = null;
-        if (ge.signedBy != null) {
-            certs = getCertificates(keyStore, ge.signedBy);
-            if (certs == null) {
-                // we don't have a key for this alias,
-                // just return
-                if (debug != null) {
-                    debug.println(" no certs for alias " +
-                                       ge.signedBy + ", ignoring.");
-                }
-                return null;
-            }
-        }
-
-        URL location;
-        if (ge.codeBase != null) {
-            location = new URL(ge.codeBase);
-        } else {
-            location = null;
-        }
-
-        if (ge.principals == null || ge.principals.size() == 0) {
-            return (canonicalizeCodebase
-                        (new CodeSource(location, certs),
-                        false));
-        } else {
-            return (canonicalizeCodebase
-                (new SubjectCodeSource(null, ge.principals, location, certs),
-                false));
-        }
-    }
-
-    /**
-     * Add one policy entry to the vector.
-     */
-    private void addGrantEntry(GrantEntry ge, KeyStore keyStore) {
-
-        if (debug != null) {
-            debug.println("Adding policy entry: ");
-            debug.println("  signedBy " + ge.signedBy);
-            debug.println("  codeBase " + ge.codeBase);
-            if (ge.principals != null) {
-                for (PrincipalEntry pppe : ge.principals) {
-                    debug.println("  " + pppe.getPrincipalClass() +
-                                        " " + pppe.getPrincipalName());
-                }
-            }
-            debug.println();
-        }
-
-        try {
-            CodeSource codesource = getCodeSource(ge, keyStore);
-            // skip if signedBy alias was unknown...
-            if (codesource == null) return;
-
-            PolicyEntry entry = new PolicyEntry(codesource);
-            Enumeration<PermissionEntry> enum_ = ge.permissionElements();
-            while (enum_.hasMoreElements()) {
-                PermissionEntry pe = enum_.nextElement();
-                try {
-                    // XXX special case PrivateCredentialPermission-SELF
-                    Permission perm;
-                    if (pe.permission.equals
-                        ("javax.security.auth.PrivateCredentialPermission") &&
-                        pe.name.endsWith(" self")) {
-                        perm = getInstance(pe.permission,
-                                         pe.name + " \"self\"",
-                                         pe.action);
-                    } else {
-                        perm = getInstance(pe.permission,
-                                         pe.name,
-                                         pe.action);
-                    }
-                    entry.add(perm);
-                    if (debug != null) {
-                        debug.println("  "+perm);
-                    }
-                } catch (ClassNotFoundException cnfe) {
-                    Certificate[] certs;
-                    if (pe.signedBy != null) {
-                        certs = getCertificates(keyStore, pe.signedBy);
-                    } else {
-                        certs = null;
-                    }
-
-                    // only add if we had no signer or we had
-                    // a signer and found the keys for it.
-                    if (certs != null || pe.signedBy == null) {
-                            Permission perm = new UnresolvedPermission(
-                                             pe.permission,
-                                             pe.name,
-                                             pe.action,
-                                             certs);
-                            entry.add(perm);
-                            if (debug != null) {
-                                debug.println("  "+perm);
-                            }
-                    }
-                } catch (java.lang.reflect.InvocationTargetException ite) {
-                    System.err.println
-                        (AUTH_POLICY +
-                        rb.getString(".error.adding.Permission.") +
-                        pe.permission +
-                        rb.getString("SPACE") +
-                        ite.getTargetException());
-                } catch (Exception e) {
-                    System.err.println
-                        (AUTH_POLICY +
-                        rb.getString(".error.adding.Permission.") +
-                        pe.permission +
-                        rb.getString("SPACE") +
-                        e);
-                }
-            }
-            policyEntries.addElement(entry);
-        } catch (Exception e) {
-            System.err.println
-                (AUTH_POLICY +
-                rb.getString(".error.adding.Entry.") +
-                ge +
-                rb.getString("SPACE") +
-                e);
-        }
-
-        if (debug != null) {
-            debug.println();
-        }
-    }
-
-    /**
-     * Returns a new Permission object of the given Type. The Permission is
-     * created by getting the
-     * Class object using the <code>Class.forName</code> method, and using
-     * the reflection API to invoke the (String name, String actions)
-     * constructor on the
-     * object.
