RFR: 8267485: Remove the dependency on SecurityManager in JceSecurityManager.java [v2]

Bradford Wetmore wetmore at openjdk.java.net
Wed Jun 2 22:08:38 UTC 2021


On Wed, 2 Jun 2021 18:18:46 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:

>> Bradford Wetmore has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains six commits:
>> 
>>  - Merge branch 'master' into JDK-8267485
>>  - Merge branch 'master' into JDK-8267485
>>  - Replace missing annotation
>>  - Merge branch 'master' into JDK-8267485
>>  - Updated copyright date.
>>  - 8267485: Remove the dependency on SecurityManager in JceSecurityManager.java
>
> src/java.base/share/classes/javax/crypto/JceSecurityManager.java line 107:
> 
>> 105:         List<StackFrame> stack = StackWalker.getInstance(
>> 106:                 StackWalker.Option.RETAIN_CLASS_REFERENCE)
>> 107:                 .walk((s) -> s.collect(Collectors.toList()));
> 
> StackWalker.getInstance(StackWalker.Option.RETAIN_CLASS_REFERENCE) will require a permission check.
> As long as the SecurityManager is still functional, doesn't this mean that creating the StackWalker should be performed in a doPrivileged? If so maybe it should be done in a (possibly static) initializer. Or is it intentional to check that the caller (and the whole calling stack) possess the `RuntimePermission("getStackWalkerWithClassReference")`?

Good catch, thanks.

-------------

PR: https://git.openjdk.java.net/jdk/pull/4150
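
The review suggestion above, sketched as an added example (not code from the pull request or from the JDK): the StackWalker is created once in a static initializer inside doPrivileged, so the `getStackWalkerWithClassReference` check is made against this class alone. The class name `CallerStackExample` and the method `currentStack` are hypothetical.

```java
import java.lang.StackWalker.StackFrame;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.List;
import java.util.stream.Collectors;

// Hypothetical class; illustrates the reviewer's suggestion only.
public class CallerStackExample {

    // StackWalker.getInstance(RETAIN_CLASS_REFERENCE) checks
    // RuntimePermission("getStackWalkerWithClassReference") when a
    // SecurityManager is installed. Creating the walker inside doPrivileged
    // stops the permission check at this class's frame, so callers further
    // up the stack do not need to hold the permission themselves.
    // AccessController is deprecated for removal since JDK 17, hence the
    // annotation.
    @SuppressWarnings("removal")
    private static final StackWalker WALKER = AccessController.doPrivileged(
            (PrivilegedAction<StackWalker>) () -> StackWalker.getInstance(
                    StackWalker.Option.RETAIN_CLASS_REFERENCE));

    // Same walk as in the quoted lines, but reusing the shared walker.
    // walk() itself performs no permission check; only getInstance does.
    static List<StackFrame> currentStack() {
        return WALKER.walk(s -> s.collect(Collectors.toList()));
    }

    public static void main(String[] args) {
        // getDeclaringClass() works because RETAIN_CLASS_REFERENCE was set.
        for (StackFrame frame : currentStack()) {
            System.out.println(frame.getDeclaringClass().getName()
                    + "." + frame.getMethodName());
        }
    }
}
```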


