diff --git a/src/share/classes/java/security/ProtectionDomain.java b/src/share/classes/java/security/ProtectionDomain.java index b1778490f5a6dacc18e2250ff5e9999472bf5f7c..ffd2def18d108dcbd33819f34ea5cf70d90e6ad4 100644 --- a/src/share/classes/java/security/ProtectionDomain.java +++ b/src/share/classes/java/security/ProtectionDomain.java @@ -475,6 +475,11 @@ public class ProtectionDomain { } }; } + + @Override + public boolean getStaticPermissionsField(ProtectionDomain pd) { + return pd.staticPermissions; + } }); } } diff --git a/src/share/classes/javax/security/auth/SubjectDomainCombiner.java b/src/share/classes/javax/security/auth/SubjectDomainCombiner.java index da75d68342506ca3be7584b41d79a70c08b79199..89812d28476dfda6ca221a09c24db9f5c9df7388 100644 --- a/src/share/classes/javax/security/auth/SubjectDomainCombiner.java +++ b/src/share/classes/javax/security/auth/SubjectDomainCombiner.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2016, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -37,6 +37,8 @@ import java.security.Security; import java.util.Set; import java.util.WeakHashMap; import java.lang.ref.WeakReference; +import sun.misc.SharedSecrets; +import sun.misc.JavaSecurityProtectionDomainAccess; /** * A {@code SubjectDomainCombiner} updates ProtectionDomains @@ -65,6 +67,9 @@ public class SubjectDomainCombiner implements java.security.DomainCombiner { private static final boolean allowCaching = (useJavaxPolicy && cachePolicy()); + private static final JavaSecurityProtectionDomainAccess pdAccess = + SharedSecrets.getJavaSecurityProtectionDomainAccess(); + /** * Associate the provided {@code Subject} with this * {@code SubjectDomainCombiner}. 
@@ -239,10 +244,16 @@ public class SubjectDomainCombiner implements java.security.DomainCombiner { subjectPd = cachedPDs.getValue(pd); if (subjectPd == null) { - subjectPd = new ProtectionDomain(pd.getCodeSource(), + if (pdAccess.getStaticPermissionsField(pd)) { + // Need to keep static ProtectionDomain objects static + subjectPd = new ProtectionDomain(pd.getCodeSource(), + pd.getPermissions()); + } else { + subjectPd = new ProtectionDomain(pd.getCodeSource(), pd.getPermissions(), pd.getClassLoader(), principals); + } cachedPDs.putValue(pd, subjectPd); } else { allNew = false; 
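Review bot: The comment on the new static branch, `// Need to keep static ProtectionDomain objects static`, records what the code does but not why, and the reason is the security-relevant part. A domain built with the four-argument constructor, as in the else branch, has its permissions evaluated against the current Policy as well, so rebuilding a static domain that way could let grants tied to the Subject's principals widen a permission set that was meant to be fixed. I would say so in the comment, for example `// static PD: permissions are fixed; the 4-arg constructor would make them Policy-evaluated`. The `@@ -341,60 +352,63 @@` hunk carries the same branch with the same short comment. The enclosing method starts and ends outside this hunk.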
@@ -341,60 +352,63 @@ public class SubjectDomainCombiner implements java.security.DomainCombiner { ProtectionDomain subjectPd = cachedPDs.getValue(pd); if (subjectPd == null) { - - // XXX - // we must first add the original permissions. - // that way when we later add the new JAAS permissions, - // any unresolved JAAS-related permissions will - // automatically get resolved. - - // get the original perms - Permissions perms = new Permissions(); - PermissionCollection coll = pd.getPermissions(); - java.util.Enumeration e; - if (coll != null) { - synchronized (coll) { - e = coll.elements(); - while (e.hasMoreElements()) { - Permission newPerm = + if (pdAccess.getStaticPermissionsField(pd)) { + // keep static ProtectionDomain objects static + subjectPd = new ProtectionDomain(pd.getCodeSource(), + pd.getPermissions()); + } else { + // XXX + // we must first add the original permissions. + // that way when we later add the new JAAS permissions, + // any unresolved JAAS-related permissions will + // automatically get resolved. 
+ + // get the original perms + Permissions perms = new Permissions(); + PermissionCollection coll = pd.getPermissions(); + java.util.Enumeration e; + if (coll != null) { + synchronized (coll) { + e = coll.elements(); + while (e.hasMoreElements()) { + Permission newPerm = e.nextElement(); - perms.add(newPerm); + perms.add(newPerm); + } } } - } - // get perms from the policy - - final java.security.CodeSource finalCs = pd.getCodeSource(); - final Subject finalS = subject; - PermissionCollection newPerms = - java.security.AccessController.doPrivileged - (new PrivilegedAction() { - @SuppressWarnings("deprecation") - public PermissionCollection run() { - return - javax.security.auth.Policy.getPolicy().getPermissions - (finalS, finalCs); - } - }); - - // add the newly granted perms, - // avoiding duplicates - synchronized (newPerms) { - e = newPerms.elements(); - while (e.hasMoreElements()) { - Permission newPerm = e.nextElement(); - if (!perms.implies(newPerm)) { - perms.add(newPerm); - if (debug != null) - debug.println ( - "Adding perm " + newPerm + "\n"); + // get perms from the policy + final java.security.CodeSource finalCs = pd.getCodeSource(); + final Subject finalS = subject; + PermissionCollection newPerms = + java.security.AccessController.doPrivileged + (new PrivilegedAction() { + @SuppressWarnings("deprecation") + public PermissionCollection run() { + return + javax.security.auth.Policy.getPolicy().getPermissions + (finalS, finalCs); + } + }); + + // add the newly granted perms, + // avoiding duplicates + synchronized (newPerms) { + e = newPerms.elements(); + while (e.hasMoreElements()) { + Permission newPerm = e.nextElement(); + if (!perms.implies(newPerm)) { + perms.add(newPerm); + if (debug != null) + debug.println ( + "Adding perm " + newPerm + "\n"); + } } } + subjectPd = new ProtectionDomain + (finalCs, perms, pd.getClassLoader(), principals); } - subjectPd = new ProtectionDomain - (finalCs, perms, pd.getClassLoader(), principals); - if (allowCaching) 
cachedPDs.putValue(pd, subjectPd); } diff --git a/src/share/classes/sun/misc/JavaSecurityProtectionDomainAccess.java b/src/share/classes/sun/misc/JavaSecurityProtectionDomainAccess.java index 95560ffab68210ca69a5ddc299b80e2780dc0204..3567f350f23cbc47ddfd5335840d702828db78a8 100644 --- a/src/share/classes/sun/misc/JavaSecurityProtectionDomainAccess.java +++ b/src/share/classes/sun/misc/JavaSecurityProtectionDomainAccess.java @@ -36,4 +36,9 @@ public interface JavaSecurityProtectionDomainAccess { * Returns the ProtectionDomainCache. */ ProtectionDomainCache getProtectionDomainCache(); + + /** + * Returns the staticPermissions field of the specified object + */ + boolean getStaticPermissionsField(ProtectionDomain pd); }
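Review bot: The static-domain branch at the top of this hunk is a second copy of the check-and-construct added in the `@@ -239,10 +244,16 @@` hunk, so the rule that static domains stay static now lives in two places that have to be kept in step. A small private helper, e.g. `private static ProtectionDomain copyOfStatic(ProtectionDomain pd)` returning `new ProtectionDomain(pd.getCodeSource(), pd.getPermissions())`, would give both call sites one definition. The visible diff also adds no test for either path; a regression test that combines a static domain under a Subject and checks that the resulting domain is not widened by Policy grants would pin the behaviour. The rest of this hunk appears to be the old body re-indented under the new else, and the enclosing method continues outside it.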
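Review bot: The Javadoc added for `getStaticPermissionsField` only restates the method name, and ends without a period. SubjectDomainCombiner uses the result to decide whether a domain may be rebuilt as a Policy-evaluated one, so the contract deserves a sentence: what `true` means, and that `pd` must be non-null, since the implementation in ProtectionDomain.java reads `pd.staticPermissions` directly. Suggested text: `Returns true if the permissions of pd are static, that is, fixed when pd was constructed; pd must not be null.`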