changeset 8341:e78b8cfe9db2

8021191: Add isAuthorized check to limited doPrivileged methods Reviewed-by: weijun, xuelei
author mullan
date Tue, 22 Oct 2013 08:03:16 -0400
parents 48bbb605fcd6
children 6d723c53eeae
files src/share/classes/java/security/AccessControlContext.java src/share/classes/java/security/AccessController.java
diffstat 2 files changed, 16 insertions(+), 2 deletions(-) [+]
--- a/src/share/classes/java/security/AccessControlContext.java	Fri Oct 16 15:41:54 2015 +0100
+++ b/src/share/classes/java/security/AccessControlContext.java	Tue Oct 22 08:03:16 2013 -0400
@@ -352,6 +352,10 @@
         return combiner;
     }
 
+    boolean isAuthorized() {
+        return isAuthorized;
+    }
+
     /**
      * Determines whether the access request indicated by the
      * specified permission should be allowed or denied, based on
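Review bot: The new package-private accessor `isAuthorized()` has no comment, while every neighbouring method in this class carries Javadoc, so a reader of `AccessController` will not know what "authorized" refers to without finding where the `isAuthorized` field is set (outside this hunk). I would add a short Javadoc such as `/** Returns whether this context was created by a caller that was authorized to do so; consulted by AccessController before honouring a caller-supplied context. */`, adjusting the wording to match how the field is actually assigned. Since the method is package-private, the comment should also state that it is intended only for `java.security` callers.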
--- a/src/share/classes/java/security/AccessController.java	Fri Oct 16 15:41:54 2015 +0100
+++ b/src/share/classes/java/security/AccessController.java	Tue Oct 22 08:03:16 2013 -0400
@@ -465,8 +465,18 @@
                       AccessControlContext parent, AccessControlContext context,
                       Permission[] perms)
     {
-        return new AccessControlContext(getCallerPD(caller), combiner, parent,
-                                        context, perms);
+        ProtectionDomain callerPD = getCallerPD(caller);
+        // check if caller is authorized to create context
+        if (context != null && !context.isAuthorized() &&
+            System.getSecurityManager() != null &&
+            !callerPD.impliesCreateAccessControlContext())
+        {
+            ProtectionDomain nullPD = new ProtectionDomain(null, null);
+            return new AccessControlContext(new ProtectionDomain[] { nullPD });
+        } else {
+            return new AccessControlContext(callerPD, combiner, parent,
+                                            context, perms);
+        }
     }
 
     private static ProtectionDomain getCallerPD(final Class <?> caller) {
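Review bot: The new condition dereferences `callerPD` in `callerPD.impliesCreateAccessControlContext()`, whereas the old code only passed it through to the constructor; if `getCallerPD` can ever return null (its body is outside this hunk), the guard would throw a NullPointerException rather than deny. Worth confirming that `getCallerPD` never returns null or adding `callerPD == null ||` to the denial condition so a missing domain falls to the restrictive branch. The comment `// check if caller is authorized to create context` should also say what the fallback does, e.g. `// An unauthorized context may only be honoured by a caller holding createAccessControlContext; otherwise substitute a context whose sole domain is an empty ProtectionDomain so the caller gains nothing.`. The `else` after the `return` is unnecessary and the restrictive branch reads more clearly as a guard clause; the enclosing method's signature begins outside the hunk.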