diff --git a/lucene/analysis/common/src/test/org/apache/lucene/analysis/util/TestFilesystemResourceLoader.java b/lucene/analysis/common/src/test/org/apache/lucene/analysis/util/TestFilesystemResourceLoader.java
index 36c7eaca8e6..3e68868bd4b 100644
--- a/lucene/analysis/common/src/test/org/apache/lucene/analysis/util/TestFilesystemResourceLoader.java
+++ b/lucene/analysis/common/src/test/org/apache/lucene/analysis/util/TestFilesystemResourceLoader.java
@@ -31,7 +31,7 @@ public class TestFilesystemResourceLoader extends LuceneTestCase {
private void assertNotFound(ResourceLoader rl) throws Exception {
try {
- IOUtils.closeWhileHandlingException(rl.openResource("/this-directory-really-really-really-should-not-exist/foo/bar.txt"));
+ IOUtils.closeWhileHandlingException(rl.openResource("this-directory-really-really-really-should-not-exist/foo/bar.txt"));
fail("The resource does not exist, should fail!");
} catch (IOException ioe) {
// pass
diff --git a/lucene/analysis/uima/src/java/org/apache/lucene/analysis/uima/ae/BasicAEProvider.java b/lucene/analysis/uima/src/java/org/apache/lucene/analysis/uima/ae/BasicAEProvider.java
index 15d90ab3ab4..300201d7b4d 100644
--- a/lucene/analysis/uima/src/java/org/apache/lucene/analysis/uima/ae/BasicAEProvider.java
+++ b/lucene/analysis/uima/src/java/org/apache/lucene/analysis/uima/ae/BasicAEProvider.java
@@ -80,7 +80,7 @@ public class BasicAEProvider implements AEProvider {
private XMLInputSource getInputSource() throws IOException {
try {
return new XMLInputSource(aePath);
- } catch (IOException e) {
+ } catch (Exception e) {
return new XMLInputSource(getClass().getResource(aePath));
}
}
diff --git a/lucene/common-build.xml b/lucene/common-build.xml
index 3585defcda3..a11c2c6f7aa 100644
--- a/lucene/common-build.xml
+++ b/lucene/common-build.xml
@@ -125,6 +125,7 @@
+
@@ -1012,11 +1013,12 @@
+
-
+
@@ -2501,7 +2503,7 @@ The following arguments can be provided to ant to alter its behaviour and target
-
+
>", "read,execute";
+ permission java.io.FilePermission "${junit4.childvm.cwd}", "read,execute";
+ permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,execute,write,delete";
+ permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,execute,write,delete";
+ permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,execute,write,delete";
+ permission java.io.FilePermission "${clover.db.dir}${/}-", "read,execute,write,delete";
+
+ // all possibilities of accepting/binding connections on localhost with ports >=1024:
+ permission java.net.SocketPermission "localhost:1024-", "accept,listen";
+ permission java.net.SocketPermission "127.0.0.1:1024-", "accept,listen";
+ permission java.net.SocketPermission "[::1]:1024-", "accept,listen";
+
+ // This is a special case, because the network config of the ASF Jenkins server is broken,
+ // see: http://freebsd.1045724.n5.nabble.com/jail-external-and-localhost-distinction-td3967320.html
+ permission java.net.SocketPermission "lucene.zones.apache.org:1024-", "accept,listen";
+
+ // Allow connecting to the internet anywhere
+ permission java.net.SocketPermission "*", "connect,resolve";
+
+ // Basic permissions needed for Lucene to work:
+ permission java.util.PropertyPermission "*", "read,write";
+ permission java.lang.reflect.ReflectPermission "*";
+ permission java.lang.RuntimePermission "*";
+
+ // These two *have* to be spelled out a separate
+ permission java.lang.management.ManagementPermission "control";
+ permission java.lang.management.ManagementPermission "monitor";
+
+ // Solr needs those:
+ permission java.net.NetPermission "*";
+ permission java.sql.SQLPermission "*";
+ permission java.util.logging.LoggingPermission "control";
+ permission javax.management.MBeanPermission "*", "*";
+ permission javax.management.MBeanServerPermission "*";
+ permission javax.management.MBeanTrustPermission "*";
+ permission javax.security.auth.AuthPermission "*";
+ permission javax.security.auth.PrivateCredentialPermission "org.apache.hadoop.security.Credentials * \"*\"", "read";
+ permission java.security.SecurityPermission "putProviderProperty.SaslPlainServer";
+ permission java.security.SecurityPermission "insertProvider.SaslPlainServer";
+ permission javax.xml.bind.JAXBPermission "setDatatypeConverter";
+
+ // TIKA uses BouncyCastle and that registers new provider for PDF parsing + MSOffice parsing. Maybe report as bug!
