8344420: Remove Security Manager dependencies from javax.security package
Reviewed-by: alanb, rriggs, wetmore
This commit is contained in:
parent
246552674c
commit
65c98e577f
src/java.base/share/classes
com/sun/security/ntlm
javax/security
test/jdk/javax/security/auth/login
Configuration
LoginContext
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 2010, 2022, Oracle and/or its affiliates. All rights reserved.
|
* Copyright (c) 2010, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
*
|
*
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
@ -25,8 +25,6 @@
|
|||||||
|
|
||||||
package com.sun.security.ntlm;
|
package com.sun.security.ntlm;
|
||||||
|
|
||||||
import sun.security.action.GetBooleanAction;
|
|
||||||
|
|
||||||
import static com.sun.security.ntlm.Version.*;
|
import static com.sun.security.ntlm.Version.*;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.nio.charset.StandardCharsets;
|
import java.nio.charset.StandardCharsets;
|
||||||
@ -57,8 +55,7 @@ class NTLM {
|
|||||||
private final MessageDigest md4;
|
private final MessageDigest md4;
|
||||||
private final Mac hmac;
|
private final Mac hmac;
|
||||||
private final MessageDigest md5;
|
private final MessageDigest md5;
|
||||||
private static final boolean DEBUG
|
private static final boolean DEBUG = Boolean.getBoolean("ntlm.debug");
|
||||||
= GetBooleanAction.privilegedGetProperty("ntlm.debug");
|
|
||||||
|
|
||||||
final Version v;
|
final Version v;
|
||||||
|
|
||||||
|
@ -237,12 +237,6 @@ public final class Subject implements java.io.Serializable {
|
|||||||
* it can not be reset to being writable again.
|
* it can not be reset to being writable again.
|
||||||
*/
|
*/
|
||||||
public void setReadOnly() {
|
public void setReadOnly() {
|
||||||
@SuppressWarnings("removal")
|
|
||||||
java.lang.SecurityManager sm = System.getSecurityManager();
|
|
||||||
if (sm != null) {
|
|
||||||
sm.checkPermission(AuthPermissionHolder.SET_READ_ONLY_PERMISSION);
|
|
||||||
}
|
|
||||||
|
|
||||||
this.readOnly = true;
|
this.readOnly = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -305,7 +299,6 @@ public final class Subject implements java.io.Serializable {
|
|||||||
* @see #callAs(Subject, Callable)
|
* @see #callAs(Subject, Callable)
|
||||||
* @since 18
|
* @since 18
|
||||||
*/
|
*/
|
||||||
@SuppressWarnings("removal")
|
|
||||||
public static Subject current() {
|
public static Subject current() {
|
||||||
return SCOPED_SUBJECT.orElse(null);
|
return SCOPED_SUBJECT.orElse(null);
|
||||||
}
|
}
|
||||||
@ -375,16 +368,10 @@ public final class Subject implements java.io.Serializable {
|
|||||||
*
|
*
|
||||||
* @see #callAs(Subject, Callable)
|
* @see #callAs(Subject, Callable)
|
||||||
*/
|
*/
|
||||||
@SuppressWarnings("removal")
|
|
||||||
@Deprecated(since="18", forRemoval=true)
|
@Deprecated(since="18", forRemoval=true)
|
||||||
public static <T> T doAs(final Subject subject,
|
public static <T> T doAs(final Subject subject,
|
||||||
final java.security.PrivilegedAction<T> action) {
|
final java.security.PrivilegedAction<T> action) {
|
||||||
|
|
||||||
java.lang.SecurityManager sm = System.getSecurityManager();
|
|
||||||
if (sm != null) {
|
|
||||||
sm.checkPermission(AuthPermissionHolder.DO_AS_PERMISSION);
|
|
||||||
}
|
|
||||||
|
|
||||||
Objects.requireNonNull(action,
|
Objects.requireNonNull(action,
|
||||||
ResourcesMgr.getString("invalid.null.action.provided"));
|
ResourcesMgr.getString("invalid.null.action.provided"));
|
||||||
|
|
||||||
@ -441,17 +428,11 @@ public final class Subject implements java.io.Serializable {
|
|||||||
*
|
*
|
||||||
* @see #callAs(Subject, Callable)
|
* @see #callAs(Subject, Callable)
|
||||||
*/
|
*/
|
||||||
@SuppressWarnings("removal")
|
|
||||||
@Deprecated(since="18", forRemoval=true)
|
@Deprecated(since="18", forRemoval=true)
|
||||||
public static <T> T doAs(final Subject subject,
|
public static <T> T doAs(final Subject subject,
|
||||||
final java.security.PrivilegedExceptionAction<T> action)
|
final java.security.PrivilegedExceptionAction<T> action)
|
||||||
throws java.security.PrivilegedActionException {
|
throws java.security.PrivilegedActionException {
|
||||||
|
|
||||||
java.lang.SecurityManager sm = System.getSecurityManager();
|
|
||||||
if (sm != null) {
|
|
||||||
sm.checkPermission(AuthPermissionHolder.DO_AS_PERMISSION);
|
|
||||||
}
|
|
||||||
|
|
||||||
Objects.requireNonNull(action,
|
Objects.requireNonNull(action,
|
||||||
ResourcesMgr.getString("invalid.null.action.provided"));
|
ResourcesMgr.getString("invalid.null.action.provided"));
|
||||||
|
|
||||||
@ -514,11 +495,6 @@ public final class Subject implements java.io.Serializable {
|
|||||||
final java.security.PrivilegedAction<T> action,
|
final java.security.PrivilegedAction<T> action,
|
||||||
final java.security.AccessControlContext acc) {
|
final java.security.AccessControlContext acc) {
|
||||||
|
|
||||||
java.lang.SecurityManager sm = System.getSecurityManager();
|
|
||||||
if (sm != null) {
|
|
||||||
sm.checkPermission(AuthPermissionHolder.DO_AS_PRIVILEGED_PERMISSION);
|
|
||||||
}
|
|
||||||
|
|
||||||
Objects.requireNonNull(action,
|
Objects.requireNonNull(action,
|
||||||
ResourcesMgr.getString("invalid.null.action.provided"));
|
ResourcesMgr.getString("invalid.null.action.provided"));
|
||||||
|
|
||||||
@ -585,11 +561,6 @@ public final class Subject implements java.io.Serializable {
|
|||||||
final java.security.AccessControlContext acc)
|
final java.security.AccessControlContext acc)
|
||||||
throws java.security.PrivilegedActionException {
|
throws java.security.PrivilegedActionException {
|
||||||
|
|
||||||
java.lang.SecurityManager sm = System.getSecurityManager();
|
|
||||||
if (sm != null) {
|
|
||||||
sm.checkPermission(AuthPermissionHolder.DO_AS_PRIVILEGED_PERMISSION);
|
|
||||||
}
|
|
||||||
|
|
||||||
Objects.requireNonNull(action,
|
Objects.requireNonNull(action,
|
||||||
ResourcesMgr.getString("invalid.null.action.provided"));
|
ResourcesMgr.getString("invalid.null.action.provided"));
|
||||||
|
|
||||||
@ -609,25 +580,6 @@ public final class Subject implements java.io.Serializable {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("removal")
|
|
||||||
private static AccessControlContext createContext(final Subject subject,
|
|
||||||
final AccessControlContext acc) {
|
|
||||||
|
|
||||||
|
|
||||||
return java.security.AccessController.doPrivileged
|
|
||||||
(new java.security.PrivilegedAction<>() {
|
|
||||||
public AccessControlContext run() {
|
|
||||||
if (subject == null) {
|
|
||||||
return new AccessControlContext(acc, null);
|
|
||||||
} else {
|
|
||||||
return new AccessControlContext
|
|
||||||
(acc,
|
|
||||||
new SubjectDomainCombiner(subject));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Return the {@code Set} of Principals associated with this
|
* Return the {@code Set} of Principals associated with this
|
||||||
* {@code Subject}. Each {@code Principal} represents
|
* {@code Subject}. Each {@code Principal} represents
|
||||||
@ -713,14 +665,6 @@ public final class Subject implements java.io.Serializable {
|
|||||||
*/
|
*/
|
||||||
public Set<Object> getPrivateCredentials() {
|
public Set<Object> getPrivateCredentials() {
|
||||||
|
|
||||||
// XXX
|
|
||||||
// we do not need a security check for
|
|
||||||
// AuthPermission(getPrivateCredentials)
|
|
||||||
// because we already restrict access to private credentials
|
|
||||||
// via the PrivateCredentialPermission. all the extra AuthPermission
|
|
||||||
// would do is protect the set operations themselves
|
|
||||||
// (like size()), which don't seem security-sensitive.