-     *
-     * @param type the type of Permission being created.
-     * @param name the name of the Permission being created.
-     * @param actions the actions of the Permission being created.
-     *
-     * @exception  ClassNotFoundException  if the particular Permission
-     *             class could not be found.
-     *
-     * @exception  IllegalAccessException  if the class or initializer is
-     *               not accessible.
-     *
-     * @exception  InstantiationException  if getInstance tries to
-     *               instantiate an abstract class or an interface, or if the
-     *               instantiation fails for some other reason.
-     *
-     * @exception  NoSuchMethodException if the (String, String) constructor
-     *               is not found.
-     *
-     * @exception  InvocationTargetException if the underlying Permission
-     *               constructor throws an exception.
-     *
-     */
-    private static final Permission getInstance(String type,
-                                    String name,
-                                    String actions)
-        throws ClassNotFoundException,
-               InstantiationException,
-               IllegalAccessException,
-               NoSuchMethodException,
-               InvocationTargetException
-    {
-        //XXX we might want to keep a hash of created factories...
-        Class<?> pc = Class.forName(type);
-        Constructor<?> c = pc.getConstructor(PARAMS);
-        return (Permission) c.newInstance(new Object[] { name, actions });
-    }
-
-    /**
-     * Fetch all certs associated with this alias.
-     */
-    Certificate[] getCertificates(KeyStore keyStore, String aliases) {
-
-        Vector<Certificate> vcerts = null;
-
-        StringTokenizer st = new StringTokenizer(aliases, ",");
-        int n = 0;
-
-        while (st.hasMoreTokens()) {
-            String alias = st.nextToken().trim();
-            n++;
-            Certificate cert = null;
-            // See if this alias's cert has already been cached
-            cert = (Certificate) aliasMapping.get(alias);
-            if (cert == null && keyStore != null) {
-
-                try {
-                    cert = keyStore.getCertificate(alias);
-                } catch (KeyStoreException kse) {
-                    // never happens, because keystore has already been loaded
-                    // when we call this
-                }
-                if (cert != null) {
-                    aliasMapping.put(alias, cert);
-                    aliasMapping.put(cert, alias);
-                }
-            }
-
-            if (cert != null) {
-                if (vcerts == null) {
-                    vcerts = new Vector<Certificate>();
-                }
-                vcerts.addElement(cert);
-            }
-        }
-
-        // make sure n == vcerts.size, since we are doing a logical *and*
-        if (vcerts != null && n == vcerts.size()) {
-            Certificate[] certs = new Certificate[vcerts.size()];
-            vcerts.copyInto(certs);
-            return certs;
-        } else {
-            return null;
-        }
-    }
-
-    /**
-     * Enumerate all the entries in the global policy object.
-     * This method is used by policy admin tools.   The tools
-     * should use the Enumeration methods on the returned object
-     * to fetch the elements sequentially.
-     */
-    private final synchronized Enumeration<PolicyEntry> elements() {
-        return policyEntries.elements();
-    }
-
-    @Override
-    public PermissionCollection getPermissions(final Subject subject,
-                                               final CodeSource codesource) {
-
-        // 1)   if code instantiates PolicyFile directly, then it will need
-        //      all the permissions required for the PolicyFile initialization
-        // 2)   if code calls Policy.getPolicy, then it simply needs
-        //      AuthPermission(getPolicy), and the javax.security.auth.Policy
-        //      implementation instantiates PolicyFile in a doPrivileged block
-        // 3)   if after instantiating a Policy (either via #1 or #2),
-        //      code calls getPermissions, PolicyFile wraps the call
-        //      in a doPrivileged block.
-        return AccessController.doPrivileged
-            (new PrivilegedAction<PermissionCollection>() {
-            @Override public PermissionCollection run() {
-                SubjectCodeSource scs = new SubjectCodeSource(
-                    subject, null,
-                    codesource == null ? null : codesource.getLocation(),
-                    codesource == null ? null : codesource.getCertificates());
-                if (initialized) {
-                    return getPermissions(new Permissions(), scs);
-                } else {
-                    return new PolicyPermissions(AuthPolicyFile.this, scs);
-                }
-            }
-        });
-    }
-
-    /**
-     * Examines the global policy for the specified CodeSource, and
-     * creates a PermissionCollection object with
-     * the set of permissions for that principal's protection domain.
