提交 2aedf226 编写于 作者: I igerasim

8147771: Construction of static protection domains under Javax custom policy

Summary: Changed SubjectDomainCombiner to combine static PD as is even when custom policy is enabled.
Reviewed-by: valeriep
上级 71323e8a
...@@ -475,6 +475,11 @@ public class ProtectionDomain { ...@@ -475,6 +475,11 @@ public class ProtectionDomain {
} }
}; };
} }
@Override
public boolean getStaticPermissionsField(ProtectionDomain pd) {
return pd.staticPermissions;
}
}); });
} }
} }
/* /*
* Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1999, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -37,6 +37,8 @@ import java.security.Security; ...@@ -37,6 +37,8 @@ import java.security.Security;
import java.util.Set; import java.util.Set;
import java.util.WeakHashMap; import java.util.WeakHashMap;
import java.lang.ref.WeakReference; import java.lang.ref.WeakReference;
import sun.misc.SharedSecrets;
import sun.misc.JavaSecurityProtectionDomainAccess;
/** /**
* A {@code SubjectDomainCombiner} updates ProtectionDomains * A {@code SubjectDomainCombiner} updates ProtectionDomains
...@@ -65,6 +67,9 @@ public class SubjectDomainCombiner implements java.security.DomainCombiner { ...@@ -65,6 +67,9 @@ public class SubjectDomainCombiner implements java.security.DomainCombiner {
private static final boolean allowCaching = private static final boolean allowCaching =
(useJavaxPolicy && cachePolicy()); (useJavaxPolicy && cachePolicy());
private static final JavaSecurityProtectionDomainAccess pdAccess =
SharedSecrets.getJavaSecurityProtectionDomainAccess();
/** /**
* Associate the provided {@code Subject} with this * Associate the provided {@code Subject} with this
* {@code SubjectDomainCombiner}. * {@code SubjectDomainCombiner}.
...@@ -239,10 +244,16 @@ public class SubjectDomainCombiner implements java.security.DomainCombiner { ...@@ -239,10 +244,16 @@ public class SubjectDomainCombiner implements java.security.DomainCombiner {
subjectPd = cachedPDs.getValue(pd); subjectPd = cachedPDs.getValue(pd);
if (subjectPd == null) { if (subjectPd == null) {
subjectPd = new ProtectionDomain(pd.getCodeSource(), if (pdAccess.getStaticPermissionsField(pd)) {
// Need to keep static ProtectionDomain objects static
subjectPd = new ProtectionDomain(pd.getCodeSource(),
pd.getPermissions());
} else {
subjectPd = new ProtectionDomain(pd.getCodeSource(),
pd.getPermissions(), pd.getPermissions(),
pd.getClassLoader(), pd.getClassLoader(),
principals); principals);
}
cachedPDs.putValue(pd, subjectPd); cachedPDs.putValue(pd, subjectPd);
} else { } else {
allNew = false; allNew = false;
...@@ -341,60 +352,63 @@ public class SubjectDomainCombiner implements java.security.DomainCombiner { ...@@ -341,60 +352,63 @@ public class SubjectDomainCombiner implements java.security.DomainCombiner {
ProtectionDomain subjectPd = cachedPDs.getValue(pd); ProtectionDomain subjectPd = cachedPDs.getValue(pd);
if (subjectPd == null) { if (subjectPd == null) {
if (pdAccess.getStaticPermissionsField(pd)) {
// XXX // keep static ProtectionDomain objects static
// we must first add the original permissions. subjectPd = new ProtectionDomain(pd.getCodeSource(),
// that way when we later add the new JAAS permissions, pd.getPermissions());
// any unresolved JAAS-related permissions will } else {
// automatically get resolved. // XXX
// we must first add the original permissions.
// get the original perms // that way when we later add the new JAAS permissions,
Permissions perms = new Permissions(); // any unresolved JAAS-related permissions will
PermissionCollection coll = pd.getPermissions(); // automatically get resolved.
java.util.Enumeration<Permission> e;
if (coll != null) { // get the original perms
synchronized (coll) { Permissions perms = new Permissions();
e = coll.elements(); PermissionCollection coll = pd.getPermissions();
while (e.hasMoreElements()) { java.util.Enumeration<Permission> e;
Permission newPerm = if (coll != null) {
synchronized (coll) {
e = coll.elements();
while (e.hasMoreElements()) {
Permission newPerm =
e.nextElement(); e.nextElement();
perms.add(newPerm); perms.add(newPerm);
}
} }
} }
}
// get perms from the policy // get perms from the policy
final java.security.CodeSource finalCs = pd.getCodeSource();
final java.security.CodeSource finalCs = pd.getCodeSource(); final Subject finalS = subject;
final Subject finalS = subject; PermissionCollection newPerms =
PermissionCollection newPerms = java.security.AccessController.doPrivileged
java.security.AccessController.doPrivileged (new PrivilegedAction<PermissionCollection>() {
(new PrivilegedAction<PermissionCollection>() { @SuppressWarnings("deprecation")
@SuppressWarnings("deprecation") public PermissionCollection run() {
public PermissionCollection run() { return
return javax.security.auth.Policy.getPolicy().getPermissions
javax.security.auth.Policy.getPolicy().getPermissions (finalS, finalCs);
(finalS, finalCs); }
} });
});
// add the newly granted perms,
// add the newly granted perms, // avoiding duplicates
// avoiding duplicates synchronized (newPerms) {
synchronized (newPerms) { e = newPerms.elements();
e = newPerms.elements(); while (e.hasMoreElements()) {
while (e.hasMoreElements()) { Permission newPerm = e.nextElement();
Permission newPerm = e.nextElement(); if (!perms.implies(newPerm)) {
if (!perms.implies(newPerm)) { perms.add(newPerm);
perms.add(newPerm); if (debug != null)
if (debug != null) debug.println (
debug.println ( "Adding perm " + newPerm + "\n");
"Adding perm " + newPerm + "\n"); }
} }
} }
subjectPd = new ProtectionDomain
(finalCs, perms, pd.getClassLoader(), principals);
} }
subjectPd = new ProtectionDomain
(finalCs, perms, pd.getClassLoader(), principals);
if (allowCaching) if (allowCaching)
cachedPDs.putValue(pd, subjectPd); cachedPDs.putValue(pd, subjectPd);
} }
......
...@@ -36,4 +36,9 @@ public interface JavaSecurityProtectionDomainAccess { ...@@ -36,4 +36,9 @@ public interface JavaSecurityProtectionDomainAccess {
* Returns the ProtectionDomainCache. * Returns the ProtectionDomainCache.
*/ */
ProtectionDomainCache getProtectionDomainCache(); ProtectionDomainCache getProtectionDomainCache();
/**
* Returns the staticPermissions field of the specified object
*/
boolean getStaticPermissionsField(ProtectionDomain pd);
} }
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册