Subject.getPrincipals(), getPublicCredentials(), getPrivateCredentials() are inherently unsafe

Roman Leventov leventov.ru at gmail.com
Thu Jan 2 15:47:26 UTC 2020


I already filed a bug (ID 9063182), but was advised to write to this list
instead.

I don't have an artificial test case, but it should be straightforward to
write one.

On Thu, 2 Jan 2020 at 18:01, Sean Mullan <sean.mullan at oracle.com> wrote:

> On 1/1/20 1:25 PM, Roman Leventov wrote:
> > If somebody tries to iterate these collections concurrently with
> > modification in another thread, the consequences are undefined.
>
> Right, the javadoc is not clear on that.
>
> > A possible fix is to use CopyOnWriteArrayList as SecureSet.elements
> > field instead of LinkedList.
>
> A workaround is to synchronize on the returned collections when iterating.
>
> Would you please consider filing a bug [1]? If you have a test case,
> please also attach it to the bug report.
>
> Thanks,
> Sean
>
> [1] https://bugreport.java.com/bugreport/
>
>
>
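Added example (not part of the original message and not JDK code): the workaround quoted above, applied by copying the principals while holding the monitor of the set returned by `Subject.getPrincipals()` and then iterating the copy, while a second thread keeps modifying the live set. The class `SubjectIterationExample`, the `Named` record and the `snapshot` helper are hypothetical names for this illustration; Java 16 or later is assumed for the record syntax.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;

public class SubjectIterationExample {
    // Hypothetical principal type, constructed for this demo only.
    record Named(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    // Copy the principals while holding the returned set's monitor,
    // so callers iterate a private snapshot instead of the live set.
    static List<Principal> snapshot(Subject subject) {
        Set<Principal> principals = subject.getPrincipals();
        synchronized (principals) {
            return new ArrayList<>(principals);
        }
    }

    public static void main(String[] args) throws Exception {
        Subject subject = new Subject();
        Set<Principal> principals = subject.getPrincipals();
        principals.add(new Named("initial"));

        // Writer thread: adds and removes principals on the live set
        // while the main thread is reading it.
        Thread writer = new Thread(() -> {
            for (int i = 0; i < 20_000; i++) {
                Principal p = new Named("p" + i);
                principals.add(p);
                principals.remove(p);
            }
        });
        writer.start();

        long seen = 0;
        while (writer.isAlive()) {
            // The form discussed in the thread is a bare
            // for (Principal p : principals) loop with no lock held.
            for (Principal p : snapshot(subject)) {
                seen += p.getName().length();
            }
        }
        writer.join();
        System.out.println("read loop finished, name chars seen: " + seen);
        System.out.println("principals left: " + principals.size());
    }
}
```

The same pattern applies to the sets returned by `getPublicCredentials()` and `getPrivateCredentials()`; code that must not copy can instead run the whole loop inside the `synchronized` block.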


More information about the security-dev mailing list