RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v2]

Sean Mullan mullan at openjdk.java.net
Wed Oct 27 13:48:27 UTC 2021

On Sat, 23 Oct 2021 00:40:39 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> New `Subject` APIs `current()` and `callAs()` are created to be replacements of `getSubject()` and `doAs()` since the latter two methods are now deprecated for removal.
>> In this implementation, by default, `current()` returns the same value as `getSubject(AccessController.getCurrent())` and `callAs()` is implemented based on `doAs()`. This behavior is subject to change in the future once `SecurityManager` is removed.
>> User can experiment a possible future mechanism by setting the system property `jdk.security.auth.subject.useTL` to `true`, where the `callAs()` method stores the subject into a `ThreadLocal` object and the `current()` method returns it (Note: this mechanism does not work with principal-based permissions).
>> Inside JDK, we’ve switched from `getSubject()` to `current()` in JGSS and user can start switching to `callAs()` in their applications. Users can also switch to `current()` but please note that if you used to call `getSubject(acc)` in a `doPrivileged` call you might need to try calling `current()` in a `doPrivilegedWithCombiner` call to see if the `AccessControlContext` inside the call inherits the subject from the outer one.
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>   renames

src/java.base/share/classes/javax/security/auth/Subject.java line 296:

> 294:      *       which is equivalent to
> 295:      *       {@code Subject.getSubject(AccessController.getContext())}
> 296:      *       by default in this implementation.

I don't think you need the words "by default".

src/java.base/share/classes/javax/security/auth/Subject.java line 324:

> 322:     }
> 323: 
> 324:     // Store the current subject to a ThreadLocal when a system property is set.

nit: "... in a ThreadLocal ..."

src/java.base/share/classes/javax/security/auth/Subject.java line 357:

> 355:      * is set to {@code true}, it will be retrieved from an inheritable
> 356:      * {@code ThreadLocal} object. This behavior is subject to change in a
> 357:      * future version.

Suggest rewording this to: "By default, this method returns the same value as {@code Subject.getSubject(AccessController.getContext())}. This preserves compatibility with code that may still be calling {@code doAs} which installs the subject in an {@code AccessControlContext}. However, if the system property {@systemProperty jdk.security.auth.subject.useTL} is set to {@code true}, the subject is retrieved from an inheritable {@code ThreadLocal} object. This implementation behavior is subject to change in a future version."

src/java.base/share/classes/javax/security/auth/Subject.java line 360:

> 358:      * <p>
> 359:      * No matter what storage is chosen, the current subject will
> 360:      * always be installed by the {@link #callAs} method.

I'm not really sure if this sentence is necessary. It seems like it doesn't need to be in the specification to me. The first sentence is clear enough to me: "The current subject is installed by the {@link #callAs} method."

src/java.base/share/classes/javax/security/auth/Subject.java line 362:

> 360:      * always be installed by the {@link #callAs} method.
> 361:      *
> 362:      * @return the current subject. The return value can be

Suggest to combine this into one sentence: the current subject, or {@code null} if a current subject is not installed or the current subject is set to {@code null}."

src/java.base/share/classes/javax/security/auth/Subject.java line 381:

> 379:      * @implNote
> 380:      * By default, this method calls {@link #doAs(Subject, PrivilegedExceptionAction)
> 381:      * Subject.doAs(subject, altAction)} to store the subject into

s/to store/which stores/

src/java.base/share/classes/javax/security/auth/Subject.java line 386:

> 384:      * modified to match the specification of this method.
> 385:      * If the system property {@code jdk.security.auth.subject.useTL}
> 386:      * is set to {@code true}, it will be stored in an inheritable

s/it/the subject/

src/java.base/share/classes/javax/security/auth/Subject.java line 387:

> 385:      * If the system property {@code jdk.security.auth.subject.useTL}
> 386:      * is set to {@code true}, it will be stored in an inheritable
> 387:      * {@code ThreadLocal} object. The behavior is subject to change in a


src/java.base/share/classes/javax/security/auth/Subject.java line 391:

> 389:      * <p>
> 390:      * No matter what storage is chosen, the current subject will
> 391:      * always be retrievable by the {@link #current} method.

Same comment as above.

src/java.base/share/classes/javax/security/auth/Subject.java line 394:

> 392:      *
> 393:      * @param subject the intended current subject for {@code action}.
> 394:      *                Can be {@code null}.

Is it necessary to allow `null` in the new `callAs` method? Is there a use case where this is useful? I know the `doAs` methods allowed it, but it looks like they simply call `AccessController.doPrivileged` in that case w/o a subject. Seems it would be simpler to not allow it and throw an NPE.

src/java.base/share/classes/javax/security/auth/Subject.java line 400:

> 398:      *            of {@code action}
> 399:      * @return the value returned by the {@code call} method of {@code action}
> 400:      * @throws NullPointerException if the {@code Callable} is {@code null}.

s/if the {@code Callable}/if {@code action}/
remove '.'

src/java.base/share/classes/javax/security/auth/Subject.java line 403:

> 401:      * @throws CompletionException if {@code action.call()} throws an
> 402:      *          exception, which will be the cause of this
> 403:      *          {@code CompletionException}.

Suggest to break this into two sentences: "if {@code action.call()} throws an exception. The cause of the           {@code CompletionException} is set to the exception thrown by {@code action.call()}."

test/jdk/javax/security/auth/Subject/CurrentSubject.java line 63:

> 61: 
> 62:     /**
> 63:      * Ensure the current subject is the expected Subject objet.

typo: objet -> object


PR: https://git.openjdk.java.net/jdk/pull/5024

More information about the security-dev mailing list