|
|
||||||
|
|
||||||
// always return an empty Set instead of null
|
// always return an empty Set instead of null
|
||||||
// so LoginModules can add to the Set if necessary
|
// so LoginModules can add to the Set if necessary
|
||||||
return privCredentials;
|
return privCredentials;
|
||||||
@ -782,14 +726,6 @@ public final class Subject implements java.io.Serializable {
|
|||||||
*/
|
*/
|
||||||
public <T> Set<T> getPrivateCredentials(Class<T> c) {
|
public <T> Set<T> getPrivateCredentials(Class<T> c) {
|
||||||
|
|
||||||
// XXX
|
|
||||||
// we do not need a security check for
|
|
||||||
// AuthPermission(getPrivateCredentials)
|
|
||||||
// because we already restrict access to private credentials
|
|
||||||
// via the PrivateCredentialPermission. all the extra AuthPermission
|
|
||||||
// would do is protect the set operations themselves
|
|
||||||
// (like size()), which don't seem security-sensitive.
|
|
||||||
|
|
||||||
Objects.requireNonNull(c,
|
Objects.requireNonNull(c,
|
||||||
ResourcesMgr.getString("invalid.null.Class.provided"));
|
ResourcesMgr.getString("invalid.null.Class.provided"));
|
||||||
|
|
||||||
@ -857,15 +793,6 @@ public final class Subject implements java.io.Serializable {
|
|||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public String toString() {
|
public String toString() {
|
||||||
return toString(true);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* package private convenience method to print out the Subject
|
|
||||||
* without firing off a security check when trying to access
|
|
||||||
* the Private Credentials
|
|
||||||
*/
|
|
||||||
String toString(boolean includePrivateCredentials) {
|
|
||||||
|
|
||||||
String s = ResourcesMgr.getString("Subject.");
|
String s = ResourcesMgr.getString("Subject.");
|
||||||
String suffix = "";
|
String suffix = "";
|
||||||
@ -885,21 +812,19 @@ public final class Subject implements java.io.Serializable {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (includePrivateCredentials) {
|
synchronized(privCredentials) {
|
||||||
synchronized(privCredentials) {
|
Iterator<Object> pI = privCredentials.iterator();
|
||||||
Iterator<Object> pI = privCredentials.iterator();
|
while (pI.hasNext()) {
|
||||||
while (pI.hasNext()) {
|
try {
|
||||||
try {
|
Object o = pI.next();
|
||||||
Object o = pI.next();
|
suffix += ResourcesMgr.getString
|
||||||
suffix += ResourcesMgr.getString
|
(".Private.Credential.") +
|
||||||
(".Private.Credential.") +
|
o.toString() +
|
||||||
o.toString() +
|
ResourcesMgr.getString("NEWLINE");
|
||||||
ResourcesMgr.getString("NEWLINE");
|
} catch (SecurityException se) {
|
||||||
} catch (SecurityException se) {
|
suffix += ResourcesMgr.getString
|
||||||
suffix += ResourcesMgr.getString
|
(".Private.Credential.inaccessible.");
|
||||||
(".Private.Credential.inaccessible.");
|
break;
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1091,22 +1016,6 @@ public final class Subject implements java.io.Serializable {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public E next() {
|
public E next() {
|
||||||
if (which != Subject.PRIV_CREDENTIAL_SET) {
|
|
||||||
return i.next();
|
|
||||||
}
|
|
||||||
|
|
||||||
@SuppressWarnings("removal")
|
|
||||||
SecurityManager sm = System.getSecurityManager();
|
|
||||||
if (sm != null) {
|
|
||||||
try {
|
|
||||||
sm.checkPermission(new PrivateCredentialPermission
|
|
||||||
(list.get(i.nextIndex()).getClass().getName(),
|
|
||||||
subject.getPrincipals()));
|
|
||||||
} catch (SecurityException se) {
|
|
||||||
i.next();
|
|
||||||
throw (se);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return i.next();
|
return i.next();
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1117,21 +1026,6 @@ public final class Subject implements java.io.Serializable {
|
|||||||
("Subject.is.read.only"));
|
("Subject.is.read.only"));
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("removal")
|
|
||||||
java.lang.SecurityManager sm = System.getSecurityManager();
|
|
||||||
if (sm != null) {
|
|
||||||
switch (which) {
|
|
||||||
case Subject.PRINCIPAL_SET:
|
|
||||||
sm.checkPermission(AuthPermissionHolder.MODIFY_PRINCIPALS_PERMISSION);
|
|
||||||
break;
|
|
||||||
case Subject.PUB_CREDENTIAL_SET:
|
|
||||||
sm.checkPermission(AuthPermissionHolder.MODIFY_PUBLIC_CREDENTIALS_PERMISSION);
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
sm.checkPermission(AuthPermissionHolder.MODIFY_PRIVATE_CREDENTIALS_PERMISSION);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
i.remove();
|
i.remove();
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
@ -1147,22 +1041,6 @@ public final class Subject implements java.io.Serializable {
|
|||||||
(ResourcesMgr.getString("Subject.is.read.only"));
|
(ResourcesMgr.getString("Subject.is.read.only"));
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("removal")
|
|
||||||
java.lang.SecurityManager sm = System.getSecurityManager();
|
|
||||||
if (sm != null) {
|
|
||||||
switch (which) {
|
|
||||||
case Subject.PRINCIPAL_SET:
|
|
||||||
sm.checkPermission(AuthPermissionHolder.MODIFY_PRINCIPALS_PERMISSION);
|
|
||||||
break;
|
|
||||||
case Subject.PUB_CREDENTIAL_SET:
|
|
||||||
sm.checkPermission(AuthPermissionHolder.MODIFY_PUBLIC_CREDENTIALS_PERMISSION);
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
sm.checkPermission(AuthPermissionHolder.MODIFY_PRIVATE_CREDENTIALS_PERMISSION);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
switch (which) {
|
switch (which) {
|
||||||
case Subject.PRINCIPAL_SET:
|
case Subject.PRINCIPAL_SET:
|
||||||
if (!(o instanceof Principal)) {
|
if (!(o instanceof Principal)) {
|
||||||
@ -1180,10 +1058,9 @@ public final class Subject implements java.io.Serializable {
|
|||||||
return elements.add(o);
|
return elements.add(o);
|
||||||
else {
|
else {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("removal")
|
|
||||||
public boolean remove(Object o) {
|
public boolean remove(Object o) {
|
||||||
|
|
||||||
Objects.requireNonNull(o,
|
Objects.requireNonNull(o,
|
||||||
@ -1191,17 +1068,7 @@ public final class Subject implements java.io.Serializable {
|
|||||||
|
|
||||||
final Iterator<E> e = iterator();
|
final Iterator<E> e = iterator();
|
||||||
while (e.hasNext()) {
|
while (e.hasNext()) {
|
||||||
E next;
|
E next = e.next();
|
||||||
if (which != Subject.PRIV_CREDENTIAL_SET) {
|
|
||||||
next = e.next();
|
|
||||||
} else {
|
|
||||||
next = java.security.AccessController.doPrivileged
|
|
||||||
(new java.security.PrivilegedAction<E>() {
|
|
||||||
public E run() {
|
|
||||||
return e.next();
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
if (next.equals(o)) {
|
if (next.equals(o)) {
|
||||||
e.remove();
|
e.remove();
|
||||||
@ -1211,7 +1078,6 @@ public final class Subject implements java.io.Serializable {
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("removal")
|
|
||||||
public boolean contains(Object o) {
|
public boolean contains(Object o) {
|
||||||
|
|
||||||
Objects.requireNonNull(o,
|
Objects.requireNonNull(o,
|
||||||
@ -1219,30 +1085,7 @@ public final class Subject implements java.io.Serializable {
|
|||||||
|
|
||||||
final Iterator<E> e = iterator();
|
final Iterator<E> e = iterator();
|
||||||
while (e.hasNext()) {
|
while (e.hasNext()) {
|
||||||
E next;
|
E next = e.next();
|
||||||
if (which != Subject.PRIV_CREDENTIAL_SET) {
|
|
||||||
next = e.next();
|
|
||||||
} else {
|
|
||||||
|
|
||||||
// For private credentials:
|
|
||||||
// If the caller does not have read permission
|
|
||||||
// for o.getClass(), we throw a SecurityException.