-     *
-     * @param CodeSource the codesource associated with the caller.
-     * This encapsulates the original location of the code (where the code
-     * came from) and the public key(s) of its signer.
-     *
-     * @return the set of permissions according to the policy.
-     */
-    PermissionCollection getPermissions(CodeSource codesource) {
-
-        if (initialized) {
-            return getPermissions(new Permissions(), codesource);
-        } else {
-            return new PolicyPermissions(this, codesource);
-        }
-    }
-
-    /**
-     * Examines the global policy for the specified CodeSource, and
-     * creates a PermissionCollection object with
-     * the set of permissions for that principal's protection domain.
-     *
-     * @param permissions the permissions to populate
-     * @param codesource the codesource associated with the caller.
-     * This encapsulates the original location of the code (where the code
-     * came from) and the public key(s) of its signer.
-     *
-     * @return the set of permissions according to the policy.
-     */
-    Permissions getPermissions(final Permissions perms,
-                               final CodeSource cs)
-    {
-        if (!initialized) {
-            init();
-        }
-
-        final CodeSource[] codesource = {null};
-
-        codesource[0] = canonicalizeCodebase(cs, true);
-
-        if (debug != null) {
-            debug.println("evaluate(" + codesource[0] + ")\n");
-        }
-
-        // needs to be in a begin/endPrivileged block because
-        // codesource.implies calls URL.equals which does an
-        // InetAddress lookup
-
-        for (int i = 0; i < policyEntries.size(); i++) {
-
-           PolicyEntry entry = policyEntries.elementAt(i);
-
-           if (debug != null) {
-                debug.println("PolicyFile CodeSource implies: " +
-                              entry.codesource.toString() + "\n\n" +
-                              "\t" + codesource[0].toString() + "\n\n");
-           }
-
-           if (entry.codesource.implies(codesource[0])) {
-               for (int j = 0; j < entry.permissions.size(); j++) {
-                    Permission p = entry.permissions.elementAt(j);
-                    if (debug != null) {
-                        debug.println("  granting " + p);
-                    }
-                    if (!addSelfPermissions(p, entry.codesource,
-                                            codesource[0], perms)) {
-                        // we could check for duplicates
-                        // before adding new permissions,
-                        // but the SubjectDomainCombiner
-                        // already checks for duplicates later
-                        perms.add(p);
-                    }
-                }
-            }
-        }
-
-        // now see if any of the keys are trusted ids.
-
-        if (!ignoreIdentityScope) {
-            Certificate[] certs = codesource[0].getCertificates();
-            if (certs != null) {
-                for (int k=0; k < certs.length; k++) {
-                    if (aliasMapping.get(certs[k]) == null &&
-                        checkForTrustedIdentity(certs[k])) {
-                        // checkForTrustedIdentity added it
-                        // to the policy for us. next time
-                        // around we'll find it. This time
-                        // around we need to add it.
-                        perms.add(new java.security.AllPermission());
-                    }
-                }
-            }
-        }
-        return perms;
-    }
-
-    /**
-     * Returns true if 'Self' permissions were added to the provided
-     * 'perms', and false otherwise.
-     *
-     * <p>
-     *
-     * @param p check to see if this Permission is a "SELF"
-     *                  PrivateCredentialPermission. <p>
-     *
-     * @param entryCs the codesource for the Policy entry.
-     *
-     * @param accCs the codesource for from the current AccessControlContext.
-     *
-     * @param perms the PermissionCollection where the individual
-     *                  PrivateCredentialPermissions will be added.
