8021191: Add isAuthorized check to limited doPrivileged methods

Reviewed-by: weijun, xuelei

src/share/classes/java/security/AccessControlContext.java

@@ -350,6 +350,10 @@ public final class AccessControlContext {
         return combiner;
     }
 
+    boolean isAuthorized() {
+        return isAuthorized;
+    }
+
     /**
      * Determines whether the access request indicated by the
      * specified permission should be allowed or denied, based on

src/share/classes/java/security/AccessController.java

@@ -344,9 +344,10 @@ public final class AccessController {
      * If the action's {@code run} method throws an (unchecked) exception,
      * it will propagate through this method.
      * <p>
-     * If a security manager is installed and the {@code AccessControlContext}
-     * was not created by system code and the caller's {@code ProtectionDomain}
-     * has not been granted the {@literal "createAccessControlContext"}
+     * If a security manager is installed and the specified
+     * {@code AccessControlContext} was not created by system code and the
+     * caller's {@code ProtectionDomain} has not been granted the
+     * {@literal "createAccessControlContext"}
      * {@link java.security.SecurityPermission}, then the action is performed
      * with no permissions.
      *
@@ -384,6 +385,13 @@ public final class AccessController {
      * <p>
      * If the action's {@code run} method throws an (unchecked) exception,
      * it will propagate through this method.
+     * <p>
+     * If a security manager is installed and the specified
+     * {@code AccessControlContext} was not created by system code and the
+     * caller's {@code ProtectionDomain} has not been granted the
+     * {@literal "createAccessControlContext"}
+     * {@link java.security.SecurityPermission}, then the action is performed
+     * with no permissions.
      *
      * @param <T> the type of the value returned by the PrivilegedAction's
      *                  {@code run} method.
@@ -438,6 +446,13 @@ public final class AccessController {
      *
      * <p> This method preserves the current AccessControlContext's
      * DomainCombiner (which may be null) while the action is performed.
+     * <p>
+     * If a security manager is installed and the specified
+     * {@code AccessControlContext} was not created by system code and the
+     * caller's {@code ProtectionDomain} has not been granted the
+     * {@literal "createAccessControlContext"}
+     * {@link java.security.SecurityPermission}, then the action is performed
+     * with no permissions.
      *
      * @param <T> the type of the value returned by the PrivilegedAction's
      *                  {@code run} method.
@@ -571,8 +586,18 @@ public final class AccessController {
                       AccessControlContext parent, AccessControlContext context,
                       Permission[] perms)
     {
-        return new AccessControlContext(getCallerPD(caller), combiner, parent,
-                                        context, perms);
+        ProtectionDomain callerPD = getCallerPD(caller);
+        // check if caller is authorized to create context
+        if (context != null && !context.isAuthorized() &&
+            System.getSecurityManager() != null &&
+            !callerPD.impliesCreateAccessControlContext())
+        {
+            ProtectionDomain nullPD = new ProtectionDomain(null, null);
+            return new AccessControlContext(new ProtectionDomain[] { nullPD });
+        } else {
+            return new AccessControlContext(callerPD, combiner, parent,
+                                            context, perms);
+        }
     }
 
     private static ProtectionDomain getCallerPD(final Class <?> caller) {
@@ -597,9 +622,10 @@ public final class AccessController {
      * If the action's {@code run} method throws an <i>unchecked</i>
      * exception, it will propagate through this method.
      * <p>
-     * If a security manager is installed and the {@code AccessControlContext}
-     * was not created by system code and the caller's {@code ProtectionDomain}
-     * has not been granted the {@literal "createAccessControlContext"}
+     * If a security manager is installed and the specified
+     * {@code AccessControlContext} was not created by system code and the
+     * caller's {@code ProtectionDomain} has not been granted the
+     * {@literal "createAccessControlContext"}
      * {@link java.security.SecurityPermission}, then the action is performed
      * with no permissions.
      *
@@ -641,6 +667,13 @@ public final class AccessController {
      * <p>
      * If the action's {@code run} method throws an (unchecked) exception,
      * it will propagate through this method.
+     * <p>
+     * If a security manager is installed and the specified
+     * {@code AccessControlContext} was not created by system code and the
+     * caller's {@code ProtectionDomain} has not been granted the
+     * {@literal "createAccessControlContext"}
+     * {@link java.security.SecurityPermission}, then the action is performed
+     * with no permissions.
      *
      * @param <T> the type of the value returned by the
      *                  PrivilegedExceptionAction's {@code run} method.
@@ -697,6 +730,13 @@ public final class AccessController {
      *
      * <p> This method preserves the current AccessControlContext's
      * DomainCombiner (which may be null) while the action is performed.
+     * <p>
+     * If a security manager is installed and the specified
+     * {@code AccessControlContext} was not created by system code and the
+     * caller's {@code ProtectionDomain} has not been granted the
+     * {@literal "createAccessControlContext"}
+     * {@link java.security.SecurityPermission}, then the action is performed
+     * with no permissions.
      *
      * @param <T> the type of the value returned by the
      *                  PrivilegedExceptionAction's {@code run} method.