|
|
||||||
// Otherwise, we check the private cred set to see whether
|
|
||||||
// it contains the Object
|
|
||||||
|
|
||||||
SecurityManager sm = System.getSecurityManager();
|
|
||||||
if (sm != null) {
|
|
||||||
sm.checkPermission(new PrivateCredentialPermission
|
|
||||||
(o.getClass().getName(),
|
|
||||||
subject.getPrincipals()));
|
|
||||||
}
|
|
||||||
next = java.security.AccessController.doPrivileged
|
|
||||||
(new java.security.PrivilegedAction<E>() {
|
|
||||||
public E run() {
|
|
||||||
return e.next();
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
if (next.equals(o)) {
|
if (next.equals(o)) {
|
||||||
return true;
|
return true;
|
||||||
@ -1263,24 +1106,13 @@ public final class Subject implements java.io.Serializable {
|
|||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("removal")
|
|
||||||
public boolean removeAll(Collection<?> c) {
|
public boolean removeAll(Collection<?> c) {
|
||||||
c = collectionNullClean(c);
|
c = collectionNullClean(c);
|
||||||
|
|
||||||
boolean modified = false;
|
boolean modified = false;
|
||||||
final Iterator<E> e = iterator();
|
final Iterator<E> e = iterator();
|
||||||
while (e.hasNext()) {
|
while (e.hasNext()) {
|
||||||
E next;
|
E next = e.next();
|
||||||
if (which != Subject.PRIV_CREDENTIAL_SET) {
|
|
||||||
next = e.next();
|
|
||||||
} else {
|
|
||||||
next = java.security.AccessController.doPrivileged
|
|
||||||
(new java.security.PrivilegedAction<E>() {
|
|
||||||
public E run() {
|
|
||||||
return e.next();
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
for (Object o : c) {
|
for (Object o : c) {
|
||||||
if (next.equals(o)) {
|
if (next.equals(o)) {
|
||||||
@ -1305,24 +1137,13 @@ public final class Subject implements java.io.Serializable {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("removal")
|
|
||||||
public boolean retainAll(Collection<?> c) {
|
public boolean retainAll(Collection<?> c) {
|
||||||
c = collectionNullClean(c);
|
c = collectionNullClean(c);
|
||||||
|
|
||||||
boolean modified = false;
|
boolean modified = false;
|
||||||
final Iterator<E> e = iterator();
|
final Iterator<E> e = iterator();
|
||||||
while (e.hasNext()) {
|
while (e.hasNext()) {
|
||||||
E next;
|
E next = e.next();
|
||||||
if (which != Subject.PRIV_CREDENTIAL_SET) {
|
|
||||||
next = e.next();
|
|
||||||
} else {
|
|
||||||
next = java.security.AccessController.doPrivileged
|
|
||||||
(new java.security.PrivilegedAction<E>() {
|
|
||||||
public E run() {
|
|
||||||
return e.next();
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
if (c.contains(next) == false) {
|
if (c.contains(next) == false) {
|
||||||
e.remove();
|
e.remove();
|
||||||
@ -1333,21 +1154,10 @@ public final class Subject implements java.io.Serializable {
|
|||||||
return modified;
|
return modified;
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("removal")
|
|
||||||
public void clear() {
|
public void clear() {
|
||||||
final Iterator<E> e = iterator();
|
final Iterator<E> e = iterator();
|
||||||
while (e.hasNext()) {
|
while (e.hasNext()) {
|
||||||
E next;
|
E next = e.next();
|
||||||
if (which != Subject.PRIV_CREDENTIAL_SET) {
|
|
||||||
next = e.next();
|
|
||||||
} else {
|
|
||||||
next = java.security.AccessController.doPrivileged
|
|
||||||
(new java.security.PrivilegedAction<E>() {
|
|
||||||
public E run() {
|
|
||||||
return e.next();
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
|
||||||
e.remove();
|
e.remove();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1357,30 +1167,10 @@ public final class Subject implements java.io.Serializable {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public Object[] toArray() {
|
public Object[] toArray() {
|
||||||
final Iterator<E> e = iterator();
|
|
||||||
while (e.hasNext()) {
|
|
||||||
// The next() method performs a security manager check
|
|
||||||
// on each element in the SecureSet. If we make it all
|
|
||||||
// the way through we should be able to simply return
|
|
||||||
// element's toArray results. Otherwise, we'll let
|
|
||||||
// the SecurityException pass up the call stack.
|
|
||||||
e.next();
|
|
||||||
}
|
|
||||||
|
|
||||||
return elements.toArray();
|
return elements.toArray();
|
||||||
}
|
}
|
||||||
|
|
||||||
public <T> T[] toArray(T[] a) {
|
public <T> T[] toArray(T[] a) {
|
||||||
final Iterator<E> e = iterator();
|
|
||||||
while (e.hasNext()) {
|
|
||||||
// The next() method performs a security manager check
|
|
||||||
// on each element in the SecureSet. If we make it all
|
|
||||||
// the way through we should be able to simply return
|
|
||||||
// element's toArray results. Otherwise, we'll let
|
|
||||||
// the SecurityException pass up the call stack.