-     */
-    private boolean addSelfPermissions(final Permission p,
-                                       CodeSource entryCs,
-                                       CodeSource accCs,
-                                       Permissions perms) {
-
-        if (!(p instanceof PrivateCredentialPermission)) {
-            return false;
-        }
-
-        if (!(entryCs instanceof SubjectCodeSource)) {
-            return false;
-        }
-
-        PrivateCredentialPermission pcp = (PrivateCredentialPermission)p;
-        SubjectCodeSource scs = (SubjectCodeSource)entryCs;
-
-        // see if it is a SELF permission
-        String[][] pPrincipals = pcp.getPrincipals();
-        if (pPrincipals.length <= 0 ||
-            !pPrincipals[0][0].equalsIgnoreCase("self") ||
-            !pPrincipals[0][1].equalsIgnoreCase("self")) {
-
-            // regular PrivateCredentialPermission
-            return false;
-        } else {
-
-            // granted a SELF permission - create a
-            // PrivateCredentialPermission for each
-            // of the Policy entry's CodeSource Principals
-
-            if (scs.getPrincipals() == null) {
-                // XXX SubjectCodeSource has no Subject???
-                return true;
-            }
-
-            for (PrincipalEntry principal : scs.getPrincipals()) {
-
-                //      if the Policy entry's Principal does not contain a
-                //              WILDCARD for the Principal name, then a
-                //              new PrivateCredentialPermission is created
-                //              for the Principal listed in the Policy entry.
-                //      if the Policy entry's Principal contains a WILDCARD
-                //              for the Principal name, then a new
-                //              PrivateCredentialPermission is created
-                //              for each Principal associated with the Subject
-                //              in the current ACC.
-
-                String[][] principalInfo = getPrincipalInfo(principal, accCs);
-
-                for (int i = 0; i < principalInfo.length; i++) {
-
-                    // here's the new PrivateCredentialPermission
-
-                    PrivateCredentialPermission newPcp =
-                        new PrivateCredentialPermission
-                                (pcp.getCredentialClass() +
-                                        " " +
-                                        principalInfo[i][0] +
-                                        " " +
-                                        "\"" + principalInfo[i][1] + "\"",
-                                "read");
-
-                    if (debug != null) {
-                        debug.println("adding SELF permission: " +
-                                        newPcp.toString());
-                    }
-
-                    perms.add(newPcp);
-                }
-            }
-        }
-        return true;
-    }
-
-    /**
-     * return the principal class/name pair in the 2D array.
-     * array[x][y]:     x corresponds to the array length.
-     *                  if (y == 0), it's the principal class.
-     *                  if (y == 1), it's the principal name.
-     */
-    private String[][] getPrincipalInfo(PrincipalEntry principal,
-                                        final CodeSource accCs) {
-
-        // there are 3 possibilities:
-        // 1) the entry's Principal class and name are not wildcarded
-        // 2) the entry's Principal name is wildcarded only
-        // 3) the entry's Principal class and name are wildcarded
-
-        if (!principal.getPrincipalClass().equals
-                (PrincipalEntry.WILDCARD_CLASS) &&
-            !principal.getPrincipalName().equals
-                (PrincipalEntry.WILDCARD_NAME)) {
-
-            // build a PrivateCredentialPermission for the principal
-            // from the Policy entry
-            String[][] info = new String[1][2];
-            info[0][0] = principal.getPrincipalClass();
-            info[0][1] = principal.getPrincipalName();
-            return info;
-
-        } else if (!principal.getPrincipalClass().equals
-                (PrincipalEntry.WILDCARD_CLASS) &&
-            principal.getPrincipalName().equals
-                (PrincipalEntry.WILDCARD_NAME)) {
-
-            // build a PrivateCredentialPermission for all
-            // the Subject's principals that are instances of principalClass
-
-            // the accCs is guaranteed to be a SubjectCodeSource
-            // because the earlier CodeSource.implies succeeded
-            SubjectCodeSource scs = (SubjectCodeSource)accCs;
-
-            Set<? extends Principal> principalSet = null;
-            try {
-                // principal.principalClass should extend Principal
-                // If it doesn't, we should stop here with a ClassCastException.
