6633872: Policy/PolicyFile leak dynamic ProtectionDomains.

Reviewed-by: hawtin

6633872: Policy/PolicyFile leak dynamic ProtectionDomains.
Reviewed-by: hawtin
05ea9991 · mullan · 8c4a771b · 05ea9991 · 05ea9991 · 05ea9991
5 changed file
--- a/src/share/classes/java/security/Policy.java
+++ b/src/share/classes/java/security/Policy.java
 /*
- * Copyright 1997-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2009 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -28,19 +28,17 @@ package java.security;
 import java.io.*;
 import java.lang.RuntimePermission;
+import java.lang.reflect.*;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.Enumeration;
 import java.util.Hashtable;
-import java.util.Vector;
-import java.util.StringTokenizer;
 import java.util.PropertyPermission;
+import java.util.StringTokenizer;
-import java.lang.reflect.*;
+import java.util.Vector;
 import java.util.WeakHashMap;
-import sun.security.util.Debug;
 import sun.security.jca.GetInstance;
+import sun.security.util.Debug;
 import sun.security.util.SecurityConstants;
@@ -113,8 +111,8 @@ public abstract class Policy {
    private static final Debug debug = Debug.getInstance("policy");
-    // Cache mapping  ProtectionDomain to PermissionCollection
+    // Cache mapping ProtectionDomain.Key to PermissionCollection
-    private WeakHashMap<ProtectionDomain, PermissionCollection> pdMapping;
+    private WeakHashMap<ProtectionDomain.Key, PermissionCollection> pdMapping;
    /** package private for AccessControlContext */
    static boolean isSet()
@@ -307,7 +305,7 @@ public abstract class Policy {
        synchronized (p) {
            if (p.pdMapping == null) {
                p.pdMapping =
-                    new WeakHashMap<ProtectionDomain, PermissionCollection>();
+                    new WeakHashMap<ProtectionDomain.Key, PermissionCollection>();
           }
        }
@@ -323,7 +321,7 @@ public abstract class Policy {
            synchronized (p.pdMapping) {
                // cache of pd to permissions
-                p.pdMapping.put(policyDomain, policyPerms);
+                p.pdMapping.put(policyDomain.key, policyPerms);
            }
        }
        return;
@@ -638,7 +636,7 @@ public abstract class Policy {
        }
        synchronized (pdMapping) {
-            pc = pdMapping.get(domain);
+            pc = pdMapping.get(domain.key);
        }
        if (pc != null) {
@@ -697,7 +695,7 @@ public abstract class Policy {
        }
        synchronized (pdMapping) {
-            pc = pdMapping.get(domain);
+            pc = pdMapping.get(domain.key);
        }
        if (pc != null) {
@@ -711,7 +709,7 @@ public abstract class Policy {
        synchronized (pdMapping) {
            // cache it
-            pdMapping.put(domain, pc);
+            pdMapping.put(domain.key, pc);
        }
        return pc.implies(permission);
@@ -747,21 +745,25 @@ public abstract class Policy {
            this.params = params;
        }
-        public String getType() { return type; }
+        @Override public String getType() { return type; }
-        public Policy.Parameters getParameters() { return params; }
+        @Override public Policy.Parameters getParameters() { return params; }
-        public Provider getProvider() { return p; }
+        @Override public Provider getProvider() { return p; }
+        @Override
        public PermissionCollection getPermissions(CodeSource codesource) {
            return spi.engineGetPermissions(codesource);
        }
+        @Override
        public PermissionCollection getPermissions(ProtectionDomain domain) {
            return spi.engineGetPermissions(domain);
        }
+        @Override
        public boolean implies(ProtectionDomain domain, Permission perm) {
            return spi.engineImplies(domain, perm);
        }
+        @Override
        public void refresh() {
            spi.engineRefresh();
        }
@@ -803,7 +805,7 @@ public abstract class Policy {
         * @exception SecurityException - if this PermissionCollection object
         *                                has been marked readonly
         */
-        public void add(Permission permission) {
+        @Override public void add(Permission permission) {
            perms.add(permission);
        }
@@ -816,7 +818,7 @@ public abstract class Policy {
         * @return true if "permission" is implied by the  permissions in
         * the collection, false if not.
         */
-        public boolean implies(Permission permission) {
+        @Override public boolean implies(Permission permission) {
            return perms.implies(permission);
        }
@@ -826,7 +828,7 @@ public abstract class Policy {
         *
         * @return an enumeration of all the Permissions.