|
|
||||||
e.next();
|
|
||||||
}
|
|
||||||
|
|
||||||
return elements.toArray(a);
|
return elements.toArray(a);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1425,13 +1215,6 @@ public final class Subject implements java.io.Serializable {
|
|||||||
private void writeObject(java.io.ObjectOutputStream oos)
|
private void writeObject(java.io.ObjectOutputStream oos)
|
||||||
throws java.io.IOException {
|
throws java.io.IOException {
|
||||||
|
|
||||||
if (which == Subject.PRIV_CREDENTIAL_SET) {
|
|
||||||
// check permissions before serializing
|
|
||||||
Iterator<E> i = iterator();
|
|
||||||
while (i.hasNext()) {
|
|
||||||
i.next();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
ObjectOutputStream.PutField fields = oos.putFields();
|
ObjectOutputStream.PutField fields = oos.putFields();
|
||||||
fields.put("this$0", subject);
|
fields.put("this$0", subject);
|
||||||
fields.put("elements", elements);
|
fields.put("elements", elements);
|
||||||
@ -1490,7 +1273,7 @@ public final class Subject implements java.io.Serializable {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings({"removal","unchecked"}) /*To suppress warning from line 1374*/
|
@SuppressWarnings("unchecked")
|
||||||
private void populateSet() {
|
private void populateSet() {
|
||||||
final Iterator<?> iterator;
|
final Iterator<?> iterator;
|
||||||
switch(which) {
|
switch(which) {
|
||||||
@ -1505,34 +1288,10 @@ public final class Subject implements java.io.Serializable {
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check whether the caller has permission to get
|
|
||||||
// credentials of Class c
|
|
||||||
|
|
||||||
while (iterator.hasNext()) {
|
while (iterator.hasNext()) {
|
||||||
Object next;
|
Object next = iterator.next();
|
||||||
if (which == Subject.PRIV_CREDENTIAL_SET) {
|
|
||||||
next = java.security.AccessController.doPrivileged
|
|
||||||
(new java.security.PrivilegedAction<>() {
|
|
||||||
public Object run() {
|
|
||||||
return iterator.next();
|
|
||||||
}
|
|
||||||
});
|
|
||||||
} else {
|
|
||||||
next = iterator.next();
|
|
||||||
}
|
|
||||||
if (c.isAssignableFrom(next.getClass())) {
|
if (c.isAssignableFrom(next.getClass())) {
|
||||||
if (which != Subject.PRIV_CREDENTIAL_SET) {
|
set.add((T)next);
|
||||||
set.add((T)next);
|
|
||||||
} else {
|
|
||||||
// Check permission for private creds
|
|
||||||
SecurityManager sm = System.getSecurityManager();
|
|
||||||
if (sm != null) {
|
|
||||||
sm.checkPermission(new PrivateCredentialPermission
|
|
||||||
(next.getClass().getName(),
|
|
||||||
Subject.this.getPrincipals()));
|
|
||||||
}
|
|
||||||
set.add((T)next);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1560,27 +1319,4 @@ public final class Subject implements java.io.Serializable {
|
|||||||
return set.add(o);
|
return set.add(o);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
static final class AuthPermissionHolder {
|
|
||||||
static final AuthPermission DO_AS_PERMISSION =
|
|
||||||
new AuthPermission("doAs");
|
|
||||||
|
|
||||||
static final AuthPermission DO_AS_PRIVILEGED_PERMISSION =
|
|
||||||
new AuthPermission("doAsPrivileged");
|
|
||||||
|
|
||||||
static final AuthPermission SET_READ_ONLY_PERMISSION =
|
|
||||||
new AuthPermission("setReadOnly");
|
|
||||||
|
|
||||||
static final AuthPermission GET_SUBJECT_PERMISSION =
|
|
||||||
new AuthPermission("getSubject");
|
|
||||||
|
|
||||||
static final AuthPermission MODIFY_PRINCIPALS_PERMISSION =
|
|
||||||
new AuthPermission("modifyPrincipals");
|
|
||||||
|
|
||||||
static final AuthPermission MODIFY_PUBLIC_CREDENTIALS_PERMISSION =
|
|
||||||
new AuthPermission("modifyPublicCredentials");
|
|
||||||
|
|
||||||
static final AuthPermission MODIFY_PRIVATE_CREDENTIALS_PERMISSION =
|
|
||||||
new AuthPermission("modifyPrivateCredentials");
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
@ -25,9 +25,7 @@
|
|||||||
|
|
||||||
package javax.security.auth;
|
package javax.security.auth;
|
||||||
|
|
||||||
import java.security.AccessController;
|
|
||||||
import java.security.Principal;
|
import java.security.Principal;
|
||||||
import java.security.PrivilegedAction;
|
|
||||||
import java.security.ProtectionDomain;
|
import java.security.ProtectionDomain;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
import java.util.WeakHashMap;
|
import java.util.WeakHashMap;
|
||||||
@ -84,11 +82,6 @@ public class SubjectDomainCombiner implements java.security.DomainCombiner {
|
|||||||
* {@code SubjectDomainCombiner}.
|
* {@code SubjectDomainCombiner}.
|
||||||
*/
|
*/
|
||||||
public Subject getSubject() {
|
public Subject getSubject() {
|
||||||
java.lang.SecurityManager sm = System.getSecurityManager();
|
|
||||||
if (sm != null) {
|
|
||||||
sm.checkPermission(new AuthPermission
|
|
||||||
("getSubjectFromDomainCombiner"));
|
|
||||||
}
|
|
||||||
return subject;
|
return subject;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -144,14 +137,7 @@ public class SubjectDomainCombiner implements java.security.DomainCombiner {
|
|||||||
if (subject == null) {
|
if (subject == null) {
|
||||||
debug.println("null subject");
|
debug.println("null subject");
|
||||||
} else {
|
} else {
|
||||||
final Subject s = subject;
|
debug.println(subject.toString());
|
||||||
AccessController.doPrivileged
|
|
||||||
(new java.security.PrivilegedAction<Void>() {
|
|
||||||
public Void run() {
|
|
||||||
debug.println(s.toString());
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
}
|
||||||
printInputDomains(currentDomains, assignedDomains);
|
printInputDomains(currentDomains, assignedDomains);
|
||||||
}
|
}
|
||||||
@ -349,11 +335,7 @@ public class SubjectDomainCombiner implements java.security.DomainCombiner {
|
|||||||
if (pd == null) {
|
if (pd == null) {
|
||||||
return "null";
|
return "null";
|
||||||
}
|
}
|
||||||
return AccessController.doPrivileged(new PrivilegedAction<String>() {
|
return pd.toString();
|
||||||
public String run() {
|
|
||||||
return pd.toString();
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -25,12 +25,6 @@
|
|||||||
|
|
||||||
package javax.security.auth.login;
|
package javax.security.auth.login;
|
||||||
|
|
||||||
import javax.security.auth.AuthPermission;
|
|
||||||
|
|
||||||
import java.security.AccessController;
|
|
||||||
import java.security.PrivilegedAction;
|
|
||||||
import java.security.PrivilegedExceptionAction;
|
|
||||||
import java.security.PrivilegedActionException;
|
|
||||||
import java.security.NoSuchAlgorithmException;
|
import java.security.NoSuchAlgorithmException;
|
||||||
import java.security.NoSuchProviderException;
|
import java.security.NoSuchProviderException;
|
||||||
import java.security.Provider;
|
import java.security.Provider;
|
||||||
@ -190,19 +184,6 @@ public abstract class Configuration {
|
|||||||
|
|
||||||
private static Configuration configuration;
|
private static Configuration configuration;
|
||||||
|
|
||||||
@SuppressWarnings("removal")
|
|
||||||
private final java.security.AccessControlContext acc =
|
|
||||||
java.security.AccessController.getContext();
|
|
||||||
|
|
||||||
private static void checkPermission(String type) {
|
|
||||||
@SuppressWarnings("removal")
|
|
||||||
SecurityManager sm = System.getSecurityManager();
|
|
||||||
if (sm != null) {
|
|
||||||
sm.checkPermission(new AuthPermission
|
|
||||||
("createLoginConfiguration." + type));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Sole constructor. (For invocation by subclass constructors, typically
|
* Sole constructor. (For invocation by subclass constructors, typically
|
||||||
* implicit.)