-                @SuppressWarnings("unchecked")
-                Class<? extends Principal> pClass = (Class<? extends Principal>)
-                        Class.forName(principal.getPrincipalClass(), false,
-                                      ClassLoader.getSystemClassLoader());
-                principalSet = scs.getSubject().getPrincipals(pClass);
-            } catch (Exception e) {
-                if (debug != null) {
-                    debug.println("problem finding Principal Class " +
-                                  "when expanding SELF permission: " +
-                                  e.toString());
-                }
-            }
-
-            if (principalSet == null) {
-                // error
-                return new String[0][0];
-            }
-
-            String[][] info = new String[principalSet.size()][2];
-
-            int i = 0;
-            for (Principal p : principalSet) {
-                info[i][0] = p.getClass().getName();
-                info[i][1] = p.getName();
-                i++;
-            }
-            return info;
-
-        } else {
-
-            // build a PrivateCredentialPermission for every
-            // one of the current Subject's principals
-
-            // the accCs is guaranteed to be a SubjectCodeSource
-            // because the earlier CodeSource.implies succeeded
-            SubjectCodeSource scs = (SubjectCodeSource)accCs;
-            Set<Principal> principalSet = scs.getSubject().getPrincipals();
-
-            String[][] info = new String[principalSet.size()][2];
-
-            int i = 0;
-            for (Principal p : principalSet) {
-                info[i][0] = p.getClass().getName();
-                info[i][1] = p.getName();
-                i++;
-            }
-            return info;
-        }
-    }
-
-    /*
-     * Returns the signer certificates from the list of certificates associated
-     * with the given code source.
-     *
-     * The signer certificates are those certificates that were used to verify
-     * signed code originating from the codesource location.
-     *
-     * This method assumes that in the given code source, each signer
-     * certificate is followed by its supporting certificate chain
-     * (which may be empty), and that the signer certificate and its
-     * supporting certificate chain are ordered bottom-to-top (i.e., with the
-     * signer certificate first and the (root) certificate authority last).
-     */
-    Certificate[] getSignerCertificates(CodeSource cs) {
-        Certificate[] certs = null;
-        if ((certs = cs.getCertificates()) == null) {
-            return null;
-        }
-        for (int i = 0; i < certs.length; i++) {
-            if (!(certs[i] instanceof X509Certificate))
-                return cs.getCertificates();
-        }
-
-        // Do we have to do anything?
-        int i = 0;
-        int count = 0;
-        while (i < certs.length) {
-            count++;
-            while (((i+1) < certs.length)
-                   && ((X509Certificate)certs[i]).getIssuerDN().equals(
-                           ((X509Certificate)certs[i+1]).getSubjectDN())) {
-                i++;
-            }
-            i++;
-        }
-        if (count == certs.length) {
-            // Done
-            return certs;
-        }
-
-        ArrayList<Certificate> userCertList = new ArrayList<>();
-        i = 0;
-        while (i < certs.length) {
-            userCertList.add(certs[i]);
-            while (((i+1) < certs.length)
-                   && ((X509Certificate)certs[i]).getIssuerDN().equals(
-                           ((X509Certificate)certs[i+1]).getSubjectDN())) {
-                i++;
-            }
-            i++;
-        }
-        Certificate[] userCerts = new Certificate[userCertList.size()];
-        userCertList.toArray(userCerts);
-        return userCerts;
-    }
-
-    private CodeSource canonicalizeCodebase(CodeSource cs,
-                                            boolean extractSignerCerts) {
-        CodeSource canonCs = cs;
-        if (cs.getLocation() != null &&
-            cs.getLocation().getProtocol().equalsIgnoreCase("file")) {
-            try {
-                String path = cs.getLocation().getFile().replace
-                                                        ('/',
-                                                        File.separatorChar);
-                URL csUrl = null;
-                if (path.endsWith("*")) {
-                    // remove trailing '*' because it causes canonicalization
-                    // to fail on win32
-                    path = path.substring(0, path.length()-1);
-                    boolean appendFileSep = false;
-                    if (path.endsWith(File.separator)) {
-                        appendFileSep = true;
-                    }
-                    if (path.equals("")) {
-                        path = System.getProperty("user.dir");
-                    }
-                    File f = new File(path);
-                    path = f.getCanonicalPath();
-                    StringBuilder sb = new StringBuilder(path);
-                    // reappend '*' to canonicalized filename (note that
-                    // canonicalization may have removed trailing file