         */
-        public Enumeration<Permission> elements() {
+        @Override public Enumeration<Permission> elements() {
            return perms.elements();
        }
    }

--- a/src/share/classes/java/security/ProtectionDomain.java
+++ b/src/share/classes/java/security/ProtectionDomain.java
 /*
- * Copyright 1997-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2009 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -25,9 +25,15 @@
 package java.security;
+import java.util.ArrayList;
+import java.util.Collections;
 import java.util.Enumeration;
 import java.util.List;
-import java.util.ArrayList;
+import java.util.Map;
+import java.util.WeakHashMap;
+import sun.misc.JavaSecurityProtectionDomainAccess;
+import static sun.misc.JavaSecurityProtectionDomainAccess.ProtectionDomainCache;
+import sun.misc.SharedSecrets;
 import sun.security.util.Debug;
 import sun.security.util.SecurityConstants;
@@ -72,6 +78,11 @@ public class ProtectionDomain {
       or dynamic (via a policy refresh) */
    private boolean staticPermissions;
+    /*
+     * An object used as a key when the ProtectionDomain is stored in a Map.
+     */
+    final Key key = new Key();
    private static final Debug debug = Debug.getInstance("domain");
    /**
@@ -238,7 +249,7 @@ public class ProtectionDomain {
    /**
     * Convert a ProtectionDomain to a String.
     */
-    public String toString() {
+    @Override public String toString() {
        String pals = "<no principals>";
        if (principals != null && principals.length > 0) {
            StringBuilder palBuf = new StringBuilder("(principals ");
@@ -396,4 +407,29 @@ public class ProtectionDomain {
        return mergedPerms;
    }
+    /**
+     * Used for storing ProtectionDomains as keys in a Map.
+     */
+    final class Key {}
+    static {
+        SharedSecrets.setJavaSecurityProtectionDomainAccess(
+            new JavaSecurityProtectionDomainAccess() {
+                public ProtectionDomainCache getProtectionDomainCache() {
+                    return new ProtectionDomainCache() {
+                        private final Map<Key, PermissionCollection> map =
+                            Collections.synchronizedMap
+                                (new WeakHashMap<Key, PermissionCollection>());
+                        public void put(ProtectionDomain pd,
+                            PermissionCollection pc) {
+                            map.put((pd == null ? null : pd.key), pc);
+                        }
+                        public PermissionCollection get(ProtectionDomain pd) {
+                            return pd == null ? map.get(null) : map.get(pd.key);
+                        }
+                    };
+                }
+            });
+    }
 }
--- a/src/share/classes/sun/misc/JavaSecurityProtectionDomainAccess.java
+++ b/src/share/classes/sun/misc/JavaSecurityProtectionDomainAccess.java
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+package sun.misc;
+import java.security.PermissionCollection;
+import java.security.ProtectionDomain;
+public interface JavaSecurityProtectionDomainAccess {
+    interface ProtectionDomainCache {
+        void put(ProtectionDomain pd, PermissionCollection pc);
+        PermissionCollection get(ProtectionDomain pd);
+    }
+    /**
+     * Returns the ProtectionDomainCache.
+     */
+    ProtectionDomainCache getProtectionDomainCache();
+}
--- a/src/share/classes/sun/misc/SharedSecrets.java
+++ b/src/share/classes/sun/misc/SharedSecrets.java
 /*
- * Copyright 2002-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2002-2009 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -47,6 +47,7 @@ public class SharedSecrets {
    private static JavaNetAccess javaNetAccess;
    private static JavaNioAccess javaNioAccess;
    private static JavaIOFileDescriptorAccess javaIOFileDescriptorAccess;
+    private static JavaSecurityProtectionDomainAccess javaSecurityProtectionDomainAccess;
    public static JavaUtilJarAccess javaUtilJarAccess() {
        if (javaUtilJarAccess == null) {
@@ -113,4 +114,13 @@ public class SharedSecrets {
        return javaIOFileDescriptorAccess;
    }
+    public static void setJavaSecurityProtectionDomainAccess
+        (JavaSecurityProtectionDomainAccess jspda) {
+            javaSecurityProtectionDomainAccess = jspda;
+    }
+    public static JavaSecurityProtectionDomainAccess
+        getJavaSecurityProtectionDomainAccess() {
+            return javaSecurityProtectionDomainAccess;
+    }
 }
--- a/src/share/classes/sun/security/provider/PolicyFile.java
+++ b/src/share/classes/sun/security/provider/PolicyFile.java
 /*
- * Copyright 1997-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1997-2009 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -65,6 +65,9 @@ import java.lang.reflect.ReflectPermission;
 import javax.sound.sampled.AudioPermission;
 import javax.net.ssl.SSLPermission;
 */
+import sun.misc.JavaSecurityProtectionDomainAccess;
+import static sun.misc.JavaSecurityProtectionDomainAccess.ProtectionDomainCache;
+import sun.misc.SharedSecrets;
 import sun.security.util.Password;
 import sun.security.util.PolicyUtil;
 import sun.security.util.PropertyExpander;
@@ -1105,7 +1108,7 @@ public class PolicyFile extends java.security.Policy {
    /**
     * Refreshes the policy object by re-reading all the policy files.
