Post-JEP411 request: callAs(Supplier<Subject>) Re: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v4]

Chapman Flack chap at
Thu Oct 28 17:48:19 UTC 2021

On 10/28/21 13:25, Weijun Wang wrote:
>>> New `Subject` APIs `current()` and `callAs()` are created ...
>>> where the `callAs()` method stores the subject into a `ThreadLocal`
>>> object and the `current()` method returns it

That approach is simple and sweet. There is a case it doesn't cover,
where the Java runtime is embedded in a larger application where the
identity could change during upcalls from Java into the embedding app.

For those cases, it is better to be able to pass callAs a Supplier<Subject>
rather than a single unchanging Subject.

The effect was achievable in the pre-JEP411 world by installing
a suitably clever DomainCombiner, but with the current proposed replacement
the ability would be lost.

Naturally, it would be simple to support the callAs(Subject s) common case
as well, and simply store () -> s in the ThreadLocal.


More information about the security-dev mailing list