Subject.getPrincipals(), getPublicCredentials(), getPrivateCredentials() are inherently unsafe
Sean Mullan
sean.mullan at oracle.com
Thu Jan 2 15:01:35 UTC 2020
On 1/1/20 1:25 PM, Roman Leventov wrote:
> If somebody tries to iterate these collections concurrently with
> modification in another thread, the consequences are undefined.
Right, the javadoc is not clear on that.
> A possible fix is to use CopyOnWriteArrayList as SecureSet.elements
> field instead of LinkedList.
A workaround is to synchronize on the returned collections when iterating.
Would you please consider filing a bug [1]? If you have a test case,
please also attach it to the bug report.
Thanks,
Sean
[1] https://bugreport.java.com/bugreport/
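
The workaround described in the reply above, as an added example that is not part of the original message: a reader iterates `Subject.getPrincipals()` inside a `synchronized` block on the returned set while another thread modifies it. The class and method names are hypothetical, the principals are constructed sample values, and the example assumes (as in OpenJDK's `Subject`) that mutations of the returned set lock on the set object itself.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

// Added illustration; class and method names are hypothetical.
public class SubjectIterationExample {

    // Iterate the set returned by getPrincipals() while holding its monitor,
    // copying out only what is needed so the lock is held briefly.
    static List<String> principalNames(Subject subject) {
        Set<Principal> principals = subject.getPrincipals();
        List<String> names = new ArrayList<>();
        synchronized (principals) {   // the workaround from the reply
            for (Principal p : principals) {
                names.add(p.getName());
            }
        }
        return names;                 // work on the copy outside the lock
    }

    public static void main(String[] args) throws InterruptedException {
        Subject subject = new Subject();
        Set<Principal> principals = subject.getPrincipals();

        // Writer thread: keeps adding and removing constructed sample principals.
        Thread writer = new Thread(() -> {
            for (int i = 0; i < 100_000; i++) {
                Principal p = new X500Principal("CN=user" + (i % 50));
                principals.add(p);
                principals.remove(p);
            }
        });
        writer.start();

        // Reader: iterates concurrently with the writer, always under the lock.
        long seen = 0;
        while (writer.isAlive()) {
            seen += principalNames(subject).size();
        }
        writer.join();
        System.out.println("iterated without error; principals seen: " + seen);
    }
}
```

Every code path that iterates the set has to take the same lock; a single unsynchronized `for` loop elsewhere reintroduces the undefined behaviour discussed in the thread.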