|
* implicit.)
|
||||||
@ -219,64 +200,29 @@ public abstract class Configuration {
|
|||||||
*
|
*
|
||||||
* @see #setConfiguration
|
* @see #setConfiguration
|
||||||
*/
|
*/
|
||||||
@SuppressWarnings("removal")
|
|
||||||
public static Configuration getConfiguration() {
|
public static Configuration getConfiguration() {
|
||||||
|
|
||||||
SecurityManager sm = System.getSecurityManager();
|
|
||||||
if (sm != null)
|
|
||||||
sm.checkPermission(new AuthPermission("getLoginConfiguration"));
|
|
||||||
|
|
||||||
synchronized (Configuration.class) {
|
synchronized (Configuration.class) {
|
||||||
if (configuration == null) {
|
if (configuration == null) {
|
||||||
String config_class = null;
|
String config_class = Security.getProperty
|
||||||
config_class = AccessController.doPrivileged
|
("login.configuration.provider");
|
||||||
(new PrivilegedAction<>() {
|
|
||||||
public String run() {
|
|
||||||
return java.security.Security.getProperty
|
|
||||||
("login.configuration.provider");
|
|
||||||
}
|
|
||||||
});
|
|
||||||
if (config_class == null) {
|
if (config_class == null) {
|
||||||
config_class = "sun.security.provider.ConfigFile";
|
config_class = "sun.security.provider.ConfigFile";
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
final String finalClass = config_class;
|
Class<? extends Configuration> implClass = Class.forName(
|
||||||
Configuration untrustedImpl = AccessController.doPrivileged(
|
config_class, false,
|
||||||
new PrivilegedExceptionAction<>() {
|
Thread.currentThread().getContextClassLoader()
|
||||||
public Configuration run() throws ClassNotFoundException,
|
).asSubclass(Configuration.class);
|
||||||
InstantiationException,
|
@SuppressWarnings("deprecation")
|
||||||
IllegalAccessException {
|
Configuration result = implClass.newInstance();
|
||||||
Class<? extends Configuration> implClass = Class.forName(
|
setConfiguration(result);
|
||||||
finalClass, false,
|
} catch (ReflectiveOperationException e) {
|
||||||
Thread.currentThread().getContextClassLoader()
|
throw new SecurityException
|
||||||
).asSubclass(Configuration.class);
|
("Configuration error: " +
|
||||||
@SuppressWarnings("deprecation")
|
e.toString() +
|
||||||
Configuration result = implClass.newInstance();
|
"\n", e);
|
||||||
return result;
|
|
||||||
}
|
|
||||||
});
|
|
||||||
AccessController.doPrivileged(
|
|
||||||
new PrivilegedExceptionAction<>() {
|
|
||||||
public Void run() {
|
|
||||||
setConfiguration(untrustedImpl);
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
}, Objects.requireNonNull(untrustedImpl.acc)
|
|
||||||
);
|
|
||||||
} catch (PrivilegedActionException e) {
|
|
||||||
Exception ee = e.getException();
|
|
||||||
if (ee instanceof InstantiationException) {
|
|
||||||
throw new SecurityException
|
|
||||||
("Configuration error:" +
|
|
||||||
ee.getCause().getMessage() +
|
|
||||||
"\n", ee.getCause());
|
|
||||||
} else {
|
|
||||||
throw new SecurityException
|
|
||||||
("Configuration error: " +
|
|
||||||
ee.toString() +
|
|
||||||
"\n", ee);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return configuration;
|
return configuration;
|
||||||
@ -291,10 +237,6 @@ public abstract class Configuration {
|
|||||||
* @see #getConfiguration
|
* @see #getConfiguration
|
||||||
*/
|
*/
|
||||||
public static void setConfiguration(Configuration configuration) {
|
public static void setConfiguration(Configuration configuration) {
|
||||||
@SuppressWarnings("removal")
|
|
||||||
SecurityManager sm = System.getSecurityManager();
|
|
||||||
if (sm != null)
|
|
||||||
sm.checkPermission(new AuthPermission("setLoginConfiguration"));
|
|
||||||
Configuration.configuration = configuration;
|
Configuration.configuration = configuration;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -346,7 +288,6 @@ public abstract class Configuration {
|
|||||||
throws NoSuchAlgorithmException {
|
throws NoSuchAlgorithmException {
|
||||||
|
|
||||||
Objects.requireNonNull(type, "null type name");
|
Objects.requireNonNull(type, "null type name");
|
||||||
checkPermission(type);
|
|
||||||
try {
|
try {
|
||||||
GetInstance.Instance instance = GetInstance.getInstance
|
GetInstance.Instance instance = GetInstance.getInstance
|
||||||
("Configuration",
|
("Configuration",
|
||||||
@ -412,7 +353,6 @@ public abstract class Configuration {
|
|||||||
throw new IllegalArgumentException("missing provider");
|
throw new IllegalArgumentException("missing provider");
|
||||||
}
|
}
|
||||||
|
|
||||||
checkPermission(type);
|
|
||||||
try {
|
try {
|
||||||
GetInstance.Instance instance = GetInstance.getInstance
|
GetInstance.Instance instance = GetInstance.getInstance
|
||||||
("Configuration",
|
("Configuration",
|
||||||
@ -473,7 +413,6 @@ public abstract class Configuration {
|
|||||||
throw new IllegalArgumentException("missing provider");
|
throw new IllegalArgumentException("missing provider");
|
||||||
}
|
}
|
||||||
|
|
||||||
checkPermission(type);
|
|
||||||
try {
|
try {
|
||||||
GetInstance.Instance instance = GetInstance.getInstance
|
GetInstance.Instance instance = GetInstance.getInstance
|
||||||
("Configuration",
|
("Configuration",
|
||||||
|
@ -25,16 +25,13 @@
|
|||||||
|
|
||||||
package javax.security.auth.login;
|
package javax.security.auth.login;
|
||||||
|
|
||||||
import java.security.AccessController;
|
|
||||||
import java.security.PrivilegedAction;
|
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
|
import java.security.Security;
|
||||||
import java.text.MessageFormat;
|
import java.text.MessageFormat;
|
||||||
import javax.security.auth.Subject;
|
import javax.security.auth.Subject;
|
||||||
import javax.security.auth.AuthPermission;
|
|
||||||
import javax.security.auth.callback.*;
|
import javax.security.auth.callback.*;
|
||||||
import javax.security.auth.spi.LoginModule;
|
import javax.security.auth.spi.LoginModule;
|
||||||
import java.security.AccessControlContext;
|
|
||||||
import java.util.ServiceLoader;
|
import java.util.ServiceLoader;
|
||||||
|
|
||||||
import sun.security.util.PendingException;
|
import sun.security.util.PendingException;
|
||||||
@ -182,8 +179,6 @@ public class LoginContext {
|
|||||||
private final Map<String,?> state = new HashMap<>();
|
private final Map<String,?> state = new HashMap<>();
|
||||||
|
|
||||||
private Configuration config;
|
private Configuration config;
|
||||||
@SuppressWarnings("removal")
|
|
||||||
private AccessControlContext creatorAcc = null; // customized config only
|
|
||||||
