RFR: 8296244: Alternate implementation of user-based authorization Subject APIs that doesn’t depend on Security Manager APIs [v3]
Weijun Wang
weijun at openjdk.org
Mon Mar 4 19:54:45 UTC 2024
On Mon, 4 Mar 2024 15:28:28 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>>
>> fix MBeanServerFileAccessController, more test in SM
>
> src/java.management/share/classes/com/sun/jmx/remote/security/MBeanServerFileAccessController.java line 309:
>
>> 307: final Subject s;
>> 308: if (!SharedSecrets.getJavaLangAccess().allowSecurityManager()) {
>> 309: s = Subject.current();
>
> We may not want to call `Subject.current()` here, as this may imply that we will support this functionality even if an SM is not enabled.
I was not exactly sure if we will support this functionality. The class name has `AccessControler` and the method names use `checkAccess`, but they actually do not always depend on security manager.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/17472#discussion_r1511716084
More information about the security-dev
mailing list