-                    // separator, so we have to check for that, too)
-                    if (!path.endsWith(File.separator) &&
-                        (appendFileSep || f.isDirectory())) {
-                        sb.append(File.separatorChar);
-                    }
-                    sb.append('*');
-                    path = sb.toString();
-                } else {
-                    path = new File(path).getCanonicalPath();
-                }
-                csUrl = new File(path).toURL();
-
-                if (cs instanceof SubjectCodeSource) {
-                    SubjectCodeSource scs = (SubjectCodeSource)cs;
-                    if (extractSignerCerts) {
-                        canonCs = new SubjectCodeSource(scs.getSubject(),
-                                                        scs.getPrincipals(),
-                                                        csUrl,
-                                                        getSignerCertificates(scs));
-                    } else {
-                        canonCs = new SubjectCodeSource(scs.getSubject(),
-                                                        scs.getPrincipals(),
-                                                        csUrl,
-                                                        scs.getCertificates());
-                    }
-                } else {
-                    if (extractSignerCerts) {
-                        canonCs = new CodeSource(csUrl,
-                                                 getSignerCertificates(cs));
-                    } else {
-                        canonCs = new CodeSource(csUrl,
-                                                 cs.getCertificates());
-                    }
-                }
-            } catch (IOException ioe) {
-                // leave codesource as it is, unless we have to extract its
-                // signer certificates
-                if (extractSignerCerts) {
-                    if (!(cs instanceof SubjectCodeSource)) {
-                        canonCs = new CodeSource(cs.getLocation(),
-                                                getSignerCertificates(cs));
-                    } else {
-                        SubjectCodeSource scs = (SubjectCodeSource)cs;
-                        canonCs = new SubjectCodeSource(scs.getSubject(),
-                                                scs.getPrincipals(),
-                                                scs.getLocation(),
-                                                getSignerCertificates(scs));
-                    }
-                }
-            }
-        } else {
-            if (extractSignerCerts) {
-                if (!(cs instanceof SubjectCodeSource)) {
-                    canonCs = new CodeSource(cs.getLocation(),
-                                        getSignerCertificates(cs));
-                } else {
-                    SubjectCodeSource scs = (SubjectCodeSource)cs;
-                    canonCs = new SubjectCodeSource(scs.getSubject(),
-                                        scs.getPrincipals(),
-                                        scs.getLocation(),
-                                        getSignerCertificates(scs));
-                }
-            }
-        }
-        return canonCs;
-    }
-
-    /**
-     * Each entry in the policy configuration file is represented by a
-     * PolicyEntry object.  <p>
-     *
-     * A PolicyEntry is a (CodeSource,Permission) pair.  The
-     * CodeSource contains the (URL, PublicKey) that together identify
-     * where the Java bytecodes come from and who (if anyone) signed
-     * them.  The URL could refer to localhost.  The URL could also be
-     * null, meaning that this policy entry is given to all comers, as
-     * long as they match the signer field.  The signer could be null,
-     * meaning the code is not signed. <p>
-     *
-     * The Permission contains the (Type, Name, Action) triplet. <p>
-     *
-     * For now, the Policy object retrieves the public key from the
-     * X.509 certificate on disk that corresponds to the signedBy
-     * alias specified in the Policy config file.  For reasons of
-     * efficiency, the Policy object keeps a hashtable of certs already
-     * read in.  This could be replaced by a secure internal key
-     * store.
-     *
-     * <p>
-     * For example, the entry
-     * <pre>
-     *          permission java.io.File "/tmp", "read,write",
-     *          signedBy "Duke";
-     * </pre>
-     * is represented internally
-     * <pre>
-     *
-     * FilePermission f = new FilePermission("/tmp", "read,write");
-     * PublicKey p = publickeys.get("Duke");
-     * URL u = InetAddress.getLocalHost();
-     * CodeBase c = new CodeBase( p, u );
-     * pe = new PolicyEntry(f, c);
-     * </pre>
-     *
-     * @author Marianne Mueller
-     * @author Roland Schemers
-     * @see java.security.CodeSource
-     * @see java.security.Policy
-     * @see java.security.Permissions
-     * @see java.security.ProtectionDomain
-     */
-    private static class PolicyEntry {
-
-        CodeSource codesource;
-        Vector<Permission> permissions;
-
-        /**
-         * Given a Permission and a CodeSource, create a policy entry.