private ModuleInfo[] moduleStack;
|
private ModuleInfo[] moduleStack;
|
||||||
private ClassLoader contextClassLoader = null;
|
private ClassLoader contextClassLoader = null;
|
||||||
|
|
||||||
@ -200,38 +195,21 @@ public class LoginContext {
|
|||||||
private static final WeakHashMap<ClassLoader, Set<Provider<LoginModule>>> providersCache =
|
private static final WeakHashMap<ClassLoader, Set<Provider<LoginModule>>> providersCache =
|
||||||
new WeakHashMap<>();
|
new WeakHashMap<>();
|
||||||
|
|
||||||
@SuppressWarnings("removal")
|
|
||||||
private void init(String name) throws LoginException {
|
private void init(String name) throws LoginException {
|
||||||
|
|
||||||
SecurityManager sm = System.getSecurityManager();
|
|
||||||
if (sm != null && creatorAcc == null) {
|
|
||||||
sm.checkPermission(new AuthPermission
|
|
||||||
("createLoginContext." + name));
|
|
||||||
}
|
|
||||||
|
|
||||||
if (name == null)
|
if (name == null)
|
||||||
throw new LoginException
|
throw new LoginException
|
||||||
(ResourcesMgr.getString("Invalid.null.input.name"));
|
(ResourcesMgr.getString("Invalid.null.input.name"));
|
||||||
|
|
||||||
// get the Configuration
|
// get the Configuration
|
||||||
if (config == null) {
|
if (config == null) {
|
||||||
config = java.security.AccessController.doPrivileged
|
config = Configuration.getConfiguration();
|
||||||
(new java.security.PrivilegedAction<Configuration>() {
|
|
||||||
public Configuration run() {
|
|
||||||
return Configuration.getConfiguration();
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// get the LoginModules configured for this application
|
// get the LoginModules configured for this application
|
||||||
AppConfigurationEntry[] entries = config.getAppConfigurationEntry(name);
|
AppConfigurationEntry[] entries = config.getAppConfigurationEntry(name);
|
||||||
if (entries == null) {
|
if (entries == null) {
|
||||||
|
|
||||||
if (sm != null && creatorAcc == null) {
|
|
||||||
sm.checkPermission(new AuthPermission
|
|
||||||
("createLoginContext." + OTHER));
|
|
||||||
}
|
|
||||||
|
|
||||||
entries = config.getAppConfigurationEntry(OTHER);
|
entries = config.getAppConfigurationEntry(OTHER);
|
||||||
if (entries == null) {
|
if (entries == null) {
|
||||||
MessageFormat form = new MessageFormat(ResourcesMgr.getString
|
MessageFormat form = new MessageFormat(ResourcesMgr.getString
|
||||||
@ -251,55 +229,30 @@ public class LoginContext {
|
|||||||
null);
|
null);
|
||||||
}
|
}
|
||||||
|
|
||||||
contextClassLoader = java.security.AccessController.doPrivileged
|
ClassLoader loader = Thread.currentThread().getContextClassLoader();
|
||||||
(new java.security.PrivilegedAction<ClassLoader>() {
|
if (loader == null) {
|
||||||
public ClassLoader run() {
|
loader = ClassLoader.getSystemClassLoader();
|
||||||
ClassLoader loader =
|
}
|
||||||
Thread.currentThread().getContextClassLoader();
|
contextClassLoader = loader;
|
||||||
if (loader == null) {
|
|
||||||
// Don't use bootstrap class loader directly to ensure
|
|
||||||
// proper package access control!
|
|
||||||
loader = ClassLoader.getSystemClassLoader();
|
|
||||||
}
|
|
||||||
|
|
||||||
return loader;
|
|
||||||
}
|
|
||||||
});
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("removal")
|
@SuppressWarnings("deprecation")
|
||||||
private void loadDefaultCallbackHandler() throws LoginException {
|
private void loadDefaultCallbackHandler() throws LoginException {
|
||||||
|
|
||||||
// get the default handler class
|
// get the default handler class
|
||||||
try {
|
try {
|
||||||
|
String defaultHandler = Security.getProperty(DEFAULT_HANDLER);
|
||||||
final ClassLoader finalLoader = contextClassLoader;
|
if (defaultHandler == null || defaultHandler.isEmpty()) {
|
||||||
|
this.callbackHandler = null;
|
||||||
this.callbackHandler = java.security.AccessController.doPrivileged(
|
} else {
|
||||||
new java.security.PrivilegedExceptionAction<CallbackHandler>() {
|
Class<? extends CallbackHandler> c = Class.forName(
|
||||||
public CallbackHandler run() throws Exception {
|
defaultHandler, true,
|
||||||
String defaultHandler = java.security.Security.getProperty
|
contextClassLoader).asSubclass(CallbackHandler.class);
|
||||||
(DEFAULT_HANDLER);
|
this.callbackHandler = (CallbackHandler) c.newInstance();
|
||||||
if (defaultHandler == null || defaultHandler.isEmpty())
|
}
|
||||||
return null;
|
} catch (ReflectiveOperationException e) {
|
||||||
Class<? extends CallbackHandler> c = Class.forName(
|
throw new LoginException(e.toString());
|
||||||
defaultHandler, true,
|
|
||||||
finalLoader).asSubclass(CallbackHandler.class);
|
|
||||||
@SuppressWarnings("deprecation")
|
|
||||||
CallbackHandler result = c.newInstance();
|
|
||||||
return result;
|
|
||||||
}
|
|
||||||
});
|
|
||||||
} catch (java.security.PrivilegedActionException pae) {
|
|
||||||
throw new LoginException(pae.getException().toString());
|
|
||||||
}
|
|
||||||
|
|
||||||
// secure it with the caller's ACC
|
|
||||||
if (this.callbackHandler != null && creatorAcc == null) {
|
|
||||||
this.callbackHandler = new SecureCallbackHandler
|
|
||||||
(java.security.AccessController.getContext(),
|
|
||||||
this.callbackHandler);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -367,16 +320,13 @@ public class LoginContext {
|
|||||||
* for "{@code other}", or if the caller-specified
|
* for "{@code other}", or if the caller-specified
|
||||||
* {@code callbackHandler} is {@code null}.
|
* {@code callbackHandler} is {@code null}.
|
||||||
*/
|
*/
|
||||||
@SuppressWarnings("removal")
|
|
||||||
public LoginContext(String name, CallbackHandler callbackHandler)
|
public LoginContext(String name, CallbackHandler callbackHandler)
|
||||||
throws LoginException {
|
throws LoginException {
|
||||||
init(name);
|
init(name);
|
||||||
if (callbackHandler == null)
|
if (callbackHandler == null)
|
||||||
throw new LoginException(ResourcesMgr.getString
|
throw new LoginException(ResourcesMgr.getString
|
||||||
("invalid.null.CallbackHandler.provided"));
|
("invalid.null.CallbackHandler.provided"));
|
||||||
this.callbackHandler = new SecureCallbackHandler
|
this.callbackHandler = callbackHandler;
|
||||||
(java.security.AccessController.getContext(),
|
|
||||||
callbackHandler);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -400,16 +350,13 @@ public class LoginContext {
|
|||||||
* or if the caller-specified
|
* or if the caller-specified
|
||||||
* {@code callbackHandler} is {@code null}.
|
* {@code callbackHandler} is {@code null}.
