RFR 8064331: JavaSecurityAccess.doIntersectionPrivilege() drops the information about the domain combiner of the stack ACC

Jaroslav Bachorik jaroslav.bachorik at oracle.com
Tue Feb 3 09:42:05 UTC 2015

Please, review the following change to j.s.ProtectionDomain

Issue : https://bugs.openjdk.java.net/browse/JDK-8064331
Webrev: http://cr.openjdk.java.net/~jbachorik/8064331/webrev.01

This issue was reported against the JMX functionality. When a user tries 
to do the following
AccessControlContext acc = AccessController.getContext();
Subject subject = Subject.getSubject(acc);
the subject is always null even though it should contain the currently 
authenticated Subject.

The reason for this is the combination of the facts that JMX is using 
JavaSecurityAccess.doIntersectionPrivilege(actin, stackACC, savedACC) to 
invoke a code in the combined access control context and this method 
just drops the information about the domain combiner of the stack ACC.

In turn, Subject.getSubject(acc) relies on a correct domain container 
used in the current ACC and fails.

The fix is to make the 
JavaSecurityAccess.doIntersectionPrivilege(action, stackACC, savedACC) 
to pay attention to the domain combiner of the stackACC.



More information about the security-dev mailing list