-         *
-         * XXX Decide if/how to add validity fields and "purpose" fields to
-         * XXX policy entries
-         *
-         * @param cs the CodeSource, which encapsulates the URL and the public
-         *        key attributes from the policy config file. Validity checks
-         *        are performed on the public key before PolicyEntry is called.
-         *
-         */
-        PolicyEntry(CodeSource cs) {
-            this.codesource = cs;
-            this.permissions = new Vector<Permission>();
-        }
-
-        /**
-         * add a Permission object to this entry.
-         */
-        void add(Permission p) {
-            permissions.addElement(p);
-        }
-
-        /**
-         * Return the CodeSource for this policy entry
-         */
-        CodeSource getCodeSource() {
-            return this.codesource;
-        }
-
-        @Override
-        public String toString(){
-            StringBuilder sb = new StringBuilder();
-            sb.append(rb.getString("LPARAM"));
-            sb.append(getCodeSource());
-            sb.append("\n");
-            for (int j = 0; j < permissions.size(); j++) {
-                Permission p = permissions.elementAt(j);
-                sb.append(rb.getString("SPACE"));
-                sb.append(rb.getString("SPACE"));
-                sb.append(p);
-                sb.append(rb.getString("NEWLINE"));
-            }
-            sb.append(rb.getString("RPARAM"));
-            sb.append(rb.getString("NEWLINE"));
-            return sb.toString();
-        }
-
-    }
-}
-
-@SuppressWarnings("deprecation")
-class PolicyPermissions extends PermissionCollection {
-
-    private static final long serialVersionUID = -1954188373270545523L;
-
-    private CodeSource codesource;
-    private Permissions perms;
-    private AuthPolicyFile policy;
-    private boolean notInit; // have we pulled in the policy permissions yet?
-    private Vector<Permission> additionalPerms;
-
-    PolicyPermissions(AuthPolicyFile policy,
-                      CodeSource codesource)
-    {
-        this.codesource = codesource;
-        this.policy = policy;
-        this.perms = null;
-        this.notInit = true;
-        this.additionalPerms = null;
-    }
-
-    @Override
-    public void add(Permission permission) {
-        if (isReadOnly())
-            throw new SecurityException
-            (AuthPolicyFile.rb.getString
-            ("attempt.to.add.a.Permission.to.a.readonly.PermissionCollection"));
-
-        if (perms == null) {
-            if (additionalPerms == null) {
-                additionalPerms = new Vector<Permission>();
-            }
-            additionalPerms.add(permission);
-        } else {
-            perms.add(permission);
-        }
-    }
-
-    private synchronized void init() {
-        if (notInit) {
-            if (perms == null) {
-                perms = new Permissions();
-            }
-            if (additionalPerms != null) {
-                Enumeration<Permission> e = additionalPerms.elements();
-                while (e.hasMoreElements()) {
-                    perms.add(e.nextElement());
-                }
-                additionalPerms = null;
-            }
-            policy.getPermissions(perms, codesource);
-            notInit = false;
-        }
-    }
-
-    @Override
-    public boolean implies(Permission permission) {
-        if (notInit) {
-            init();
-        }
-        return perms.implies(permission);
-    }
-
-    @Override
-    public Enumeration<Permission> elements() {
-        if (notInit) {
-            init();
-        }
-        return perms.elements();
-    }
-
-    @Override
-    public String toString() {
-        if (notInit) {
-            init();
-        }
-        return perms.toString();
-    }
-}
--- a/src/java.base/share/classes/sun/security/provider/PolicyFile.java	Thu Mar 08 11:44:43 2018 +0800
+++ b/src/java.base/share/classes/sun/security/provider/PolicyFile.java	Thu Mar 08 12:20:26 2018 +0800
@@ -51,13 +51,6 @@
  * This class represents a default Policy implementation for the
  * "JavaPolicy" type.
  *
- * Note:
- * For backward compatibility with JAAS 1.0 it loads
- * both java.auth.policy and java.policy. However, it
- * is recommended that java.auth.policy not be used
- * and that java.policy contain all grant entries including
- * those that contain principal-based entries.
