RFR 8064331: JavaSecurityAccess.doIntersectionPrivilege() drops the information about the domain combiner of the stack ACC
Jaroslav Bachorik
jaroslav.bachorik at oracle.com
Tue Feb 3 09:42:05 UTC 2015
Please, review the following change to j.s.ProtectionDomain
Issue : https://bugs.openjdk.java.net/browse/JDK-8064331
Webrev: http://cr.openjdk.java.net/~jbachorik/8064331/webrev.01
This issue was reported against the JMX functionality. When a user tries
to do the following
```
AccessControlContext acc = AccessController.getContext();
Subject subject = Subject.getSubject(acc);
```
the subject is always null even though it should contain the currently
authenticated Subject.
The reason for this is the combination of the facts that JMX is using
JavaSecurityAccess.doIntersectionPrivilege(action, stackACC, savedACC) to
invoke code in the combined access control context and this method
just drops the information about the domain combiner of the stack ACC.
In turn, Subject.getSubject(acc) relies on a correct domain container
used in the current ACC and fails.
The fix is to make
JavaSecurityAccess.doIntersectionPrivilege(action, stackACC, savedACC)
pay attention to the domain combiner of the stackACC.
Thanks,
-JB-
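
An added illustration of the mechanism described in the message above; it is not part of the original message, the webrev, or OpenJDK. It uses only public API (not the internal JavaSecurityAccess) to show that Subject.getSubject(acc) depends on the context's domain combiner. The class name CombinerDemo and the principal are constructed, and a JDK of that era (8 or 9) with no security manager installed is assumed.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.DomainCombiner;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

// Hypothetical demo class, not code from the JDK or the patch under review.
public class CombinerDemo {
    public static void main(String[] args) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new X500Principal("CN=demo-user")); // constructed principal

        // Subject.doAs installs a SubjectDomainCombiner on the context it runs the action in.
        Subject.doAs(subject, (PrivilegedAction<Void>) () -> {
            AccessControlContext stackAcc = AccessController.getContext();
            report("stack ACC inside doAs", stackAcc);

            // A context rebuilt from protection domains alone has no combiner,
            // so the Subject can no longer be recovered from it.
            ProtectionDomain[] domains = { CombinerDemo.class.getProtectionDomain() };
            AccessControlContext stripped = new AccessControlContext(domains);
            report("rebuilt without combiner", stripped);

            // Carrying the stack ACC's combiner over to the new context
            // makes Subject.getSubject work again.
            DomainCombiner combiner = stackAcc.getDomainCombiner();
            AccessControlContext restored = new AccessControlContext(stripped, combiner);
            report("combiner carried over", restored);
            return null;
        });
    }

    // Print the combiner type and the Subject that Subject.getSubject derives from it.
    static void report(String label, AccessControlContext acc) {
        DomainCombiner dc = acc.getDomainCombiner();
        String combinerName = (dc == null) ? "none" : dc.getClass().getSimpleName();
        Subject s = Subject.getSubject(acc);
        System.out.println(label + ": combiner=" + combinerName
                + ", subject=" + (s == null ? "null" : s.getPrincipals().toString()));
    }
}
```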