|
||||||
*/
|
*/
|
||||||
@SuppressWarnings("removal")
|
|
||||||
public LoginContext(String name, Subject subject,
|
public LoginContext(String name, Subject subject,
|
||||||
CallbackHandler callbackHandler) throws LoginException {
|
CallbackHandler callbackHandler) throws LoginException {
|
||||||
this(name, subject);
|
this(name, subject);
|
||||||
if (callbackHandler == null)
|
if (callbackHandler == null)
|
||||||
throw new LoginException(ResourcesMgr.getString
|
throw new LoginException(ResourcesMgr.getString
|
||||||
("invalid.null.CallbackHandler.provided"));
|
("invalid.null.CallbackHandler.provided"));
|
||||||
this.callbackHandler = new SecureCallbackHandler
|
this.callbackHandler = callbackHandler;
|
||||||
(java.security.AccessController.getContext(),
|
|
||||||
callbackHandler);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -437,14 +384,10 @@ public class LoginContext {
|
|||||||
*
|
*
|
||||||
* @since 1.5
|
* @since 1.5
|
||||||
*/
|
*/
|
||||||
@SuppressWarnings("removal")
|
|
||||||
public LoginContext(String name, Subject subject,
|
public LoginContext(String name, Subject subject,
|
||||||
CallbackHandler callbackHandler,
|
CallbackHandler callbackHandler,
|
||||||
Configuration config) throws LoginException {
|
Configuration config) throws LoginException {
|
||||||
this.config = config;
|
this.config = config;
|
||||||
if (config != null) {
|
|
||||||
creatorAcc = java.security.AccessController.getContext();
|
|
||||||
}
|
|
||||||
|
|
||||||
init(name);
|
init(name);
|
||||||
if (subject != null) {
|
if (subject != null) {
|
||||||
@ -453,10 +396,6 @@ public class LoginContext {
|
|||||||
}
|
}
|
||||||
if (callbackHandler == null) {
|
if (callbackHandler == null) {
|
||||||
loadDefaultCallbackHandler();
|
loadDefaultCallbackHandler();
|
||||||
} else if (creatorAcc == null) {
|
|
||||||
this.callbackHandler = new SecureCallbackHandler
|
|
||||||
(java.security.AccessController.getContext(),
|
|
||||||
callbackHandler);
|
|
||||||
} else {
|
} else {
|
||||||
this.callbackHandler = callbackHandler;
|
this.callbackHandler = callbackHandler;
|
||||||
}
|
}
|
||||||
@ -518,13 +457,12 @@ public class LoginContext {
|
|||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
// module invoked in doPrivileged
|
invoke(LOGIN_METHOD);
|
||||||
invokePriv(LOGIN_METHOD);
|
invoke(COMMIT_METHOD);
|
||||||
invokePriv(COMMIT_METHOD);
|
|
||||||
loginSucceeded = true;
|
loginSucceeded = true;
|
||||||
} catch (LoginException le) {
|
} catch (LoginException le) {
|
||||||
try {
|
try {
|
||||||
invokePriv(ABORT_METHOD);
|
invoke(ABORT_METHOD);
|
||||||
} catch (LoginException le2) {
|
} catch (LoginException le2) {
|
||||||
throw le;
|
throw le;
|
||||||
}
|
}
|
||||||
@ -557,8 +495,7 @@ public class LoginContext {
|
|||||||
("null.subject.logout.called.before.login"));
|
("null.subject.logout.called.before.login"));
|
||||||
}
|
}
|
||||||
|
|
||||||
// module invoked in doPrivileged
|
invoke(LOGOUT_METHOD);
|
||||||
invokePriv(LOGOUT_METHOD);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -597,28 +534,8 @@ public class LoginContext {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Invokes the login, commit, and logout methods
|
* Invokes the login, commit, and logout methods from a LoginModule.
|
||||||
* from a LoginModule inside a doPrivileged block restricted
|
|
||||||
* by creatorAcc (may be null).
|
|
||||||
*
|
|
||||||
* This version is called if the caller did not instantiate
|
|
||||||
* the LoginContext with a Configuration object.
|
|
||||||
*/
|
*/
|
||||||
@SuppressWarnings("removal")
|
|
||||||
private void invokePriv(final String methodName) throws LoginException {
|
|
||||||
try {
|
|
||||||
java.security.AccessController.doPrivileged
|
|
||||||
(new java.security.PrivilegedExceptionAction<Void>() {
|
|
||||||
public Void run() throws LoginException {
|
|
||||||
invoke(methodName);
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
}, creatorAcc);
|
|
||||||
} catch (java.security.PrivilegedActionException pae) {
|
|
||||||
throw (LoginException)pae.getException();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
private void invoke(String methodName) throws LoginException {
|
private void invoke(String methodName) throws LoginException {
|
||||||
|
|
||||||
// start at moduleIndex
|
// start at moduleIndex
|
||||||
@ -639,11 +556,8 @@ public class LoginContext {
|
|||||||
if (debug != null){
|
if (debug != null){
|
||||||
debug.println("Build ServiceProviders cache for ClassLoader: " + contextClassLoader.getName());
|
debug.println("Build ServiceProviders cache for ClassLoader: " + contextClassLoader.getName());
|
||||||
}
|
}
|
||||||
@SuppressWarnings("removal")
|
ServiceLoader<LoginModule> sc = ServiceLoader.load(
|
||||||
ServiceLoader<LoginModule> sc = AccessController.doPrivileged(
|
LoginModule.class, contextClassLoader);
|
||||||
(PrivilegedAction<ServiceLoader<LoginModule>>)
|
|
||||||
() -> java.util.ServiceLoader.load(
|
|
||||||
LoginModule.class, contextClassLoader));
|
|
||||||
lmProviders = sc.stream().collect(Collectors.toSet());
|
lmProviders = sc.stream().collect(Collectors.toSet());
|
||||||
if (debug != null){
|
if (debug != null){
|
||||||
debug.println("Discovered ServiceProviders for ClassLoader: " + contextClassLoader.getName());
|
debug.println("Discovered ServiceProviders for ClassLoader: " + contextClassLoader.getName());
|
||||||
@ -841,45 +755,6 @@ public class LoginContext {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Wrap the caller-specified CallbackHandler in our own
|
|
||||||
* and invoke it within a privileged block, constrained by
|
|
||||||
* the caller's AccessControlContext.
|
|
||||||
*/
|
|
||||||
private static class SecureCallbackHandler implements CallbackHandler {
|
|
||||||
|
|
||||||
@SuppressWarnings("removal")
|
|
||||||
private final java.security.AccessControlContext acc;
|
|
||||||
private final CallbackHandler ch;
|
|
||||||
|
|
||||||
SecureCallbackHandler(@SuppressWarnings("removal") java.security.AccessControlContext acc,
|
|
||||||
CallbackHandler ch) {
|
|
||||||
this.acc = acc;
|
|
||||||
this.ch = ch;
|
|
||||||
}
|
|
||||||
|
|
||||||
@SuppressWarnings("removal")
|
|
||||||
public void handle(final Callback[] callbacks)
|
|
||||||
throws java.io.IOException, UnsupportedCallbackException {
|
|
||||||
try {
|
|
||||||
java.security.AccessController.doPrivileged
|
|
||||||
(new java.security.PrivilegedExceptionAction<Void>() {
|
|
||||||
public Void run() throws java.io.IOException,
|
|
||||||
UnsupportedCallbackException {
|
|
||||||
ch.handle(callbacks);
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
}, acc);
|
|
||||||
} catch (java.security.PrivilegedActionException pae) {
|
|
||||||
if (pae.getException() instanceof java.io.IOException) {
|
|
||||||
throw (java.io.IOException)pae.getException();
|
|
||||||
} else {
|
|
||||||
throw (UnsupportedCallbackException)pae.getException();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* LoginModule information -
|
* LoginModule information -
|
||||||
* encapsulates Configuration info and actual module instances
|
* encapsulates Configuration info and actual module instances
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 1997, 2022, Oracle and/or its affiliates. All rights reserved.
