RFR: 8296244: Alternate implementation of user-based authorization Subject APIs that doesn’t depend on Security Manager APIs [v3]
Sean Mullan
mullan at openjdk.org
Mon Mar 4 19:59:46 UTC 2024
On Mon, 4 Mar 2024 19:51:38 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> src/java.management/share/classes/com/sun/jmx/remote/security/MBeanServerFileAccessController.java line 309:
>>
>>> 307: final Subject s;
>>> 308: if (!SharedSecrets.getJavaLangAccess().allowSecurityManager()) {
>>> 309: s = Subject.current();
>>
>> We may not want to call `Subject.current()` here, as this may imply that we will support this functionality even if an SM is not enabled.
>
> I was not exactly sure if we will support this functionality. The class name has `AccessControler` and the method names use `checkAccess`, but they actually do not always depend on security manager.
I think we need @kevinjwalls or @dfuch to help advise on this.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/17472#discussion_r1511721920
More information about the core-libs-dev
mailing list