+ permission java.security.SecurityPermission "putProviderProperty.BC";
+ permission java.security.SecurityPermission "insertProvider.BC";
+
+ // Needed for some things in DNS caching in the JVM
+ permission java.security.SecurityPermission "getProperty.networkaddress.cache.ttl";
+ permission java.security.SecurityPermission "getProperty.networkaddress.cache.negative.ttl";
+
+ // SSL related properties for Solr tests
+ permission java.security.SecurityPermission "getProperty.ssl.*";
+
+ // SASL/Kerberos related properties for Solr tests
+ permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KerberosTicket * \"*\"", "read";
+
+ // may only be necessary with Java 7?
+ permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KeyTab * \"*\"", "read";
+ permission javax.security.auth.PrivateCredentialPermission "sun.security.jgss.krb5.Krb5Util$KeysFromKeyTab * \"*\"", "read";
+
+ permission javax.security.auth.kerberos.ServicePermission "krbtgt/EXAMPLE.COM@EXAMPLE.COM", "initiate";
+ permission javax.security.auth.kerberos.ServicePermission "zookeeper/127.0.0.1@EXAMPLE.COM", "initiate";
+ permission javax.security.auth.kerberos.ServicePermission "zookeeper/127.0.0.1@EXAMPLE.COM", "accept";
+};
diff --git a/lucene/tools/junit4/tests.policy b/lucene/tools/junit4/tests.policy
index c5968999b35..9ef364db3b5 100644
--- a/lucene/tools/junit4/tests.policy
+++ b/lucene/tools/junit4/tests.policy
@@ -15,76 +15,71 @@
* limitations under the License.
*/
-// Policy file to prevent tests from writing outside the test sandbox directory
-// (must be given as a sysprop: tests.sandbox.dir)
-// This policy also disallows stuff like listening on network ports of interfaces
-// different than 127.0.0.1.
-
-// PLEASE NOTE: You may need to enable other permissions when new tests are added,
-// everything not allowed here is forbidden!
+// Policy file for lucene tests. Please keep minimal and avoid wildcards.
grant {
- // permissions for file access, write access only to sandbox:
- permission java.io.FilePermission "<>", "read,execute";
- permission java.io.FilePermission "${junit4.childvm.cwd}", "read,execute";
- permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,execute,write,delete";
- permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,execute,write,delete";
- permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,execute,write,delete";
- permission java.io.FilePermission "${clover.db.dir}${/}-", "read,execute,write,delete";
+ // contain read access to only what we need:
+ // 3rd party jar resources (where symlinks are not supported), test-files/ resources
+ permission java.io.FilePermission "${common.dir}${/}-", "read";
+ // 3rd party jar resources (where symlinks are supported)
+ permission java.io.FilePermission "${user.home}${/}.ivy2${/}cache${/}-", "read";
+ // system jar resources, and let TestIndexWriterOnJRECrash fork its jvm
+ permission java.io.FilePermission "${java.home}${/}-", "read,execute";
+ // should be enclosed within common.dir, but just in case:
+ permission java.io.FilePermission "${junit4.childvm.cwd}", "read";
+
+ // write only to sandbox
+ permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,write,delete";
+ permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,write,delete";
+ permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,write,delete";
+ permission java.io.FilePermission "${clover.db.dir}${/}-", "read,write,delete";
+
+ // needed by gson serialization of junit4 runner: TODO clean that up
+ permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+ // needed by junit4 runner to capture sysout/syserr:
+ permission java.lang.RuntimePermission "setIO";
+ // needed by randomized runner to catch failures from other threads:
+ permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
+ // needed by randomized runner getTopThreadGroup:
+ permission java.lang.RuntimePermission "modifyThreadGroup";
+ // needed by tests e.g. shutting down executors:
+ permission java.lang.RuntimePermission "modifyThread";
+ // needed for tons of test hacks etc
+ permission java.lang.RuntimePermission "getStackTrace";
+ // needed for mock filesystems in tests
+ permission java.lang.RuntimePermission "fileSystemProvider";
+ // needed for mock filesystems in tests (to capture implCloseChannel)
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
+ // needed by junit nested compat tests (due to static fields reflection), TODO clean these up:
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.util.calendar";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.util.locale";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.fs";
+ // needed for test of IOUtils.spins (maybe it can be avoided)
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
+ // analyzers/morfologik: needed for a horrible context classloader hack for solr in morfologikfilter: nuke this
+ permission java.lang.RuntimePermission "setContextClassLoader";
+ // analyzers/uima: needed by UIMA message localization... (?)