- *
  * <p> This object stores the policy for the entire Java runtime,
  * and is the amalgamation of multiple static policy
  * configurations that resides in files.
@@ -75,17 +68,13 @@
  *   are needed in order for the runtime to operate correctly.
  * <li>
  *   Loop through the <code>java.security.Security</code> properties,
- *   <i>policy.url.1</i>, <i>policy.url.2</i>, ...,
- *   <i>policy.url.X</i>" and
- *   <i>auth.policy.url.1</i>, <i>auth.policy.url.2</i>, ...,
- *   <i>auth.policy.url.X</i>".  These properties are set
+ *   and <i>policy.url.1</i>, <i>policy.url.2</i>, ...,
+ *   <i>policy.url.X</i>".  These properties are set
  *   in the Java security properties file, which is located in the file named
  *   &lt;JAVA_HOME&gt;/conf/security/java.security.
  *   Each property value specifies a <code>URL</code> pointing to a
  *   policy file to be loaded.  Read in and load each policy.
  *
- *   <i>auth.policy.url</i> is supported only for backward compatibility.
- *
  *   If none of these could be loaded, use a builtin static policy
  *   equivalent to the conf/security/java.policy file.
  *
@@ -98,21 +87,7 @@
  *   <i>policy.allowSystemProperty</i> is set to <i>true</i>),
  *   also load that policy.
  *
- * <li>
- *   The <code>java.lang.System</code> property
- *   <i>java.security.auth.policy</i> may also be set to a
- *   <code>URL</code> pointing to another policy file
- *   (which is the case when a user uses the -D switch at runtime).
- *   If this property is defined, and its use is allowed by the
- *   security property file (the Security property,
- *   <i>policy.allowSystemProperty</i> is set to <i>true</i>),
- *   also load that policy.
- *
- *   <i>java.security.auth.policy</i> is supported only for backward
- *   compatibility.
- *
- *   If the <i>java.security.policy</i> or
- *   <i>java.security.auth.policy</i> property is defined using
+ *   If the <i>java.security.policy</i> property is defined using
  *   "==" (rather than "="), then load the specified policy file and ignore
  *   all other configured policies. Note, that the default.policy file is
  *   also loaded, as specified in the first step of the algorithm above.
@@ -269,8 +244,6 @@
                         "javax.security.auth.x500.X500Principal";
     private static final String POLICY = "java.security.policy";
     private static final String POLICY_URL = "policy.url.";
-    private static final String AUTH_POLICY = "java.security.auth.policy";
-    private static final String AUTH_POLICY_URL = "auth.policy.url.";
 
     private static final int DEFAULT_CACHE_SIZE = 1;
 
@@ -411,14 +384,6 @@
             /**
              * Caller did not specify URL via Policy.getInstance.
              * Read from URLs listed in the java.security properties file.
-             *
-             * We call initPolicyFile with POLICY, POLICY_URL and then
-             * call it with AUTH_POLICY and AUTH_POLICY_URL.
-             * So first we will process the JAVA standard policy
-             * and then process the JAVA AUTH Policy.
-             * This is for backward compatibility as well as to handle
-             * cases where the user has a single unified policyfile
-             * with both java policy entries and auth entries
              */
 
             boolean loaded_one = initPolicyFile(POLICY, POLICY_URL, newInfo);
@@ -428,8 +393,6 @@
                 // use static policy if all else fails
                 initStaticPolicy(newInfo);
             }
-
-            initPolicyFile(AUTH_POLICY, AUTH_POLICY_URL, newInfo);
         }
     }
 
--- a/src/java.base/share/classes/sun/security/util/Resources.java	Thu Mar 08 11:44:43 2018 +0800
+++ b/src/java.base/share/classes/sun/security/util/Resources.java	Thu Mar 08 12:20:26 2018 +0800
@@ -150,11 +150,6 @@
         // sun.security.pkcs11.SunPKCS11
         {"PKCS11.Token.providerName.Password.",
                 "PKCS11 Token [{0}] Password: "},
-
-        /* --- DEPRECATED --- */
-        // javax.security.auth.Policy
-        {"unable.to.instantiate.Subject.based.policy",
-                "unable to instantiate Subject-based policy"}
     };