|
* Copyright (c) 1997, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
*
|
*
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
@ -30,9 +30,7 @@ import java.io.InputStream;
|
|||||||
import java.lang.reflect.Constructor;
|
import java.lang.reflect.Constructor;
|
||||||
import java.lang.reflect.InvocationTargetException;
|
import java.lang.reflect.InvocationTargetException;
|
||||||
import java.math.BigInteger;
|
import java.math.BigInteger;
|
||||||
import java.security.AccessController;
|
|
||||||
import java.security.Principal;
|
import java.security.Principal;
|
||||||
import java.security.PrivilegedAction;
|
|
||||||
import java.security.Security;
|
import java.security.Security;
|
||||||
import java.util.Date;
|
import java.util.Date;
|
||||||
|
|
||||||
@ -140,17 +138,7 @@ public abstract class X509Certificate extends Certificate {
|
|||||||
* </pre>
|
* </pre>
|
||||||
*/
|
*/
|
||||||
private static final String X509_PROVIDER = "cert.provider.x509v1";
|
private static final String X509_PROVIDER = "cert.provider.x509v1";
|
||||||
private static String X509Provider;
|
private static String X509Provider = Security.getProperty(X509_PROVIDER);
|
||||||
|
|
||||||
static {
|
|
||||||
X509Provider = AccessController.doPrivileged(
|
|
||||||
new PrivilegedAction<>() {
|
|
||||||
public String run() {
|
|
||||||
return Security.getProperty(X509_PROVIDER);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Instantiates an X509Certificate object, and initializes it with
|
* Instantiates an X509Certificate object, and initializes it with
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved.
|
* Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
*
|
*
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
@ -21,7 +21,7 @@
|
|||||||
* questions.
|
* questions.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import java.security.*;
|
import java.security.URIParameter;
|
||||||
import javax.security.auth.login.*;
|
import javax.security.auth.login.*;
|
||||||
import com.sun.security.auth.login.*;
|
import com.sun.security.auth.login.*;
|
||||||
|
|
||||||
@ -31,16 +31,11 @@ public class GetInstanceConfigSpi extends ConfigurationSpi {
|
|||||||
|
|
||||||
public GetInstanceConfigSpi(final Configuration.Parameters params) {
|
public GetInstanceConfigSpi(final Configuration.Parameters params) {
|
||||||
|
|
||||||
c = AccessController.doPrivileged
|
if (params instanceof URIParameter uriParam) {
|
||||||
(new PrivilegedAction<Configuration>() {
|
c = new ConfigFile(uriParam.getURI());
|
||||||
public Configuration run() {
|
} else {
|
||||||
if (params instanceof URIParameter) {
|
c = new ConfigFile();
|
||||||
URIParameter uriParam = (URIParameter)params;
|
}
|
||||||
return new ConfigFile(uriParam.getURI());
|
|
||||||
}
|
|
||||||
return new ConfigFile();
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public AppConfigurationEntry[] engineGetAppConfigurationEntry(String name) {
|
public AppConfigurationEntry[] engineGetAppConfigurationEntry(String name) {
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
|
* Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
*
|
*
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
@ -21,7 +21,7 @@
|
|||||||
* questions.
|
* questions.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import java.security.*;
|
import java.security.Provider;
|
||||||
|
|
||||||
public class GetInstanceProvider extends Provider {
|
public class GetInstanceProvider extends Provider {
|
||||||
|
|
||||||
@ -30,12 +30,6 @@ public class GetInstanceProvider extends Provider {
|
|||||||
"1",
|
"1",
|
||||||
"GetInstanceProvider: Configuration.GetInstanceConfigSpi");
|
"GetInstanceProvider: Configuration.GetInstanceConfigSpi");
|
||||||
|
|
||||||
AccessController.doPrivileged(new PrivilegedAction() {
|
put("Configuration.GetInstanceConfigSpi", "GetInstanceConfigSpi");
|
||||||
public Object run() {
|
|
||||||
put("Configuration.GetInstanceConfigSpi",
|
|
||||||
"GetInstanceConfigSpi");
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -31,12 +31,6 @@
|
|||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/**
|
|
||||||
* This test shares the login config with ConfigConstructorNoPerm.
|
|
||||||
* This test has all necessary permissions configured in the policy
|
|
||||||
* (ConfigConstructorNoPerm has no perms and checks for SecurityExceptions).
|
|
||||||
*/
|
|
||||||
|
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import javax.security.auth.Subject;
|
import javax.security.auth.Subject;
|
||||||
import javax.security.auth.login.AppConfigurationEntry;
|
import javax.security.auth.login.AppConfigurationEntry;
|
||||||
@ -209,8 +203,7 @@ public class ConfigConstructor {
|
|||||||
public void initialize(Subject s, CallbackHandler ch,
|
public void initialize(Subject s, CallbackHandler ch,
|
||||||
Map<String,?> state, Map<String,?> options) {
|
Map<String,?> state, Map<String,?> options) {
|
||||||
if (s != ConfigConstructor.s ||
|
if (s != ConfigConstructor.s ||
|
||||||
ch == null ||
|
ch == null) {
|
||||||
ch == ConfigConstructor.ch) {
|
|
||||||
throw new SecurityException("Module 3 failed");
|
throw new SecurityException("Module 3 failed");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
|
* Copyright (c) 2015, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
*
|
*
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
@ -287,15 +287,9 @@ public class LCTest {
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
userPrincipal = new UnixPrincipal(username);
|
userPrincipal = new UnixPrincipal(username);
|
||||||
final Subject s = subject;
|
if (!subject.getPrincipals().contains(userPrincipal)) {
|
||||||
final UnixPrincipal up = userPrincipal;
|
subject.getPrincipals().add(userPrincipal);
|
||||||
java.security.AccessController.doPrivileged
|
}
|
||||||
((java.security.PrivilegedAction) () -> {
|
|
||||||
if (!s.getPrincipals().contains(up)) {
|
|
||||||
s.getPrincipals().add(up);
|
|
||||||
}
|
|
||||||
return null;
|
|
||||||
});
|
|
||||||
password = null;
|
password = null;
|
||||||
commitSucceeded = true;
|
commitSucceeded = true;
|
||||||
return true;
|
return true;
|
||||||
@ -320,13 +314,7 @@ public class LCTest {
|
|||||||
|
|
||||||
private void clearState() {
|
private void clearState() {
|
||||||
if (commitSucceeded) {
|
if (commitSucceeded) {
|
||||||
final Subject s = subject;
|
subject.getPrincipals().remove(userPrincipal);
|
||||||
final UnixPrincipal up = userPrincipal;
|
|
||||||
java.security.AccessController.doPrivileged
|
|
||||||
((java.security.PrivilegedAction) () -> {
|
|
||||||
s.getPrincipals().remove(up);
|
|
||||||
return null;
|
|
||||||
});
|
|
||||||
}
|
}
|
||||||
username = null;
|
username = null;
|
||||||
password = null;
|
password = null;
|
||||||
|
Loading…
x
Reference in New Issue
Block a user