From e3eb729d7581f3a5a4916010df2f146ca225bec0 Mon Sep 17 00:00:00 2001 From: xuelei Date: Thu, 24 Oct 2013 10:02:26 -0700 Subject: [PATCH] 8027204: Revise the update of 8026204 and 8025758 Summary: Rivise the update to use system class loader with null TCCL. Also reviewed by Alexander Fomin Reviewed-by: mchung, ahgross --- .../naming/internal/FactoryEnumeration.java | 1 - .../sun/naming/internal/VersionHelper12.java | 61 ++++-------------- .../security/auth/login/LoginContext.java | 62 +++---------------- 3 files changed, 21 insertions(+), 103 deletions(-) diff --git a/src/share/classes/com/sun/naming/internal/FactoryEnumeration.java b/src/share/classes/com/sun/naming/internal/FactoryEnumeration.java index 83b235dbe..0fe4864d9 100644 --- a/src/share/classes/com/sun/naming/internal/FactoryEnumeration.java +++ b/src/share/classes/com/sun/naming/internal/FactoryEnumeration.java @@ -83,7 +83,6 @@ public final class FactoryEnumeration { try { if (answer == null) { // reload class if weak ref cleared Class cls = Class.forName(className, true, loader); - VersionHelper12.checkPackageAccess(cls); answer = cls; } // Instantiate Class to get factory diff --git a/src/share/classes/com/sun/naming/internal/VersionHelper12.java b/src/share/classes/com/sun/naming/internal/VersionHelper12.java index 126d2781d..bf4586e7e 100644 --- a/src/share/classes/com/sun/naming/internal/VersionHelper12.java +++ b/src/share/classes/com/sun/naming/internal/VersionHelper12.java @@ -39,7 +39,6 @@ import java.util.NoSuchElementException; import java.util.Properties; import javax.naming.*; -import sun.reflect.misc.ReflectUtil; /** * VersionHelper was used by JNDI to accommodate differences between 
@@ -54,18 +53,6 @@ import sun.reflect.misc.ReflectUtil; final class VersionHelper12 extends VersionHelper { - // workaround to disable additional package access control with - // Thread Context Class Loader (TCCL). - private final static boolean noPackageAccessWithTCCL = "true".equals( - AccessController.doPrivileged( - new PrivilegedAction() { - public String run() { - return System.getProperty( - "com.sun.naming.untieAccessContextWithTCCL"); - } - } - )); - // Disallow external from creating one of these. VersionHelper12() { } @@ -83,9 +70,6 @@ final class VersionHelper12 extends VersionHelper { Class loadClass(String className, ClassLoader cl) throws ClassNotFoundException { Class cls = Class.forName(className, true, cl); - if (!noPackageAccessWithTCCL) { - checkPackageAccess(cls); - } return cls; } @@ -103,35 +87,6 @@ final class VersionHelper12 extends VersionHelper { return loadClass(className, cl); } - /** - * check package access of a class that is loaded with Thread Context - * Class Loader (TCCL). - * - * Similar to java.lang.ClassLoader.checkPackageAccess() - */ - static void checkPackageAccess(Class cls) { - final SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - if (ReflectUtil.isNonPublicProxyClass(cls)) { - for (Class intf: cls.getInterfaces()) { - checkPackageAccess(intf); - } - return; - } - - final String name = cls.getName(); - final int i = name.lastIndexOf('.'); - if (i != -1) { - AccessController.doPrivileged(new PrivilegedAction() { - public Void run() { - sm.checkPackageAccess(name.substring(0, i)); - return null; - } - }, AccessController.getContext()); - } - } - } - String getJndiProperty(final int i) { return AccessController.doPrivileged( new PrivilegedAction() { 
@@ -220,18 +175,24 @@ final class VersionHelper12 extends VersionHelper { /** * Package private. * - * This internal method makes use of Thread Context Class Loader (TCCL), - * please don't expose this method as public. + * This internal method returns Thread Context Class Loader (TCCL), + * if null, returns the system Class Loader. * - * Please take care of package access control on the current context - * whenever using TCCL. + * Please don't expose this method as public. */ ClassLoader getContextClassLoader() { return AccessController.doPrivileged( new PrivilegedAction() { public ClassLoader run() { - return Thread.currentThread().getContextClassLoader(); + ClassLoader loader = + Thread.currentThread().getContextClassLoader(); + if (loader == null) { + // Don't use bootstrap class loader directly! + loader = ClassLoader.getSystemClassLoader(); + } + + return loader; } } ); diff --git a/src/share/classes/javax/security/auth/login/LoginContext.java b/src/share/classes/javax/security/auth/login/LoginContext.java index 643688f4d..7f7f2357c 100644 --- a/src/share/classes/javax/security/auth/login/LoginContext.java +++ b/src/share/classes/javax/security/auth/login/LoginContext.java @@ -37,10 +37,8 @@ import javax.security.auth.AuthPermission; import javax.security.auth.callback.*; import java.security.AccessController; import java.security.AccessControlContext; -import java.security.PrivilegedAction; import sun.security.util.PendingException; import sun.security.util.ResourcesMgr; -import sun.reflect.misc.ReflectUtil; /** *
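Review bot: The comment added in `getContextClassLoader()`, `// Don't use bootstrap class loader directly!`, states the rule without the reason, whereas the same fallback in `LoginContext.init` (hunk `@@ -293,7 +278,15 @@`) explains that it is there to ensure proper package access control. Because this commit also removes `checkPackageAccess` and its call in `loadClass`, the null-TCCL fallback is what keeps `Class.forName(className, true, cl)` from being handed a null loader on this path, and the comment should say so. I would align the wording with the LoginContext one, `// Don't use bootstrap class loader directly to ensure proper package access control!`, and add a Javadoc sentence saying the method is meant not to return null for that reason. The method's closing brace lies outside the hunk.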

The {@code LoginContext} class describes the basic methods used @@ -227,19 +225,6 @@ public class LoginContext { private static final sun.security.util.Debug debug = sun.security.util.Debug.getInstance("logincontext", "\t[LoginContext]"); - // workaround to disable additional package access control with - // Thread Context Class Loader (TCCL). - private static final boolean noPackageAccessWithTCCL = "true".equals( - AccessController.doPrivileged( - new PrivilegedAction() { - public String run() { - return System.getProperty( - "auth.login.untieAccessContextWithTCCL"); - } - } - )); - - private void init(String name) throws LoginException { SecurityManager sm = System.getSecurityManager(); @@ -293,7 +278,15 @@ public class LoginContext { contextClassLoader = java.security.AccessController.doPrivileged (new java.security.PrivilegedAction() { public ClassLoader run() { - return Thread.currentThread().getContextClassLoader(); + ClassLoader loader = + Thread.currentThread().getContextClassLoader(); + if (loader == null) { + // Don't use bootstrap class loader directly to ensure + // proper package access control! + loader = ClassLoader.getSystemClassLoader(); + } + + return loader; } }); } @@ -713,17 +706,11 @@ public class LoginContext { // instantiate the LoginModule // // Allow any object to be a LoginModule as long as it - // conforms to the interface if no customized config or - // noPackageAccessWithTCCL is true. + // conforms to the interface. Class c = Class.forName( moduleStack[i].entry.getLoginModuleName(), true, contextClassLoader); - // check package access for customized config - if (!noPackageAccessWithTCCL && creatorAcc != null) { - c.asSubclass(javax.security.auth.spi.LoginModule.class); - checkPackageAccess(c, creatorAcc); - } Constructor constructor = c.getConstructor(PARAMS); Object[] args = { }; 
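Review bot: In hunk `@@ -713,17 +706,11 @@`, with `checkPackageAccess(c, creatorAcc)` removed, nothing between `Class.forName(..., true, contextClassLoader)` and `c.getConstructor(PARAMS)` restricts which package the configured module name may resolve to, and the shortened comment no longer says where that control now lives. From the lines shown, the only remaining safeguard is the loader chosen in `init` (hunk `@@ -293,7 +278,15 @@`), so enforcement presumably rests on that loader's own `loadClass` applying the security manager's package check. Whether a caller-supplied non-null TCCL does the same cannot be confirmed from this diff. I would record the dependency at the call site, e.g. `// Package access control is delegated to contextClassLoader (see init(): a null TCCL falls back to the system class loader).` The enclosing method starts and ends outside the hunk.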
@@ -926,35 +913,6 @@ public class LoginContext { } } - /** - * check package access of a class that is loaded with Thread Context - * Class Loader (TCCL) with specified access control context. - * - * Similar to java.lang.ClassLoader.checkPackageAccess() - */ - static void checkPackageAccess(Class cls, AccessControlContext context) { - final SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - if (ReflectUtil.isNonPublicProxyClass(cls)) { - for (Class intf: cls.getInterfaces()) { - checkPackageAccess(intf, context); - } - return; - } - - final String name = cls.getName(); - final int i = name.lastIndexOf('.'); - if (i != -1) { - AccessController.doPrivileged(new PrivilegedAction() { - public Void run() { - sm.checkPackageAccess(name.substring(0, i)); - return null; - } - }, context); - } - } - } - /** * Wrap the caller-specified CallbackHandler in our own * and invoke it within a privileged block, constrained by -- GitLab