changeset 7031:42e68c7fbe98

8030655: Regression: 14_01 Security fix 8024306 causes test failures Reviewed-by: mullan, xuelei, ahgross
author weijun
date Wed, 15 Jan 2014 11:23:07 +0800
parents 4e3fb3d5d4bf
children 6d918cec0812
files src/share/classes/javax/security/auth/Subject.java
diffstat 1 files changed, 19 insertions(+), 3 deletions(-) [+]
--- a/src/share/classes/javax/security/auth/Subject.java	Mon Dec 23 14:29:27 2013 +0100
+++ b/src/share/classes/javax/security/auth/Subject.java	Wed Jan 15 11:23:07 2014 +0800
@@ -941,14 +941,30 @@
     /**
      * Reads this object from a stream (i.e., deserializes it)
      */
+    @SuppressWarnings("unchecked")
     private void readObject(java.io.ObjectInputStream s)
                 throws java.io.IOException, ClassNotFoundException {
 
-        s.defaultReadObject();
+        ObjectInputStream.GetField gf = s.readFields();
+
+        readOnly = gf.get("readOnly", false);
+
+        Set<Principal> inputPrincs = (Set<Principal>)gf.get("principals", null);
 
         // Rewrap the principals into a SecureSet
-        principals = Collections.synchronizedSet(new SecureSet<Principal>
-                                (this, PRINCIPAL_SET, principals));
+        if (inputPrincs == null) {
+            throw new NullPointerException
+                (ResourcesMgr.getString("invalid.null.input.s."));
+        }
+        try {
+            principals = Collections.synchronizedSet(new SecureSet<Principal>
+                                (this, PRINCIPAL_SET, inputPrincs));
+        } catch (NullPointerException npe) {
+            // Sometimes people deserialize the principals set only.
+            // Subject is not accessible, so just don't fail.
+            principals = Collections.synchronizedSet
+                        (new SecureSet<Principal>(this, PRINCIPAL_SET));
+        }
 
         // The Credential <code>Set</code> is not serialized, but we do not
         // want the default deserialization routine to set it to null.
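Review bot: The cast on the new `Set<Principal> inputPrincs = (Set<Principal>)gf.get("principals", null);` line is unchecked, so a stream whose `principals` field holds elements that are not `Principal` instances deserializes without error and only fails later, at the first typed access, far from the stream that caused it; walking the set and rejecting non-`Principal` elements before wrapping it into the SecureSet keeps the failure at the deserialization boundary. Reporting that, and the null case the hunk handles with `throw new NullPointerException`, as a `java.io.InvalidObjectException` would also let callers that catch `IOException` see a stream-integrity failure rather than an unchecked exception escaping `readObject`. Separately, `catch (NullPointerException npe)` catches any NPE raised inside the SecureSet constructor, not only the situation its comment describes; the hunk does not show which path produces that NPE, so the trigger should at least be documented at the catch. readObject's body continues past the hunk.
```java
        Set<Principal> inputPrincs = (Set<Principal>)gf.get("principals", null);

        // Rewrap the principals into a SecureSet
        if (inputPrincs == null) {
            throw new InvalidObjectException
                (ResourcesMgr.getString("invalid.null.input.s."));
        }
        // Reject a stream whose set holds non-Principal elements before they
        // can pollute the typed set.
        for (Object p : inputPrincs) {
            if (!(p instanceof Principal)) {
                throw new InvalidObjectException("principals element is not a Principal");
            }
        }
        // … unchanged: try/catch wrapping inputPrincs into the SecureSet …
```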