changeset 8461:7e676266241c

8147771: Construction of static protection domains under Javax custom policy Summary: Changed SubjectDomainCombiner to combine static PD as is even when custom policy is enabled. Reviewed-by: valeriep
author igerasim
date Wed, 13 Jul 2016 19:08:47 +0100
parents bc57536c7f84
children 65d527f3b647
files src/share/classes/java/security/ProtectionDomain.java src/share/classes/javax/security/auth/SubjectDomainCombiner.java src/share/classes/sun/misc/JavaSecurityProtectionDomainAccess.java
diffstat 3 files changed, 72 insertions(+), 47 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/java/security/ProtectionDomain.java	Fri Feb 05 11:02:08 2016 +0100
+++ b/src/share/classes/java/security/ProtectionDomain.java	Wed Jul 13 19:08:47 2016 +0100
@@ -494,6 +494,11 @@
                         }
                     };
                 }
+
+                @Override
+                public boolean getStaticPermissionsField(ProtectionDomain pd) {
+                    return pd.staticPermissions;
+                }
             });
     }
 }
--- a/src/share/classes/javax/security/auth/SubjectDomainCombiner.java	Fri Feb 05 11:02:08 2016 +0100
+++ b/src/share/classes/javax/security/auth/SubjectDomainCombiner.java	Wed Jul 13 19:08:47 2016 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -37,6 +37,8 @@
 import java.util.Set;
 import java.util.WeakHashMap;
 import java.lang.ref.WeakReference;
+import sun.misc.SharedSecrets;
+import sun.misc.JavaSecurityProtectionDomainAccess;
 
 /**
  * A <code>SubjectDomainCombiner</code> updates ProtectionDomains
@@ -64,6 +66,9 @@
     private static final boolean allowCaching =
                                         (useJavaxPolicy && cachePolicy());
 
+    private static final JavaSecurityProtectionDomainAccess pdAccess =
+        SharedSecrets.getJavaSecurityProtectionDomainAccess();
+
     /**
      * Associate the provided <code>Subject</code> with this
      * <code>SubjectDomainCombiner</code>.
@@ -238,10 +243,16 @@
                 subjectPd = cachedPDs.getValue(pd);
 
                 if (subjectPd == null) {
-                    subjectPd = new ProtectionDomain(pd.getCodeSource(),
+                    if (pdAccess.getStaticPermissionsField(pd)) {
+                        // Need to keep static ProtectionDomain objects static
+                        subjectPd = new ProtectionDomain(pd.getCodeSource(),
+                                                pd.getPermissions());
+                    } else {
+                        subjectPd = new ProtectionDomain(pd.getCodeSource(),
                                                 pd.getPermissions(),
                                                 pd.getClassLoader(),
                                                 principals);
+                    }
                     cachedPDs.putValue(pd, subjectPd);
                 } else {
                     allNew = false;
@@ -338,59 +349,63 @@
                 ProtectionDomain subjectPd = cachedPDs.getValue(pd);
 
                 if (subjectPd == null) {
+                    if (pdAccess.getStaticPermissionsField(pd)) {
+                        // keep static ProtectionDomain objects static
+                        subjectPd = new ProtectionDomain(pd.getCodeSource(),
+                                                pd.getPermissions());
+                    } else {
+                        // XXX
+                        // we must first add the original permissions.
+                        // that way when we later add the new JAAS permissions,
+                        // any unresolved JAAS-related permissions will
+                        // automatically get resolved.
 
-                    // XXX
-                    // we must first add the original permissions.
-                    // that way when we later add the new JAAS permissions,
-                    // any unresolved JAAS-related permissions will
-                    // automatically get resolved.
-
-                    // get the original perms
-                    Permissions perms = new Permissions();
-                    PermissionCollection coll = pd.getPermissions();
-                    java.util.Enumeration e;
-                    if (coll != null) {
-                        synchronized (coll) {
-                            e = coll.elements();
-                            while (e.hasMoreElements()) {
-                                Permission newPerm =
-                                        (Permission)e.nextElement();
-                                 perms.add(newPerm);
+                        // get the original perms
+                        Permissions perms = new Permissions();
+                        PermissionCollection coll = pd.getPermissions();
+                        java.util.Enumeration<Permission> e;
+                        if (coll != null) {
+                            synchronized (coll) {
+                                e = coll.elements();
+                                while (e.hasMoreElements()) {
+                                    Permission newPerm =
+                                        e.nextElement();
+                                    perms.add(newPerm);
+                                }
                             }
                         }
-                    }
 
-                    // get perms from the policy
+                        // get perms from the policy
+                        final java.security.CodeSource finalCs = pd.getCodeSource();
+                        final Subject finalS = subject;
+                        PermissionCollection newPerms =
+                            java.security.AccessController.doPrivileged
+                            (new PrivilegedAction<PermissionCollection>() {
+                            @SuppressWarnings("deprecation")
+                            public PermissionCollection run() {
+                                return
+                                    javax.security.auth.Policy.getPolicy().getPermissions
+                                    (finalS, finalCs);
+                            }
+                        });
 
-                    final java.security.CodeSource finalCs = pd.getCodeSource();
-                    final Subject finalS = subject;
-                    PermissionCollection newPerms =
-                        java.security.AccessController.doPrivileged
-                        (new PrivilegedAction<PermissionCollection>() {
-                        public PermissionCollection run() {
-                          return
-                          javax.security.auth.Policy.getPolicy().getPermissions
-                                (finalS, finalCs);
-                        }
-                    });
-
-                    // add the newly granted perms,
-                    // avoiding duplicates
-                    synchronized (newPerms) {
-                        e = newPerms.elements();
-                        while (e.hasMoreElements()) {
-                            Permission newPerm = (Permission)e.nextElement();
-                            if (!perms.implies(newPerm)) {
-                                perms.add(newPerm);
-                                if (debug != null)
-                                    debug.println (
-                                        "Adding perm " + newPerm + "\n");
+                        // add the newly granted perms,
+                        // avoiding duplicates
+                        synchronized (newPerms) {
+                            e = newPerms.elements();
+                            while (e.hasMoreElements()) {
+                                Permission newPerm = e.nextElement();
+                                if (!perms.implies(newPerm)) {
+                                    perms.add(newPerm);
+                                    if (debug != null)
+                                        debug.println (
+                                            "Adding perm " + newPerm + "\n");
+                                }
                             }
                         }
+                        subjectPd = new ProtectionDomain
+                            (finalCs, perms, pd.getClassLoader(), principals);
                     }
-                    subjectPd = new ProtectionDomain
-                        (finalCs, perms, pd.getClassLoader(), principals);
-
                     if (allowCaching)
                         cachedPDs.putValue(pd, subjectPd);
                 }
--- a/src/share/classes/sun/misc/JavaSecurityProtectionDomainAccess.java	Fri Feb 05 11:02:08 2016 +0100
+++ b/src/share/classes/sun/misc/JavaSecurityProtectionDomainAccess.java	Wed Jul 13 19:08:47 2016 +0100
@@ -36,4 +36,9 @@
      * Returns the ProtectionDomainCache.
      */
     ProtectionDomainCache getProtectionDomainCache();
+
+    /**
+     * Returns the staticPermissions field of the specified object
+     */
+    boolean getStaticPermissionsField(ProtectionDomain pd);
 }