     */
-    public void refresh() {
+    @Override public void refresh() {
        init(url);
    }
@@ -1122,9 +1125,10 @@ public class PolicyFile extends java.security.Policy {
     *
     * @see java.security.ProtectionDomain
     */
+    @Override
    public boolean implies(ProtectionDomain pd, Permission p) {
        PolicyInfo pi = policyInfo.get();
-        Map<ProtectionDomain, PermissionCollection> pdMap = pi.getPdMapping();
+        ProtectionDomainCache pdMap = pi.getPdMapping();
        PermissionCollection pc = pdMap.get(pd);
@@ -1170,6 +1174,7 @@ public class PolicyFile extends java.security.Policy {
     * @return the Permissions granted to the provided
     *          <code>ProtectionDomain</code>.
     */
+    @Override
    public PermissionCollection getPermissions(ProtectionDomain domain) {
        Permissions perms = new Permissions();
@@ -1205,6 +1210,7 @@ public class PolicyFile extends java.security.Policy {
     *
     * @return the set of permissions according to the policy.
     */
+    @Override
    public PermissionCollection getPermissions(CodeSource codesource) {
        return getPermissions(new Permissions(), codesource);
    }
@@ -2198,7 +2204,7 @@ public class PolicyFile extends java.security.Policy {
            return codesource;
        }
-        public String toString(){
+        @Override public String toString(){
            StringBuilder sb = new StringBuilder();
            sb.append(ResourcesMgr.getString("("));
            sb.append(getCodeSource());
@@ -2334,7 +2340,7 @@ public class PolicyFile extends java.security.Policy {
         *
         * @return false.
         */
-        public boolean implies(Permission p) {
+        @Override public boolean implies(Permission p) {
            return false;
        }
@@ -2351,7 +2357,7 @@ public class PolicyFile extends java.security.Policy {
         * type (class) name, permission name, actions, and
         * certificates as this object.
         */
-        public boolean equals(Object obj) {
+        @Override public boolean equals(Object obj) {
            if (obj == this)
                return true;
@@ -2399,7 +2405,7 @@ public class PolicyFile extends java.security.Policy {
         *
         * @return a hash code value for this object.
         */
-        public int hashCode() {
+        @Override public int hashCode() {
            int hash = type.hashCode();
            if (name != null)
                hash ^= name.hashCode();
@@ -2418,7 +2424,7 @@ public class PolicyFile extends java.security.Policy {
         *
         * @return the empty string "".
         */
-        public String getActions() {
+        @Override public String getActions() {
            return "";
        }
@@ -2445,7 +2451,7 @@ public class PolicyFile extends java.security.Policy {
         *
         * @return information about this SelfPermission.
         */
-        public String toString() {
+        @Override public String toString() {
            return "(SelfPermission " + type + " " + name + " " + actions + ")";
        }
    }
@@ -2467,7 +2473,7 @@ public class PolicyFile extends java.security.Policy {
        final Map aliasMapping;
        // Maps ProtectionDomain to PermissionCollection
-        private final Map<ProtectionDomain, PermissionCollection>[] pdMapping;
+        private final ProtectionDomainCache[] pdMapping;
        private java.util.Random random;
        PolicyInfo(int numCaches) {
@@ -2476,16 +2482,17 @@ public class PolicyFile extends java.security.Policy {
                Collections.synchronizedList(new ArrayList<PolicyEntry>(2));
            aliasMapping = Collections.synchronizedMap(new HashMap(11));
-            pdMapping = new Map[numCaches];
+            pdMapping = new ProtectionDomainCache[numCaches];
+            JavaSecurityProtectionDomainAccess jspda
+                = SharedSecrets.getJavaSecurityProtectionDomainAccess();
            for (int i = 0; i < numCaches; i++) {
-                pdMapping[i] = Collections.synchronizedMap
+                pdMapping[i] = jspda.getProtectionDomainCache();
-                    (new WeakHashMap<ProtectionDomain, PermissionCollection>());
            }
            if (numCaches > 1) {
                random = new java.util.Random();
            }
        }
-        Map<ProtectionDomain, PermissionCollection> getPdMapping() {
+        ProtectionDomainCache getPdMapping() {
            if (pdMapping.length == 1) {
                return pdMapping[0];
            } else {