Merge pull request #25566 from dmatej/loginconfig

The java.security.auth.login.config system property must be an URL

Author: arjantijms

appserver/appclient/client/acc-standalone/src/main/java/org/glassfish/appclient/client/acc/agent/CLIBootstrap.java

@@ -20,6 +20,8 @@
 import java.io.File;
 import java.io.IOException;
 import java.io.PrintStream;
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.List;
@@ -292,7 +294,7 @@ private void addProperties(final StringBuilder command) {
         command.append(' ').append("-D").append(INSTALL_ROOT.getSystemPropertyName()).append('=').append(quote(gfInfo.home().getAbsolutePath()));
         command.append(' ').append("-Dorg.glassfish.gmbal.no.multipleUpperBoundsException=true");
         command.append(' ').append(SECURITY_POLICY_PROPERTY_EXPR).append(quote(gfInfo.securityPolicy().getAbsolutePath()));
-        command.append(' ').append(SECURITY_AUTH_LOGIN_CONFIG_PROPERTY_EXPR).append(quote(gfInfo.loginConfig().getAbsolutePath()));
+        command.append(' ').append(SECURITY_AUTH_LOGIN_CONFIG_PROPERTY_EXPR).append(quote(gfInfo.loginConfig().toExternalForm()));
     }
 
     /**
@@ -910,8 +912,12 @@ File securityPolicy() {
             return new File(libAppclient, "client.policy");
         }
 
-        File loginConfig() {
-            return new File(libAppclient, "appclientlogin.conf");
+        URL loginConfig() {
+            try {
+                return new File(libAppclient, "appclientlogin.conf").toURI().toURL();
+            } catch (MalformedURLException e) {
+                throw new IllegalStateException("Could not create URL for appclientlogin.conf", e);
+            }
         }
     }
 

appserver/appclient/client/acc/src/main/java/org/glassfish/appclient/client/acc/AppClientContainerSecurityHelper.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2024 Contributors to the Eclipse Foundation.
+ * Copyright (c) 2024, 2025 Contributors to the Eclipse Foundation.
  * Copyright (c) 1997, 2018 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -27,7 +27,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.net.Authenticator;
-import java.net.URI;
+import java.nio.file.Path;
 import java.util.List;
 import java.util.Properties;
 import java.util.logging.Logger;
@@ -87,28 +87,21 @@ void init(final TargetServer[] targetServers, final List<MessageSecurityConfig>
     }
 
     private void initLoginConfig() throws IOException {
-        /*
-         * During Java Web Start launches, the appclientlogin.conf content is passed as a property. Store that content (if
-         * present) into a local temporary file and use that during this app client launch.
-         */
+
+        // During Java Web Start launches, the appclientlogin.conf content is passed as a property.
+        // Store that content (if present) into a local temporary file and use that during this app client launch.
         final String appclientloginConfContent = System.getProperty("appclient.login.conf.content");
-        URI configURI;
+        final File configFile;
         if (appclientloginConfContent == null) {
-            configURI = new File(System.getProperty(INSTALL_ROOT.getSystemPropertyName())).toURI()
-                .resolve("lib/appclient/appclientlogin.conf");
+            configFile = new File(System.getProperty(INSTALL_ROOT.getSystemPropertyName())).toPath()
+                .resolve(Path.of("lib", "appclient", "appclientlogin.conf")).toFile();
         } else {
-            configURI = writeTextToTempFile(appclientloginConfContent, "appclientlogin", ".conf", false).toURI();
+            configFile = writeTextToTempFile(appclientloginConfContent, "appclientlogin", ".conf", false);
         }
 
-        final File configFile = new File(configURI);
-
-        /*
-         * Ugly, but necessary. The Java com.sun.security.auth.login.ConfigFile class expects the
-         * java.security.auth.login.config property value to be a URL, but one with NO encoding. That is, if the path to the
-         * config file contains a blank then ConfigFile class expects the URL to contain a blank, not %20 for example. So, we
-         * need to use the deprecated File.toURL() method to create such a URL.
-         */
-        System.setProperty("java.security.auth.login.config", configFile.toURI().toURL().toString());
+        // The Java com.sun.security.auth.login.ConfigFile class expects the
+        // java.security.auth.login.config property value to be a URL
+        System.setProperty("java.security.auth.login.config", configFile.toURI().toURL().toExternalForm());
     }
 
     /**

nucleus/security/core/src/main/java/com/sun/enterprise/security/SecurityLifecycle.java

@@ -1,4 +1,5 @@
 /*
+ * Copyright (c) 2025 Contributors to the Eclipse Foundation.
  * Copyright (c) 1997, 2021 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -91,7 +92,7 @@ public SecurityLifecycle() {
             if (Util.isEmbeddedServer()) {
                 // If the user-defined login.conf/server.policy are set as system properties, then they are given priority
                 if (System.getProperty(SYS_PROP_LOGIN_CONF) == null) {
-                    System.setProperty(SYS_PROP_LOGIN_CONF, writeConfigFileToTempDir("login.conf").getAbsolutePath());
+                    System.setProperty(SYS_PROP_LOGIN_CONF, writeConfigFileToTempDir("login.conf").toURI().toURL().toExternalForm());
                 }
                 if (System.getProperty(SYS_PROP_JAVA_SEC_POLICY) == null) {
                     System.setProperty(SYS_PROP_JAVA_SEC_POLICY, writeConfigFileToTempDir("server.policy").getAbsolutePath());