RFR: 8296244: Alternate implementation of user-based authorization Subject APIs that doesn’t depend on Security Manager APIs [v3]
Weijun Wang
weijun at openjdk.org
Tue Mar 5 14:46:47 UTC 2024
On Tue, 5 Mar 2024 11:36:53 GMT, Kevin Walls <kevinw at openjdk.org> wrote:
>> I think we need @kevinjwalls or @dfuch to help advise on this.
>
> Right, this does not depend on the SM. All we need to do is get the Subject.
> This method implements the basic monitor (readonly) and control (readwrite) access.
> accessMap maps identity String to Access, and the checkAccess() method here will check the Subject by using its Principal names as keys in that map.
Do you know where the subject is set? If it's set by a `doAs` call then it will co-operate with `current()` whether or not SM is allowed. I tried to search the whole module and could not find a `doAs` call. If it is also through `SubjectDomainCombiner` then it only works with SM.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/17472#discussion_r1512951092
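The distinction raised in the reply above, as an added example that is not code from the PR or the JDK module under discussion: a Subject established with `Subject.callAs` is what `Subject.current()` returns inside the action, with no Security Manager or `AccessController` involved, so a `checkAccess()` keyed by principal names can see it. The `NamePrincipal` record, the `Access` enum and `ACCESS_MAP` are hypothetical stand-ins for the module's own types; it assumes Java 18 or later for `callAs`/`current()`.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

public class SubjectAccessDemo {
    // Hypothetical access levels, ordered least to most permissive.
    enum Access { READONLY, READWRITE }

    // Hypothetical principal type; the module's real principal class is not shown in the thread.
    record NamePrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    // Constructed identity-name -> Access map in the spirit of the thread's accessMap.
    static final Map<String, Access> ACCESS_MAP = Map.of(
        "monitorRole", Access.READONLY,
        "controlRole", Access.READWRITE);

    // Look up each Principal name of the current Subject in the map and return the
    // most permissive match; null means no associated Subject or no known principal.
    static Access checkAccess() {
        Subject s = Subject.current();
        if (s == null) return null;
        Access best = null;
        for (Principal p : s.getPrincipals()) {
            Access a = ACCESS_MAP.get(p.getName());
            if (a != null && (best == null || a.compareTo(best) > 0)) best = a;
        }
        return best;
    }

    public static void main(String[] args) {
        Subject subject = new Subject(true,
            Set.of(new NamePrincipal("monitorRole")), Set.of(), Set.of());
        // Inside callAs, current() yields the Subject without doPrivileged or SM.
        Access inside = Subject.callAs(subject, SubjectAccessDemo::checkAccess);
        // Outside any callAs, no Subject is associated with this thread.
        Access outside = checkAccess();
        System.out.println("inside callAs: " + inside + ", outside: " + outside);
    }
}
```

A Subject attached only through `AccessController.doPrivileged` with a `SubjectDomainCombiner` is not set this way, which is why the question of where the module sets its Subject matters.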