Subject.getPrincipals(), getPublicCredentials(), getPrivateCredentials() are inherently unsafe

Sean Mullan sean.mullan at oracle.com
Thu Jan 2 15:01:35 UTC 2020


On 1/1/20 1:25 PM, Roman Leventov wrote:
> If somebody tries to iterate these collections concurrently with 
> modification in another thread, the consequences are undefined.

Right, the javadoc is not clear on that.

> A possible fix is to use CopyOnWriteArrayList as SecureSet.elements 
> field instead of LinkedList.

A workaround is to synchronize on the returned collections when iterating.

Would you please consider filing a bug [1]? If you have a test case, 
please also attach it to the bug report.

Thanks,
Sean

[1] https://bugreport.java.com/bugreport/
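The workaround Sean describes, iterating while holding the returned set's monitor, as an added example that is not code from this thread or from the JDK. It assumes the set returned by Subject.getPrincipals() uses itself as the lock, in the style of Collections.synchronizedSet; the class and method names are hypothetical.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

/** Hypothetical demo: safe iteration over a Subject's principal set. */
public class SubjectIterationDemo {

    /**
     * Snapshot the principal names while holding the set's monitor.
     * Iterating without the synchronized block while another thread
     * adds or removes principals has undefined results (for example a
     * ConcurrentModificationException or a partial view).
     */
    static List<String> principalNames(Subject subject) {
        Set<Principal> principals = subject.getPrincipals();
        List<String> names = new ArrayList<>();
        // Assumption: the returned set is the lock object, so this blocks
        // concurrent add/remove for the duration of the iteration.
        synchronized (principals) {
            for (Principal p : principals) {
                names.add(p.getName());
            }
        }
        return names;
    }

    public static void main(String[] args) throws InterruptedException {
        Subject subject = new Subject();
        Set<Principal> principals = subject.getPrincipals();

        // Writer thread: keeps adding constructed (sample) principals.
        Thread writer = new Thread(() -> {
            for (int i = 0; i < 10_000; i++) {
                principals.add(new X500Principal("CN=user" + i + ",O=Example"));
            }
        });
        writer.start();

        // Reader: repeatedly takes snapshots under the lock while the writer runs.
        int snapshots = 0;
        while (writer.isAlive()) {
            List<String> names = principalNames(subject);
            snapshots++;
        }
        writer.join();
        System.out.println(snapshots + " snapshots taken; final size " + principals.size());
    }
}
```

Removing the synchronized block from principalNames is what makes the iteration race with the writer; the set's own per-call locking does not cover a whole for-each loop.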
