8030655: Regression: 14_01 Security fix 8024306 causes test failures

Reviewed-by: mullan, xuelei, ahgross
2014-01-15 11:23:07 +08:00 · 2014-01-15 11:23:07 +08:00 · b98404d258
commit b98404d258
parent 4e372752a0
1 changed files with 19 additions and 3 deletions
--- a/jdk/src/share/classes/javax/security/auth/Subject.java
+++ b/jdk/src/share/classes/javax/security/auth/Subject.java
@ -959,14 +959,30 @@ public final class Subject implements java.io.Serializable {
    /**
     * Reads this object from a stream (i.e., deserializes it)
     */
+    @SuppressWarnings("unchecked")
    private void readObject(java.io.ObjectInputStream s)
                throws java.io.IOException, ClassNotFoundException {

-        s.defaultReadObject();
+        ObjectInputStream.GetField gf = s.readFields();
+
+        readOnly = gf.get("readOnly", false);
+
+        Set<Principal> inputPrincs = (Set<Principal>)gf.get("principals", null);

        // Rewrap the principals into a SecureSet
+        if (inputPrincs == null) {
+            throw new NullPointerException
+                (ResourcesMgr.getString("invalid.null.input.s."));
+        }
+        try {
            principals = Collections.synchronizedSet(new SecureSet<Principal>
-                                (this, PRINCIPAL_SET, principals));
+                                (this, PRINCIPAL_SET, inputPrincs));
+        } catch (NullPointerException npe) {
+            // Sometimes people deserialize the principals set only.
+            // Subject is not accessible, so just don't fail.
+            principals = Collections.synchronizedSet
+                        (new SecureSet<Principal>(this, PRINCIPAL_SET));
+        }

        // The Credential {@code Set} is not serialized, but we do not
        // want the default deserialization routine to set it to null.