8147771: Construction of static protection domains under Javax custom policy

Summary: Changed SubjectDomainCombiner to combine static PD as is even when custom policy is enabled. Reviewed-by: valeriep

8147771: Construction of static protection domains under Javax custom policy
Summary: Changed SubjectDomainCombiner to combine static PD as is even when custom policy is enabled. Reviewed-by: valeriep
2aedf226 · igerasim · 71323e8a · 2aedf226 · 2aedf226 · 2aedf226
3 changed file
--- a/src/share/classes/java/security/ProtectionDomain.java
+++ b/src/share/classes/java/security/ProtectionDomain.java
@@ -475,6 +475,11 @@ public class ProtectionDomain {
                        }
                    };
                }
+                @Override
+                public boolean getStaticPermissionsField(ProtectionDomain pd) {
+                    return pd.staticPermissions;
+                }
            });
    }
 }
--- a/src/share/classes/javax/security/auth/SubjectDomainCombiner.java
+++ b/src/share/classes/javax/security/auth/SubjectDomainCombiner.java
 /*
- * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -37,6 +37,8 @@ import java.security.Security;
 import java.util.Set;
 import java.util.WeakHashMap;
 import java.lang.ref.WeakReference;
+import sun.misc.SharedSecrets;
+import sun.misc.JavaSecurityProtectionDomainAccess;
 /**
 * A {@code SubjectDomainCombiner} updates ProtectionDomains
@@ -65,6 +67,9 @@ public class SubjectDomainCombiner implements java.security.DomainCombiner {
    private static final boolean allowCaching =
                                        (useJavaxPolicy && cachePolicy());
+    private static final JavaSecurityProtectionDomainAccess pdAccess =
+        SharedSecrets.getJavaSecurityProtectionDomainAccess();
    /**
     * Associate the provided {@code Subject} with this
     * {@code SubjectDomainCombiner}.
@@ -239,10 +244,16 @@ public class SubjectDomainCombiner implements java.security.DomainCombiner {
                subjectPd = cachedPDs.getValue(pd);
                if (subjectPd == null) {
-                    subjectPd = new ProtectionDomain(pd.getCodeSource(),
+                    if (pdAccess.getStaticPermissionsField(pd)) {
+                        // Need to keep static ProtectionDomain objects static
+                        subjectPd = new ProtectionDomain(pd.getCodeSource(),
+                                                pd.getPermissions());
+                    } else {
+                        subjectPd = new ProtectionDomain(pd.getCodeSource(),
                                                pd.getPermissions(),
                                                pd.getClassLoader(),
                                                principals);
+                    }
                    cachedPDs.putValue(pd, subjectPd);
                } else {
                    allNew = false;
@@ -341,60 +352,63 @@ public class SubjectDomainCombiner implements java.security.DomainCombiner {
                ProtectionDomain subjectPd = cachedPDs.getValue(pd);
                if (subjectPd == null) {
+                    if (pdAccess.getStaticPermissionsField(pd)) {
-                    // XXX
+                        // keep static ProtectionDomain objects static
-                    // we must first add the original permissions.
+                        subjectPd = new ProtectionDomain(pd.getCodeSource(),
-                    // that way when we later add the new JAAS permissions,
+                                                pd.getPermissions());
-                    // any unresolved JAAS-related permissions will
+                    } else {
-                    // automatically get resolved.
+                        // XXX
+                        // we must first add the original permissions.
-                    // get the original perms
+                        // that way when we later add the new JAAS permissions,
-                    Permissions perms = new Permissions();
+                        // any unresolved JAAS-related permissions will
-                    PermissionCollection coll = pd.getPermissions();
+                        // automatically get resolved.
-                    java.util.Enumeration<Permission> e;
-                    if (coll != null) {
+                        // get the original perms
-                        synchronized (coll) {
+                        Permissions perms = new Permissions();
-                            e = coll.elements();
+                        PermissionCollection coll = pd.getPermissions();
-                            while (e.hasMoreElements()) {
+                        java.util.Enumeration<Permission> e;
-                                Permission newPerm =
+                        if (coll != null) {
+                            synchronized (coll) {
+                                e = coll.elements();
+                                while (e.hasMoreElements()) {
+                                    Permission newPerm =
                                        e.nextElement();
-                                 perms.add(newPerm);
+                                    perms.add(newPerm);
+                                }
                            }
                        }
-                    }
-                    // get perms from the policy
+                        // get perms from the policy
+                        final java.security.CodeSource finalCs = pd.getCodeSource();
-                    final java.security.CodeSource finalCs = pd.getCodeSource();
+                        final Subject finalS = subject;
-                    final Subject finalS = subject;
+                        PermissionCollection newPerms =
-                    PermissionCollection newPerms =
+                            java.security.AccessController.doPrivileged
-                        java.security.AccessController.doPrivileged
+                            (new PrivilegedAction<PermissionCollection>() {
-                        (new PrivilegedAction<PermissionCollection>() {
+                            @SuppressWarnings("deprecation")
-                        @SuppressWarnings("deprecation")
+                            public PermissionCollection run() {
-                        public PermissionCollection run() {
+                                return
-                          return
+                                    javax.security.auth.Policy.getPolicy().getPermissions
-                          javax.security.auth.Policy.getPolicy().getPermissions
+                                    (finalS, finalCs);
-                                (finalS, finalCs);
+                            }
-                        }
+                        });
-                    });
+                        // add the newly granted perms,
-                    // add the newly granted perms,
+                        // avoiding duplicates
-                    // avoiding duplicates
+                        synchronized (newPerms) {
-                    synchronized (newPerms) {
+                            e = newPerms.elements();
-                        e = newPerms.elements();
+                            while (e.hasMoreElements()) {
-                        while (e.hasMoreElements()) {
+                                Permission newPerm = e.nextElement();
-                            Permission newPerm = e.nextElement();
+                                if (!perms.implies(newPerm)) {
-                            if (!perms.implies(newPerm)) {
+                                    perms.add(newPerm);
-                                perms.add(newPerm);
+                                    if (debug != null)
-                                if (debug != null)
+                                        debug.println (
-                                    debug.println (
+                                            "Adding perm " + newPerm + "\n");
-                                        "Adding perm " + newPerm + "\n");
+                                }
                            }
                        }
+                        subjectPd = new ProtectionDomain
+                            (finalCs, perms, pd.getClassLoader(), principals);
                    }
-                    subjectPd = new ProtectionDomain
-                        (finalCs, perms, pd.getClassLoader(), principals);
                    if (allowCaching)
                        cachedPDs.putValue(pd, subjectPd);
                }

--- a/src/share/classes/sun/misc/JavaSecurityProtectionDomainAccess.java
+++ b/src/share/classes/sun/misc/JavaSecurityProtectionDomainAccess.java
@@ -36,4 +36,9 @@ public interface JavaSecurityProtectionDomainAccess {
     * Returns the ProtectionDomainCache.
     */
    ProtectionDomainCache getProtectionDomainCache();
+    /**
+     * Returns the staticPermissions field of the specified object
+     */
+    boolean getStaticPermissionsField(ProtectionDomain pd);
 }