
src/java.base/share/classes/javax/security/auth/SubjectDomainCombiner.java

rev 48948 : 8191139: Remove deprecated javax.security.auth.Policy API

*** 1,7 **** /* ! * Copyright (c) 1999, 2016, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this --- 1,7 ---- /* ! * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this
*** 24,40 **** */ package javax.security.auth; import java.security.AccessController; - import java.security.Permission; - import java.security.Permissions; - import java.security.PermissionCollection; import java.security.Principal; import java.security.PrivilegedAction; import java.security.ProtectionDomain; - import java.security.Security; import java.util.Set; import java.util.WeakHashMap; import java.lang.ref.WeakReference; /** --- 24,36 ----
*** 54,72 **** private static final sun.security.util.Debug debug = sun.security.util.Debug.getInstance("combiner", "\t[SubjectDomainCombiner]"); - @SuppressWarnings({"deprecation", "removal"}) - // Note: check only at classloading time, not dynamically during combine() - private static final boolean useJavaxPolicy = - javax.security.auth.Policy.isCustomPolicySet(debug); - - // Relevant only when useJavaxPolicy is true - private static final boolean allowCaching = - (useJavaxPolicy && cachePolicy()); - /** * Associate the provided {@code Subject} with this * {@code SubjectDomainCombiner}. * * @param subject the {@code Subject} to be associated with --- 50,59 ----
*** 194,209 **** if (currentDomains == null && assignedDomains == null) { return null; } - // maintain backwards compatibility for developers who provide - // their own custom javax.security.auth.Policy implementations - if (useJavaxPolicy) { - return combineJavaxPolicy(currentDomains, assignedDomains); - } - int cLen = (currentDomains == null ? 0 : currentDomains.length); int aLen = (assignedDomains == null ? 0 : assignedDomains.length); // the ProtectionDomains for the new AccessControlContext // that we will return --- 181,190 ----
*** 290,444 **** } else { return newDomains; } } - /** - * Use the javax.security.auth.Policy implementation - */ - private ProtectionDomain[] combineJavaxPolicy( - ProtectionDomain[] currentDomains, - ProtectionDomain[] assignedDomains) { - - if (!allowCaching) { - java.security.AccessController.doPrivileged - (new PrivilegedAction<Void>() { - @SuppressWarnings({"deprecation", "removal"}) - public Void run() { - // Call refresh only caching is disallowed - javax.security.auth.Policy.getPolicy().refresh(); - return null; - } - }); - } - - - int cLen = (currentDomains == null ? 0 : currentDomains.length); - int aLen = (assignedDomains == null ? 0 : assignedDomains.length); - - // the ProtectionDomains for the new AccessControlContext - // that we will return - ProtectionDomain[] newDomains = new ProtectionDomain[cLen + aLen]; - - synchronized(cachedPDs) { - if (!subject.isReadOnly() && - !subject.getPrincipals().equals(principalSet)) { - - // if the Subject was mutated, clear the PD cache - Set<Principal> newSet = subject.getPrincipals(); - synchronized(newSet) { - principalSet = new java.util.HashSet<Principal>(newSet); - } - principals = principalSet.toArray - (new Principal[principalSet.size()]); - cachedPDs.clear(); - - if (debug != null) { - debug.println("Subject mutated - clearing cache"); - } - } - - for (int i = 0; i < cLen; i++) { - ProtectionDomain pd = currentDomains[i]; - ProtectionDomain subjectPd = cachedPDs.getValue(pd); - - if (subjectPd == null) { - if (pd.staticPermissionsOnly()) { - // keep static ProtectionDomain objects static - subjectPd = pd; - } else { - // XXX - // we must first add the original permissions. - // that way when we later add the new JAAS permissions, - // any unresolved JAAS-related permissions will - // automatically get resolved. 
- - // get the original perms - Permissions perms = new Permissions(); - PermissionCollection coll = pd.getPermissions(); - java.util.Enumeration<Permission> e; - if (coll != null) { - synchronized (coll) { - e = coll.elements(); - while (e.hasMoreElements()) { - Permission newPerm = - e.nextElement(); - perms.add(newPerm); - } - } - } - - // get perms from the policy - final java.security.CodeSource finalCs = pd.getCodeSource(); - final Subject finalS = subject; - PermissionCollection newPerms = - java.security.AccessController.doPrivileged - (new PrivilegedAction<PermissionCollection>() { - @SuppressWarnings({"deprecation", "removal"}) - public PermissionCollection run() { - return - javax.security.auth.Policy.getPolicy().getPermissions - (finalS, finalCs); - } - }); - - // add the newly granted perms, - // avoiding duplicates - synchronized (newPerms) { - e = newPerms.elements(); - while (e.hasMoreElements()) { - Permission newPerm = e.nextElement(); - if (!perms.implies(newPerm)) { - perms.add(newPerm); - if (debug != null) - debug.println ( - "Adding perm " + newPerm + "\n"); - } - } - } - subjectPd = new ProtectionDomain - (finalCs, perms, pd.getClassLoader(), principals); - } - if (allowCaching) - cachedPDs.putValue(pd, subjectPd); - } - newDomains[i] = subjectPd; - } - } - - if (debug != null) { - debug.println("updated current: "); - for (int i = 0; i < cLen; i++) { - debug.println("\tupdated[" + i + "] = " + newDomains[i]); - } - } - - // now add on the assigned domains - if (aLen > 0) { - System.arraycopy(assignedDomains, 0, newDomains, cLen, aLen); - } - - if (debug != null) { - if (newDomains == null || newDomains.length == 0) { - debug.println("returning null"); - } else { - debug.println("combinedDomains: "); - for (int i = 0; i < newDomains.length; i++) { - debug.println("newDomain " + i + ": " + - newDomains[i].toString()); - } - } - } - - // return the new ProtectionDomains - if (newDomains == null || newDomains.length == 0) { - return null; - } 
else { - return newDomains; - } - } - private static ProtectionDomain[] optimize(ProtectionDomain[] domains) { if (domains == null || domains.length == 0) return null; ProtectionDomain[] optimized = new ProtectionDomain[domains.length]; --- 271,280 ----
*** 474,498 **** } return ((num == 0 || optimized.length == 0) ? null : optimized); } - private static boolean cachePolicy() { - String s = AccessController.doPrivileged - (new PrivilegedAction<String>() { - public String run() { - return Security.getProperty("cache.auth.policy"); - } - }); - if (s != null) { - return Boolean.parseBoolean(s); - } - - // cache by default - return true; - } - private static void printInputDomains(ProtectionDomain[] currentDomains, ProtectionDomain[] assignedDomains) { if (currentDomains == null || currentDomains.length == 0) { debug.println("currentDomains null or 0 length"); } else { --- 310,319 ----