RFR 8064331: JavaSecurityAccess.doIntersectionPrivilege() drops the information about the domain combiner of the stack ACC

Sean Mullan sean.mullan at oracle.com
Thu Feb 5 22:19:45 UTC 2015


The copyright on the test should be at the top. Otherwise, this fix
looks good to me.

--Sean

On 02/03/2015 04:42 AM, Jaroslav Bachorik wrote:
> Please, review the following change to j.s.ProtectionDomain
> 
> Issue : https://bugs.openjdk.java.net/browse/JDK-8064331
> Webrev: http://cr.openjdk.java.net/~jbachorik/8064331/webrev.01
> 
> This issue was reported against the JMX functionality. When a user tries
> to do the following
> ```
> AccessControlContext acc = AccessController.getContext();
> Subject subject = Subject.getSubject(acc);
> ```
> the subject is always null even though it should contain the currently
> authenticated Subject.
> 
> The reason for this is the combination of the facts that JMX is using
> JavaSecurityAccess.doIntersectionPrivilege(action, stackACC, savedACC) to
> invoke code in the combined access control context and this method
> just drops the information about the domain combiner of the stack ACC.
> 
> In turn, Subject.getSubject(acc) relies on a correct domain container
> used in the current ACC and fails.
> 
> The fix is to make
> JavaSecurityAccess.doIntersectionPrivilege(action, stackACC, savedACC)
> pay attention to the domain combiner of the stackACC.
> 
> Thanks,
> 
> -JB-
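
The dependency described in the quoted message, as an added example that is not part of the original thread or of the JDK change: Subject.getSubject(acc) finds the Subject through the context's domain combiner, so a context rebuilt without that combiner yields null. It assumes JDK 8 through 17 with no security manager installed; the class name, helper name and principal are constructed, and a combiner-less AccessControlContext passed to doPrivileged stands in for the pre-fix doIntersectionPrivilege behaviour, whose code is not shown on this page.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.DomainCombiner;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

// Hypothetical demo class (not JDK or JMX code).
public class CombinerDropDemo {

    // Runs the lookup from the bug report while 'ctx' is the privileged context.
    static Subject subjectSeenUnder(AccessControlContext ctx) {
        return AccessController.doPrivileged(
            (PrivilegedAction<Subject>) () ->
                Subject.getSubject(AccessController.getContext()),
            ctx);
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        // Constructed principal, for illustration only.
        subject.getPrincipals().add(new X500Principal("CN=constructed-demo-user"));

        Subject.doAs(subject, (PrivilegedAction<Void>) () -> {
            // Subject.doAs attaches a SubjectDomainCombiner to the context.
            AccessControlContext stackAcc = AccessController.getContext();
            DomainCombiner combiner = stackAcc.getDomainCombiner();
            System.out.println("combiner on stack ACC: " + combiner);
            System.out.println("subject via stack ACC: "
                + (Subject.getSubject(stackAcc) == subject));

            // A context built from protection domains alone has no combiner,
            // which is the information the report says was being dropped.
            AccessControlContext rebuilt =
                new AccessControlContext(new ProtectionDomain[0]);
            System.out.println("subject without combiner: "
                + subjectSeenUnder(rebuilt));

            // Carrying the stack ACC's combiner over restores the lookup.
            AccessControlContext restored =
                new AccessControlContext(rebuilt, combiner);
            System.out.println("subject with combiner kept: "
                + (subjectSeenUnder(restored) == subject));
            return null;
        });
    }
}
```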