+ permission java.lang.RuntimePermission "createSecurityManager";
+ permission java.lang.RuntimePermission "createClassLoader";
+ // needed to test unmap hack on platforms that support it
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
- // all possibilities of accepting/binding connections on localhost with ports >=1024:
- permission java.net.SocketPermission "localhost:1024-", "accept,listen";
- permission java.net.SocketPermission "127.0.0.1:1024-", "accept,listen";
- permission java.net.SocketPermission "[::1]:1024-", "accept,listen";
+ // read access to all system properties:
+ // needed by junit4 BootstrapEvent (it calls System.getProperties, used by ant xml reporting?)
+ permission java.util.PropertyPermission "*", "read,write";
+
+ // replicator: jetty tests require some network permissions:
+ // all possibilities of accepting/binding/connecting on localhost with ports >= 1024:
+ permission java.net.SocketPermission "localhost:1024-", "accept,listen,connect,resolve";
+ permission java.net.SocketPermission "127.0.0.1:1024-", "accept,listen,connect,resolve";
+ permission java.net.SocketPermission "[::1]:1024-", "accept,listen,connect,resolve";
// This is a special case, because the network config of the ASF Jenkins server is broken,
// see: http://freebsd.1045724.n5.nabble.com/jail-external-and-localhost-distinction-td3967320.html
- permission java.net.SocketPermission "lucene.zones.apache.org:1024-", "accept,listen";
-
- // Allow connecting to the internet anywhere
- permission java.net.SocketPermission "*", "connect,resolve";
-
- // Basic permissions needed for Lucene to work:
- permission java.util.PropertyPermission "*", "read,write";
- permission java.lang.reflect.ReflectPermission "*";
- permission java.lang.RuntimePermission "*";
+ permission java.net.SocketPermission "lucene.zones.apache.org:1024-", "accept,listen,connect,resolve";
- // These two *have* to be spelled out a separate
- permission java.lang.management.ManagementPermission "control";
- permission java.lang.management.ManagementPermission "monitor";
-
- // Solr needs those:
- permission java.net.NetPermission "*";
- permission java.sql.SQLPermission "*";
- permission java.util.logging.LoggingPermission "control";
- permission javax.management.MBeanPermission "*", "*";
- permission javax.management.MBeanServerPermission "*";
- permission javax.management.MBeanTrustPermission "*";
- permission javax.security.auth.AuthPermission "*";
- permission javax.security.auth.PrivateCredentialPermission "org.apache.hadoop.security.Credentials * \"*\"", "read";
- permission java.security.SecurityPermission "putProviderProperty.SaslPlainServer";
- permission java.security.SecurityPermission "insertProvider.SaslPlainServer";
- permission javax.xml.bind.JAXBPermission "setDatatypeConverter";
-
- // TIKA uses BouncyCastle and that registers new provider for PDF parsing + MSOffice parsing. Maybe report as bug!
- permission java.security.SecurityPermission "putProviderProperty.BC";
- permission java.security.SecurityPermission "insertProvider.BC";
-
- // Needed for some things in DNS caching in the JVM
- permission java.security.SecurityPermission "getProperty.networkaddress.cache.ttl";
- permission java.security.SecurityPermission "getProperty.networkaddress.cache.negative.ttl";
-
- // SSL related properties for Solr tests
- permission java.security.SecurityPermission "getProperty.ssl.*";
-
- // SASL/Kerberos related properties for Solr tests
- permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KerberosTicket * \"*\"", "read";
-
- // may only be necessary with Java 7?
- permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KeyTab * \"*\"", "read";
- permission javax.security.auth.PrivateCredentialPermission "sun.security.jgss.krb5.Krb5Util$KeysFromKeyTab * \"*\"", "read";
-
- permission javax.security.auth.kerberos.ServicePermission "krbtgt/EXAMPLE.COM@EXAMPLE.COM", "initiate";
- permission javax.security.auth.kerberos.ServicePermission "zookeeper/127.0.0.1@EXAMPLE.COM", "initiate";
- permission javax.security.auth.kerberos.ServicePermission "zookeeper/127.0.0.1@EXAMPLE.COM", "accept";
+ // SSL related properties for jetty
+ permission java.security.SecurityPermission "getProperty.ssl.KeyManagerFactory.algorithm";
+ permission java.security.SecurityPermission "getProperty.ssl.TrustManagerFactory.algorithm";
};
diff --git a/solr/common-build.xml b/solr/common-build.xml
index abe8fed401b..9d0735fc62f 100644
--- a/solr/common-build.xml
+++ b/solr/common-build.xml
@@ -38,6 +38,7 @@
+