8338411: Implement JEP 486: Permanently Disable the Security Manager

Co-authored-by: Sean Mullan <mullan@openjdk.org>
Co-authored-by: Alan Bateman <alanb@openjdk.org>
Co-authored-by: Weijun Wang <weijun@openjdk.org>
Co-authored-by: Aleksei Efimov <aefimov@openjdk.org>
Co-authored-by: Brian Burkhalter <bpb@openjdk.org>
Co-authored-by: Daniel Fuchs <dfuchs@openjdk.org>
Co-authored-by: Harshitha Onkar <honkar@openjdk.org>
Co-authored-by: Joe Wang <joehw@openjdk.org>
Co-authored-by: Jorn Vernee <jvernee@openjdk.org>
Co-authored-by: Justin Lu <jlu@openjdk.org>
Co-authored-by: Kevin Walls <kevinw@openjdk.org>
Co-authored-by: Lance Andersen <lancea@openjdk.org>
Co-authored-by: Naoto Sato <naoto@openjdk.org>
Co-authored-by: Roger Riggs <rriggs@openjdk.org>
Co-authored-by: Brent Christian <bchristi@openjdk.org>
Co-authored-by: Stuart Marks <smarks@openjdk.org>
Co-authored-by: Ian Graves <igraves@openjdk.org>
Co-authored-by: Phil Race <prr@openjdk.org>
Co-authored-by: Erik Gahlin <egahlin@openjdk.org>
Co-authored-by: Jaikiran Pai <jpai@openjdk.org>
Reviewed-by: kevinw, aivanov, rriggs, lancea, coffeys, dfuchs, ihse, erikj, cjplummer, coleenp, naoto, mchung, prr, weijun, joehw, azvegint, psadhukhan, bchristi, sundar, attila
Sean Mullan 2024-11-12 17:16:15 +00:00
parent c12b386d19
commit db85090553
1885 changed files with 5528 additions and 65650 deletions


@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -103,21 +103,13 @@ public abstract class ServerSocketFactory
* Returns a server socket bound to the specified port.
* The socket is configured with the socket options
* (such as accept timeout) given to this factory.
* <P>
* If there is a security manager, its <code>checkListen</code>
* method is called with the <code>port</code> argument as its
* argument to ensure the operation is allowed. This could result
* in a SecurityException.
*
* @param port the port to listen to
* @return the <code>ServerSocket</code>
* @throws IOException for networking errors
* @throws SecurityException if a security manager exists and its
* <code>checkListen</code> method doesn't allow the operation.
* @throws IllegalArgumentException if the port parameter is outside the
* specified range of valid port values, which is between 0 and
* 65535, inclusive.
* @see SecurityManager#checkListen
* @see java.net.ServerSocket#ServerSocket(int)
*/
public abstract ServerSocket createServerSocket(int port)
@ -132,22 +124,14 @@ public abstract class ServerSocketFactory
* The <code>backlog</code> argument must be a positive
* value greater than 0. If the value passed if equal or less
* than 0, then the default value will be assumed.
* <P>
* If there is a security manager, its <code>checkListen</code>
* method is called with the <code>port</code> argument as its
* argument to ensure the operation is allowed. This could result
* in a SecurityException.
*
* @param port the port to listen to
* @param backlog how many connections are queued
* @return the <code>ServerSocket</code>
* @throws IOException for networking errors
* @throws SecurityException if a security manager exists and its
* <code>checkListen</code> method doesn't allow the operation.
* @throws IllegalArgumentException if the port parameter is outside the
* specified range of valid port values, which is between 0 and
* 65535, inclusive.
* @see SecurityManager#checkListen
* @see java.net.ServerSocket#ServerSocket(int, int)
*/
public abstract ServerSocket
@ -169,23 +153,15 @@ public abstract class ServerSocketFactory
* The <code>backlog</code> argument must be a positive
* value greater than 0. If the value passed if equal or less
* than 0, then the default value will be assumed.
* <P>
* If there is a security manager, its <code>checkListen</code>
* method is called with the <code>port</code> argument as its
* argument to ensure the operation is allowed. This could result
* in a SecurityException.
*
* @param port the port to listen to
* @param backlog how many connections are queued
* @param ifAddress the network interface address to use
* @return the <code>ServerSocket</code>
* @throws IOException for networking errors
* @throws SecurityException if a security manager exists and its
* <code>checkListen</code> method doesn't allow the operation.
* @throws IllegalArgumentException if the port parameter is outside the
* specified range of valid port values, which is between 0 and
* 65535, inclusive.
* @see SecurityManager#checkListen
* @see java.net.ServerSocket#ServerSocket(int, int, java.net.InetAddress)
*/
public abstract ServerSocket


@ -129,23 +129,16 @@ public abstract class SocketFactory
* Creates a socket and connects it to the specified remote host
* at the specified remote port. This socket is configured using
* the socket options established for this factory.
* <p>
* If there is a security manager, its <code>checkConnect</code>
* method is called with the host address and <code>port</code>
* as its arguments. This could result in a SecurityException.
*
* @param host the server host name with which to connect, or
* <code>null</code> for the loopback address.
* @param port the server port
* @return the <code>Socket</code>
* @throws IOException if an I/O error occurs when creating the socket
* @throws SecurityException if a security manager exists and its
* <code>checkConnect</code> method doesn't allow the operation.
* @throws UnknownHostException if the host is not known
* @throws IllegalArgumentException if the port parameter is outside the
* specified range of valid port values, which is between 0 and
* 65535, inclusive.
* @see SecurityManager#checkConnect
* @see java.net.Socket#Socket(String, int)
*/
public abstract Socket createSocket(String host, int port)
@ -158,10 +151,6 @@ public abstract class SocketFactory
* The socket will also be bound to the local address and port supplied.
* This socket is configured using
* the socket options established for this factory.
* <p>
* If there is a security manager, its <code>checkConnect</code>
* method is called with the host address and <code>port</code>
* as its arguments. This could result in a SecurityException.
*
* @param host the server host name with which to connect, or
* <code>null</code> for the loopback address.
@ -170,13 +159,10 @@ public abstract class SocketFactory
* @param localPort the local port the socket is bound to
* @return the <code>Socket</code>
* @throws IOException if an I/O error occurs when creating the socket
* @throws SecurityException if a security manager exists and its
* <code>checkConnect</code> method doesn't allow the operation.
* @throws UnknownHostException if the host is not known
* @throws IllegalArgumentException if the port parameter or localPort
* parameter is outside the specified range of valid port values,
* which is between 0 and 65535, inclusive.
* @see SecurityManager#checkConnect
* @see java.net.Socket#Socket(String, int, java.net.InetAddress, int)
*/
public abstract Socket
@ -188,22 +174,15 @@ public abstract class SocketFactory
* Creates a socket and connects it to the specified port number
* at the specified address. This socket is configured using
* the socket options established for this factory.
* <p>
* If there is a security manager, its <code>checkConnect</code>
* method is called with the host address and <code>port</code>
* as its arguments. This could result in a SecurityException.
*
* @param host the server host
* @param port the server port
* @return the <code>Socket</code>
* @throws IOException if an I/O error occurs when creating the socket
* @throws SecurityException if a security manager exists and its
* <code>checkConnect</code> method doesn't allow the operation.
* @throws IllegalArgumentException if the port parameter is outside the
* specified range of valid port values, which is between 0 and
* 65535, inclusive.
* @throws NullPointerException if <code>host</code> is null.
* @see SecurityManager#checkConnect
* @see java.net.Socket#Socket(java.net.InetAddress, int)
*/
public abstract Socket createSocket(InetAddress host, int port)
@ -215,10 +194,6 @@ public abstract class SocketFactory
* on the specified remote port. The socket will also be bound
* to the local address and port supplied. The socket is configured using
* the socket options established for this factory.
* <p>
* If there is a security manager, its <code>checkConnect</code>
* method is called with the host address and <code>port</code>
* as its arguments. This could result in a SecurityException.
*
* @param address the server network address
* @param port the server port
@ -226,13 +201,10 @@ public abstract class SocketFactory
* @param localPort the client port
* @return the <code>Socket</code>
* @throws IOException if an I/O error occurs when creating the socket
* @throws SecurityException if a security manager exists and its
* <code>checkConnect</code> method doesn't allow the operation.
* @throws IllegalArgumentException if the port parameter or localPort
* parameter is outside the specified range of valid port values,
* which is between 0 and 65535, inclusive.
* @throws NullPointerException if <code>address</code> is null.
* @see SecurityManager#checkConnect
* @see java.net.Socket#Socket(java.net.InetAddress, int,
* java.net.InetAddress, int)
*/


@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -219,9 +219,6 @@ public abstract class HttpsURLConnection extends HttpURLConnection {
* @param v the default host name verifier
* @throws IllegalArgumentException if the <code>HostnameVerifier</code>
* parameter is null.
* @throws SecurityException if a security manager exists and its
* <code>checkPermission</code> method does not allow
* <code>SSLPermission("setHostnameVerifier")</code>
* @see #getDefaultHostnameVerifier()
*/
public static void setDefaultHostnameVerifier(HostnameVerifier v) {
@ -301,9 +298,6 @@ public abstract class HttpsURLConnection extends HttpURLConnection {
* @param sf the default SSL socket factory
* @throws IllegalArgumentException if the SSLSocketFactory
* parameter is null.
* @throws SecurityException if a security manager exists and its
* <code>checkSetFactory</code> method does not allow
* a socket factory to be specified.
* @see #getDefaultSSLSocketFactory()
*/
public static void setDefaultSSLSocketFactory(SSLSocketFactory sf) {
@ -351,9 +345,6 @@ public abstract class HttpsURLConnection extends HttpURLConnection {
* @param sf the SSL socket factory
* @throws IllegalArgumentException if the <code>SSLSocketFactory</code>
* parameter is null.
* @throws SecurityException if a security manager exists and its
* <code>checkSetFactory</code> method does not allow
* a socket factory to be specified.
* @see #getSSLSocketFactory()
*/
public void setSSLSocketFactory(SSLSocketFactory sf) {
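Review bot: The Javadoc for `setDefaultHostnameVerifier` and `setDefaultSSLSocketFactory` no longer documents any restriction on callers, although both replace a default that every new `HttpsURLConnection` instance inherits. With the `@throws SecurityException` clauses gone, I would add a short note to each, for example `@apiNote The default verifier is inherited by all new HttpsURLConnection instances; any code running in this runtime can replace it.`, so that readers who relied on `SSLPermission("setHostnameVerifier")` or `checkSetFactory` know that isolation now has to come from outside the JVM. The same applies to `SSLContext.setDefault` in the SSLContext section, which loses its `SSLPermission("setDefaultSSLContext")` clause. The method bodies lie outside these hunks, so I am assuming the matching permission checks are removed there as well.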


@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -123,9 +123,6 @@ public class SSLContext {
*
* @param context the SSLContext
* @throws NullPointerException if context is null
* @throws SecurityException if a security manager exists and its
* {@code checkPermission} method does not allow
* {@code SSLPermission("setDefaultSSLContext")}
* @since 1.6
*/
public static void setDefault(SSLContext context) {


@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -33,62 +33,16 @@ import java.security.*;
* no actions list; you either have the named permission
* or you don't.
* <P>
* The target name is the name of the network permission (see below). The naming
* The target name is the name of the network permission. The naming
* convention follows the hierarchical property naming convention.
* Also, an asterisk
* may appear at the end of the name, following a ".", or by itself, to
* signify a wildcard match. For example: "foo.*" and "*" signify a wildcard
* match, while "*foo" and "a*b" do not.
* <P>
* The following table lists all the possible SSLPermission target names,
* and for each provides a description of what the permission allows
* and a discussion of the risks of granting code the permission.
*
* <table class="striped">
* <caption style="display:none">permission name, what it allows, and associated risks</caption>
* <thead>
* <tr>
* <th scope="col">Permission Target Name</th>
* <th scope="col">What the Permission Allows</th>
* <th scope="col">Risks of Allowing this Permission</th>
* </tr>
* </thead>
*
* <tbody>
* <tr>
* <th scope="row">setHostnameVerifier</th>
* <td>The ability to set a callback which can decide whether to
* allow a mismatch between the host being connected to by
* an HttpsURLConnection and the common name field in
* server certificate.
* </td>
* <td>Malicious
* code can set a verifier that monitors host names visited by
* HttpsURLConnection requests or that allows server certificates
* with invalid common names.
* </td>
* </tr>
*
* <tr>
* <th scope="row">getSSLSessionContext</th>
* <td>The ability to get the SSLSessionContext of an SSLSession.
* </td>
* <td>Malicious code may monitor sessions which have been established
* with SSL peers or might invalidate sessions to slow down performance.
* </td>
* </tr>
*
* <tr>
* <th scope="row">setDefaultSSLContext</th>
* <td>The ability to set the default SSL context
* </td>
* <td>Malicious code can set a context that monitors the opening of
* connections or the plaintext data that is transmitted.
* </td>
* </tr>
*
* </tbody>
* </table>
* @apiNote
* This permission cannot be used for controlling access to resources
* as the Security Manager is no longer supported.
*
* @see java.security.BasicPermission
* @see java.security.Permission


@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -78,20 +78,12 @@ public abstract class SSLServerSocket extends ServerSocket {
* reject new connection requests.
* <P>
* A port number of <code>0</code> creates a socket on any free port.
* <P>
* If there is a security manager, its <code>checkListen</code>
* method is called with the <code>port</code> argument as its
* argument to ensure the operation is allowed. This could result
* in a SecurityException.
*
* @param port the port on which to listen
* @throws IOException if an I/O error occurs when creating the socket
* @throws SecurityException if a security manager exists and its
* <code>checkListen</code> method doesn't allow the operation.
* @throws IllegalArgumentException if the port parameter is outside the
* specified range of valid port values, which is between 0 and
* 65535, inclusive.
* @see SecurityManager#checkListen
*/
protected SSLServerSocket(int port)
throws IOException
@ -112,22 +104,14 @@ public abstract class SSLServerSocket extends ServerSocket {
* or may choose to ignore the parameter altogether. The value provided
* should be greater than <code>0</code>. If it is less than or equal to
* <code>0</code>, then an implementation specific default will be used.
* <P>
* If there is a security manager, its <code>checkListen</code>
* method is called with the <code>port</code> argument as its
* argument to ensure the operation is allowed. This could result
* in a SecurityException.
*
* @param port the port on which to listen
* @param backlog requested maximum length of the queue of incoming
* connections.
* @throws IOException if an I/O error occurs when creating the socket
* @throws SecurityException if a security manager exists and its
* <code>checkListen</code> method doesn't allow the operation.
* @throws IllegalArgumentException if the port parameter is outside the
* specified range of valid port values, which is between 0 and
* 65535, inclusive.
* @see SecurityManager#checkListen
*/
protected SSLServerSocket(int port, int backlog)
throws IOException
@ -144,11 +128,6 @@ public abstract class SSLServerSocket extends ServerSocket {
* for firewalls or as routers, to control through which interface
* a network service is provided.
* <P>
* If there is a security manager, its <code>checkListen</code>
* method is called with the <code>port</code> argument as its
* argument to ensure the operation is allowed. This could result
* in a SecurityException.
* <P>
* A port number of <code>0</code> creates a socket on any free port.
* <P>
* The <code>backlog</code> argument is the requested maximum number of
@ -167,12 +146,9 @@ public abstract class SSLServerSocket extends ServerSocket {
* @param address the address of the network interface through
* which connections will be accepted
* @throws IOException if an I/O error occurs when creating the socket
* @throws SecurityException if a security manager exists and its
* <code>checkListen</code> method doesn't allow the operation.
* @throws IllegalArgumentException if the port parameter is outside the
* specified range of valid port values, which is between 0 and
* 65535, inclusive.
* @see SecurityManager#checkListen
*/
protected SSLServerSocket(int port, int backlog, InetAddress address)
throws IOException


@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -78,16 +78,7 @@ public interface SSLSession {
* <P>
* This context may be unavailable in some environments,
* in which case this method returns null.
* <P>
* If the context is available and there is a
* security manager installed, the caller may require
* permission to access it or a security exception may be thrown.
* In a Java environment, the security manager's
* {@code checkPermission} method is called with a
* {@code SSLPermission("getSSLSessionContext")} permission.
*
* @throws SecurityException if the calling thread does not have
* permission to get SSL session context.
* @return the session context used for this session, or null
* if the context is unavailable.
*/


@ -209,22 +209,15 @@ public abstract class SSLSocket extends Socket
* Used only by subclasses.
* Constructs a TCP connection to a named host at a specified port.
* This acts as the SSL client.
* <p>
* If there is a security manager, its <code>checkConnect</code>
* method is called with the host address and <code>port</code>
* as its arguments. This could result in a SecurityException.
*
* @param host name of the host with which to connect, or
* <code>null</code> for the loopback address.
* @param port number of the server's port
* @throws IOException if an I/O error occurs when creating the socket
* @throws SecurityException if a security manager exists and its
* <code>checkConnect</code> method doesn't allow the operation.
* @throws UnknownHostException if the host is not known
* @throws IllegalArgumentException if the port parameter is outside the
* specified range of valid port values, which is between 0 and
* 65535, inclusive.
* @see SecurityManager#checkConnect
*/
protected SSLSocket(String host, int port)
throws IOException, UnknownHostException
@ -235,21 +228,14 @@ public abstract class SSLSocket extends Socket
* Used only by subclasses.
* Constructs a TCP connection to a server at a specified address
* and port. This acts as the SSL client.
* <p>
* If there is a security manager, its <code>checkConnect</code>
* method is called with the host address and <code>port</code>
* as its arguments. This could result in a SecurityException.
*
* @param address the server's host
* @param port its port
* @throws IOException if an I/O error occurs when creating the socket
* @throws SecurityException if a security manager exists and its
* <code>checkConnect</code> method doesn't allow the operation.
* @throws IllegalArgumentException if the port parameter is outside the
* specified range of valid port values, which is between 0 and
* 65535, inclusive.
* @throws NullPointerException if <code>address</code> is null.
* @see SecurityManager#checkConnect
*/
protected SSLSocket(InetAddress address, int port)
throws IOException
@ -261,10 +247,6 @@ public abstract class SSLSocket extends Socket
* Constructs an SSL connection to a named host at a specified port,
* binding the client side of the connection a given address and port.
* This acts as the SSL client.
* <p>
* If there is a security manager, its <code>checkConnect</code>
* method is called with the host address and <code>port</code>
* as its arguments. This could result in a SecurityException.
*
* @param host name of the host with which to connect, or
* <code>null</code> for the loopback address.
@ -274,13 +256,10 @@ public abstract class SSLSocket extends Socket
* @param clientPort the client's port the socket is bound to, or
* <code>zero</code> for a system selected free port.
* @throws IOException if an I/O error occurs when creating the socket
* @throws SecurityException if a security manager exists and its
* <code>checkConnect</code> method doesn't allow the operation.
* @throws UnknownHostException if the host is not known
* @throws IllegalArgumentException if the port parameter or clientPort
* parameter is outside the specified range of valid port values,
* which is between 0 and 65535, inclusive.
* @see SecurityManager#checkConnect
*/
protected SSLSocket(String host, int port,
InetAddress clientAddress, int clientPort)
@ -293,10 +272,6 @@ public abstract class SSLSocket extends Socket
* Constructs an SSL connection to a server at a specified address
* and TCP port, binding the client side of the connection a given
* address and port. This acts as the SSL client.
* <p>
* If there is a security manager, its <code>checkConnect</code>
* method is called with the host address and <code>port</code>
* as its arguments. This could result in a SecurityException.
*
* @param address the server's host
* @param port its port
@ -305,13 +280,10 @@ public abstract class SSLSocket extends Socket
* @param clientPort the client's port the socket is bound to, or
* <code>zero</code> for a system selected free port.
* @throws IOException if an I/O error occurs when creating the socket
* @throws SecurityException if a security manager exists and its
* <code>checkConnect</code> method doesn't allow the operation.
* @throws IllegalArgumentException if the port parameter or clientPort
* parameter is outside the specified range of valid port values,
* which is between 0 and 65535, inclusive.
* @throws NullPointerException if <code>address</code> is null.
* @see SecurityManager#checkConnect
*/
protected SSLSocket(InetAddress address, int port,
InetAddress clientAddress, int clientPort)


@ -1,5 +1,5 @@
/*
* Copyright (c) 1998, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1998, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -30,100 +30,10 @@ package javax.security.auth;
* contains a name (also referred to as a "target name") but no actions
* list; you either have the named permission or you don't.
*
* <p> The target name is the name of a security configuration parameter
* (see below). Currently, the {@code AuthPermission} object is used to
* guard access to the {@link Subject},
* {@link javax.security.auth.login.LoginContext}, and
* {@link javax.security.auth.login.Configuration} objects.
* @apiNote
* This permission cannot be used for controlling access to resources
* as the Security Manager is no longer supported.
*
* <p> The standard target names for an Authentication Permission are:
*
* <pre>
* doAs - allow the caller to invoke the
* {@code Subject.doAs} methods.
*
* doAsPrivileged - allow the caller to invoke the
* {@code Subject.doAsPrivileged} methods.
*
* getSubject - allow for the retrieval of the
* Subject(s) associated with the
* current Thread.
*
* getSubjectFromDomainCombiner - allow for the retrieval of the
* Subject associated with the
* a {@code SubjectDomainCombiner}.
*
* setReadOnly - allow the caller to set a Subject
* to be read-only.
*
* modifyPrincipals - allow the caller to modify the {@code Set}
* of Principals associated with a
* {@code Subject}
*
* modifyPublicCredentials - allow the caller to modify the
* {@code Set} of public credentials
* associated with a {@code Subject}
*
* modifyPrivateCredentials - allow the caller to modify the
* {@code Set} of private credentials
* associated with a {@code Subject}
*
* refreshCredential - allow code to invoke the {@code refresh}
* method on a credential which implements
* the {@code Refreshable} interface.
*
* destroyCredential - allow code to invoke the {@code destroy}
* method on a credential {@code object}
* which implements the {@code Destroyable}
* interface.
*
* createLoginContext.{name} - allow code to instantiate a
* {@code LoginContext} with the
* specified {@code name}. {@code name}
* is used as the index into the installed login
* {@code Configuration}
* (that returned by
* {@code Configuration.getConfiguration()}).
* <i>name</i> can be wildcarded (set to '*')
* to allow for any name.
*
* getLoginConfiguration - allow for the retrieval of the system-wide
* login Configuration.
*
* createLoginConfiguration.{type} - allow code to obtain a Configuration
* object via
* {@code Configuration.getInstance}.
*
* setLoginConfiguration - allow for the setting of the system-wide
* login Configuration.
*
* refreshLoginConfiguration - allow for the refreshing of the system-wide
* login Configuration.
* </pre>
*
* <p>Please note that granting this permission with the "modifyPrincipals",
* "modifyPublicCredentials" or "modifyPrivateCredentials" target allows
* a JAAS login module to populate principal or credential objects into
* the Subject. Although reading information inside the private credentials
* set requires a {@link PrivateCredentialPermission} of the credential type to
* be granted, reading information inside the principals set and the public
* credentials set requires no additional permission. These objects can contain
* potentially sensitive information. For example, login modules that read
* local user information or perform a Kerberos login are able to add
* potentially sensitive information such as user ids, groups and domain names
* to the principals set.
*
* <p> The following target name has been deprecated in favor of
* {@code createLoginContext.{name}}.
*
* <pre>
* createLoginContext - allow code to instantiate a
* {@code LoginContext}.
* </pre>
*
* @implNote
* Implementations may define additional target names, but should use naming
* conventions such as reverse domain name notation to avoid name clashes.
* @since 1.4
*/
public final class AuthPermission extends
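Review bot: The removed paragraph beginning "Please note that granting this permission" carried a caveat that does not depend on the Security Manager: the principal and credential sets that login modules populate can hold sensitive data such as user ids, groups and domain names. After this change nothing in this class says so, and with the permission checks gone the private credential set is presumably readable by any code that holds the `Subject` too. I would keep one sentence of that caveat, here or in the `Subject` class description, e.g. `Principals and credentials in a Subject may contain sensitive information and are accessible to any code that holds a reference to the Subject.` Whether `Subject` already gained such wording cannot be seen from this section.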


@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -46,9 +46,6 @@ public interface Destroyable {
* The default implementation throws {@code DestroyFailedException}.
*
* @exception DestroyFailedException if the destroy operation fails.
*
* @exception SecurityException if the caller does not have permission
* to destroy this {@code Object}.
*/
default void destroy() throws DestroyFailedException {
throw new DestroyFailedException();


@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -47,59 +47,9 @@ import sun.security.util.ResourcesMgr;
* CredentialClass {PrincipalClass "PrincipalName"}*
* </pre>
*
* For example, the following permission grants access to the
* com.sun.PrivateCredential owned by Subjects which have
* a com.sun.Principal with the name, "duke". Note that although
* this example, as well as all the examples below, do not contain
* Codebase, SignedBy, or Principal information in the grant statement
* (for simplicity reasons), actual policy configurations should
* specify that information when appropriate.
*
* <pre>
*
* grant {
* permission javax.security.auth.PrivateCredentialPermission
* "com.sun.PrivateCredential com.sun.Principal \"duke\"",
* "read";
* };
* </pre>
*
* If CredentialClass is "*", then access is granted to
* all private Credentials belonging to the specified
* {@code Subject}.
* If "PrincipalName" is "*", then access is granted to the
* specified Credential owned by any {@code Subject} that has the
* specified {@code Principal} (the actual PrincipalName doesn't matter).
* For example, the following grants access to the
* a.b.Credential owned by any {@code Subject} that has
* an a.b.Principal.
*
* <pre>
* grant {
* permission javax.security.auth.PrivateCredentialPermission
* "a.b.Credential a.b.Principal "*"",
* "read";
* };
* </pre>
*
* If both the PrincipalClass and "PrincipalName" are "*",
* then access is granted to the specified Credential owned by
* any {@code Subject}.
*
* <p> In addition, the PrincipalClass/PrincipalName pairing may be repeated:
*
* <pre>
* grant {
* permission javax.security.auth.PrivateCredentialPermission
* "a.b.Credential a.b.Principal "duke" c.d.Principal "dukette"",
* "read";
* };
* </pre>
*
* The above grants access to the private Credential, "a.b.Credential",
* belonging to a {@code Subject} with at least two associated Principals:
* "a.b.Principal" with the name, "duke", and "c.d.Principal", with the name,
* "dukette".
* @apiNote
* This permission cannot be used for controlling access to resources
* as the Security Manager is no longer supported.
*
* @since 1.4
*/


@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -49,10 +49,6 @@ public interface Refreshable {
* Update or extend the validity period for this
* {@code Object}.
*
* @exception SecurityException if the caller does not have permission
* to update or extend the validity period for this
* {@code Object}.
*
* @exception RefreshFailedException if the refresh attempt failed.
*/
void refresh() throws RefreshFailedException;


@ -35,7 +35,6 @@ import java.util.*;
import java.util.concurrent.Callable;
import java.util.concurrent.CompletionException;
import jdk.internal.access.SharedSecrets;
import sun.security.util.ResourcesMgr;
/**
@ -62,8 +61,7 @@ import sun.security.util.ResourcesMgr;
* private cryptographic keys, are stored within a private credential
* {@code Set}. Credentials intended to be shared, such as
* public key certificates or Kerberos server tickets are stored
* within a public credential {@code Set}. Different permissions
* are required to access and modify the different credential Sets.
* within a public credential {@code Set}.
*
* <p> To retrieve all the Principals associated with a {@code Subject},
* invoke the {@code getPrincipals} method. To retrieve
@ -103,28 +101,17 @@ import sun.security.util.ResourcesMgr;
* <li>{@link #doAsPrivileged(Subject, PrivilegedExceptionAction, AccessControlContext)}
* </ul>
* Methods {@link #current()} and {@link #callAs(Subject, Callable)}
* are replacements for these methods, where {@code current}
* is mostly equivalent to {@code getSubject(AccessController.getContext())}
* are replacements for these methods, where {@code current} is equivalent to
* {@code getSubject(AccessController.getContext())} (as originally specified)
* and {@code callAs} is similar to {@code doAs} except that the
* input type and exceptions thrown are slightly different.
*
* <p id="sm-allowed"><b>These methods behave differently depending on
* whether a security manager is
* {@linkplain SecurityManager##set-security-manager allowed or disallowed}</b>:
* <ul>
* <li>If a security manager is allowed, which means it is either already set
* or allowed to be set dynamically, a {@code Subject} object is associated
* with an {@code AccessControlContext} through a {@code doAs} or
* {@code callAs} call, and the subject can then be retrieved using the
* {@code getSubject(AccessControlContext)} or {@code current} method.
* <li>If a security manager is not allowed, which means it is not set and
* not allowed to be set dynamically, a {@code doAs} or {@code callAs} call
* <p> A {@code doAs} or {@code callAs} call
* binds a {@code Subject} object to the period of execution of an action,
* and the subject can be retrieved using the {@code current} method inside
* the action. This subject can be inherited by child threads if they are
* started and terminate within the execution of its parent thread using
* structured concurrency.
* </ul>
*
* @since 1.4
* @see java.security.Principal
@ -174,17 +161,8 @@ public final class Subject implements java.io.Serializable {
*
* <p> The newly constructed Sets check whether this {@code Subject}
* has been set read-only before permitting subsequent modifications.
* The newly created Sets also prevent illegal modifications
* by ensuring that callers have sufficient permissions. These Sets
* also prohibit null elements, and attempts to add, query, or remove
* a null element will result in a {@code NullPointerException}.
*
* <p> To modify the Principals Set, the caller must have
* {@code AuthPermission("modifyPrincipals")}.
* To modify the public credential Set, the caller must have
* {@code AuthPermission("modifyPublicCredentials")}.
* To modify the private credential Set, the caller must have
* {@code AuthPermission("modifyPrivateCredentials")}.
* These Sets also prohibit null elements, and attempts to add, query,
* or remove a null element will result in a {@code NullPointerException}.
*/
public Subject() {
@ -204,17 +182,8 @@ public final class Subject implements java.io.Serializable {
* are copied into newly constructed Sets.
* These newly created Sets check whether this {@code Subject}
* has been set read-only before permitting subsequent modifications.
* The newly created Sets also prevent illegal modifications
* by ensuring that callers have sufficient permissions. These Sets
* also prohibit null elements, and attempts to add, query, or remove
* a null element will result in a {@code NullPointerException}.
*
* <p> To modify the Principals Set, the caller must have
* {@code AuthPermission("modifyPrincipals")}.
* To modify the public credential Set, the caller must have
* {@code AuthPermission("modifyPublicCredentials")}.
* To modify the private credential Set, the caller must have
* {@code AuthPermission("modifyPrivateCredentials")}.
* These Sets also prohibit null elements, and attempts to add, query,
* or remove a null element will result in a {@code NullPointerException}.
*
* @param readOnly true if the {@code Subject} is to be read-only,
* and false otherwise.
@ -266,12 +235,6 @@ public final class Subject implements java.io.Serializable {
* {@code IllegalStateException} being thrown.
* Also, once a {@code Subject} is read-only,
* it can not be reset to being writable again.
*
* @throws SecurityException if a security manager is installed and the
* caller does not have an
* {@link AuthPermission#AuthPermission(String)
* AuthPermission("setReadOnly")} permission to set this
* {@code Subject} to be read-only.
*/
public void setReadOnly() {
@SuppressWarnings("removal")
@ -293,73 +256,31 @@ public final class Subject implements java.io.Serializable {
}
/**
* Get the {@code Subject} associated with the provided
* {@code AccessControlContext}. This method is intended to be used with
* a security manager. It throws an {@code UnsupportedOperationException}
* if a security manager is not allowed.
* Throws {@code UnsupportedOperationException}. A replacement API
* named {@link #current()} has been added which can be used to obtain
* the current subject.
*
* <p> The {@code AccessControlContext} may contain many
* Subjects (from nested {@code doAs} calls).
* In this situation, the most recent {@code Subject} associated
* with the {@code AccessControlContext} is returned.
* @param acc ignored
*
* @param acc the {@code AccessControlContext} from which to retrieve
* the {@code Subject}.
* @return n/a
*
* @return the {@code Subject} associated with the provided
* {@code AccessControlContext}, or {@code null}
* if no {@code Subject} is associated
* with the provided {@code AccessControlContext}.
* @throws UnsupportedOperationException always
*
* @throws UnsupportedOperationException if a security manager is
* not allowed
* @deprecated This method used to get the subject associated with the
* provided {@link AccessControlContext}, which was only useful in
* conjunction with {@linkplain SecurityManager the Security Manager},
* which is no longer supported. This method has been changed to
* always throw {@code UnsupportedOperationException}. A replacement
* API named {@link #current()} has been added which can be used to
* obtain the current subject. There is no replacement for the
* Security Manager.
*
* @throws SecurityException if a security manager is installed and the
* caller does not have an
* {@link AuthPermission#AuthPermission(String)
* AuthPermission("getSubject")} permission to get the
* {@code Subject}.
*
* @throws NullPointerException if the provided
* {@code AccessControlContext} is {@code null}.
*
* @deprecated This method depends on {@link AccessControlContext}
* which, in conjunction with
* {@linkplain SecurityManager the Security Manager}, is deprecated
* and subject to removal in a future release. However,
* obtaining a Subject is useful independent of the Security Manager.
* Thus, a replacement API named {@link #current()} has been added
* which can be used to obtain the current subject.
* @see #current()
*/
@SuppressWarnings("removal")
@Deprecated(since="17", forRemoval=true)
public static Subject getSubject(final AccessControlContext acc) {
java.lang.SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(AuthPermissionHolder.GET_SUBJECT_PERMISSION);
}
Objects.requireNonNull(acc, ResourcesMgr.getString
("invalid.null.AccessControlContext.provided"));
if (!SharedSecrets.getJavaLangAccess().allowSecurityManager()) {
throw new UnsupportedOperationException(
"getSubject is supported only if a security manager is allowed");
} else {
// return the Subject from the DomainCombiner of the provided context
return AccessController.doPrivileged
(new java.security.PrivilegedAction<>() {
public Subject run() {
DomainCombiner dc = acc.getDomainCombiner();
if (!(dc instanceof SubjectDomainCombiner)) {
return null;
}
SubjectDomainCombiner sdc = (SubjectDomainCombiner) dc;
return sdc.getSubject();
}
});
}
throw new UnsupportedOperationException("getSubject is not supported");
}
private static final ScopedValue<Subject> SCOPED_SUBJECT =
@ -375,11 +296,7 @@ public final class Subject implements java.io.Serializable {
* subject is reset to its previous value. The current
* subject is {@code null} before the first call of {@code callAs()}.
*
* <p> If a security manager is <a href=#sm-allowed>allowed</a>, this
* method is equivalent to calling {@link #getSubject} with the current
* {@code AccessControlContext}.
*
* <p> If a security manager is not allowed, this method returns the
* <p> This method returns the
* {@code Subject} bound to the period of the execution of the current
* thread.
*
@ -390,31 +307,14 @@ public final class Subject implements java.io.Serializable {
*/
@SuppressWarnings("removal")
public static Subject current() {
if (!SharedSecrets.getJavaLangAccess().allowSecurityManager()) {
return SCOPED_SUBJECT.orElse(null);
} else {
return getSubject(AccessController.getContext());
}
return SCOPED_SUBJECT.orElse(null);
}
/**
* Executes a {@code Callable} with {@code subject} as the
* current subject.
*
* <p> If a security manager is <a href=#sm-allowed>allowed</a>,
* this method first retrieves the current Thread's
* {@code AccessControlContext} via
* {@code AccessController.getContext},
* and then instantiates a new {@code AccessControlContext}
* using the retrieved context along with a new
* {@code SubjectDomainCombiner} (constructed using
* the provided {@code Subject}).
* Finally, this method invokes {@code AccessController.doPrivileged},
* passing it the provided {@code PrivilegedAction},
* as well as the newly constructed {@code AccessControlContext}.
*
* <p> If a security manager is not allowed,
* this method launches {@code action} and binds {@code subject} to the
* <p> This method launches {@code action} and binds {@code subject} to the
* period of its execution.
*
* @param subject the {@code Subject} that the specified {@code action}
@ -434,43 +334,17 @@ public final class Subject implements java.io.Serializable {
public static <T> T callAs(final Subject subject,
final Callable<T> action) throws CompletionException {
Objects.requireNonNull(action);
if (!SharedSecrets.getJavaLangAccess().allowSecurityManager()) {
try {
return ScopedValue.where(SCOPED_SUBJECT, subject).call(action::call);
} catch (Exception e) {
throw new CompletionException(e);
}
} else {
try {
PrivilegedExceptionAction<T> pa = () -> action.call();
@SuppressWarnings("removal")
var result = doAs(subject, pa);
return result;
} catch (PrivilegedActionException e) {
throw new CompletionException(e.getCause());
} catch (Exception e) {
throw new CompletionException(e);
}
try {
return ScopedValue.where(SCOPED_SUBJECT, subject).call(action::call);
} catch (Exception e) {
throw new CompletionException(e);
}
}
/**
* Perform work as a particular {@code Subject}.
*
* <p> If a security manager is <a href=#sm-allowed>allowed</a>,
* this method first retrieves the current Thread's
* {@code AccessControlContext} via
* {@code AccessController.getContext},
* and then instantiates a new {@code AccessControlContext}
* using the retrieved context along with a new
* {@code SubjectDomainCombiner} (constructed using
* the provided {@code Subject}).
* Finally, this method invokes {@code AccessController.doPrivileged},
* passing it the provided {@code PrivilegedAction},
* as well as the newly constructed {@code AccessControlContext}.
*
* <p> If a security manager is not allowed,
* this method launches {@code action} and binds {@code subject} to the
* <p> This method launches {@code action} and binds {@code subject} to the
* period of its execution.
*
* @param subject the {@code Subject} that the specified
@ -489,19 +363,17 @@ public final class Subject implements java.io.Serializable {
* @throws NullPointerException if the {@code PrivilegedAction}
* is {@code null}.
*
* @throws SecurityException if a security manager is installed and the
* caller does not have an
* {@link AuthPermission#AuthPermission(String)
* AuthPermission("doAs")} permission to invoke this
* method.
* @deprecated This method originally performed the specified
* {@code PrivilegedAction} with privileges enabled. Running the
* action with privileges enabled was only useful in conjunction
* with {@linkplain SecurityManager the Security Manager}, which is
* no longer supported. This method has been changed to launch the
* action as is and bind the subject to the period of its execution.
* A replacement API named {@link #callAs} has been added which can
* be used to perform the same work. There is no replacement for the
* Security Manager.
*
* @deprecated This method depends on {@link AccessControlContext}
* which, in conjunction with
* {@linkplain SecurityManager the Security Manager}, is deprecated
* and subject to removal in a future release. However, performing
* work as a Subject is useful independent of the Security Manager.
* Thus, a replacement API named {@link #callAs} has been added
* which can be used to perform the same work.
* @see #callAs(Subject, Callable)
*/
@SuppressWarnings("removal")
@Deprecated(since="18", forRemoval=true)
@ -516,50 +388,26 @@ public final class Subject implements java.io.Serializable {
Objects.requireNonNull(action,
ResourcesMgr.getString("invalid.null.action.provided"));
if (!SharedSecrets.getJavaLangAccess().allowSecurityManager()) {
try {
return callAs(subject, action::run);
} catch (CompletionException ce) {
var cause = ce.getCause();
if (cause instanceof RuntimeException re) {
throw re;
} else if (cause instanceof Error er) {
throw er;
} else {
throw new AssertionError(ce);
}
try {
return callAs(subject, action::run);
} catch (CompletionException ce) {
var cause = ce.getCause();
if (cause instanceof RuntimeException re) {
throw re;
} else if (cause instanceof Error er) {
throw er;
} else {
throw new AssertionError(ce);
}
} else {
// set up the new Subject-based AccessControlContext
// for doPrivileged
final AccessControlContext currentAcc = AccessController.getContext();
// call doPrivileged and push this new context on the stack
return java.security.AccessController.doPrivileged
(action,
createContext(subject, currentAcc));
}
}
/**
* Perform work as a particular {@code Subject}.
*
* <p> If a security manager is <a href=#sm-allowed>allowed</a>,
* this method first retrieves the current Thread's
* {@code AccessControlContext} via
* {@code AccessController.getContext},
* and then instantiates a new {@code AccessControlContext}
* using the retrieved context along with a new
* {@code SubjectDomainCombiner} (constructed using
* the provided {@code Subject}).
* Finally, this method invokes {@code AccessController.doPrivileged},
* passing it the provided {@code PrivilegedExceptionAction},
* as well as the newly constructed {@code AccessControlContext}.
*
* <p> If a security manager is not allowed,
* this method launches {@code action} and binds {@code subject} to the
* <p> This method launches {@code action} and binds {@code subject} to the
* period of its execution.
*
* @param subject the {@code Subject} that the specified
* {@code action} will run as. This parameter
* may be {@code null}.
@ -581,19 +429,17 @@ public final class Subject implements java.io.Serializable {
* {@code PrivilegedExceptionAction} is
* {@code null}.
*
* @throws SecurityException if a security manager is installed and the
* caller does not have an
* {@link AuthPermission#AuthPermission(String)
* AuthPermission("doAs")} permission to invoke this
* method.
* @deprecated This method originally performed the specified
* {@code PrivilegedExceptionAction} with privileges enabled.
* Running the action with privileges enabled was only useful in
* conjunction with {@linkplain SecurityManager the Security Manager},
* which is no longer supported. This method has been changed to
* launch the action as is and bind the subject to the period of its
* execution. A replacement API named {@link #callAs} has been added
* which can be used to perform the same work. There is no
* replacement for the Security Manager.
*
* @deprecated This method depends on {@link AccessControlContext}
* which, in conjunction with
* {@linkplain SecurityManager the Security Manager}, is deprecated
* and subject to removal in a future release. However, performing
* work as a Subject is useful independent of the Security Manager.
* Thus, a replacement API named {@link #callAs} has been added
* which can be used to perform the same work.
* @see #callAs(Subject, Callable)
*/
@SuppressWarnings("removal")
@Deprecated(since="18", forRemoval=true)
@ -609,46 +455,26 @@ public final class Subject implements java.io.Serializable {
Objects.requireNonNull(action,
ResourcesMgr.getString("invalid.null.action.provided"));
if (!SharedSecrets.getJavaLangAccess().allowSecurityManager()) {
try {
return callAs(subject, action::run);
} catch (CompletionException ce) {
var cause = ce.getCause();
if (cause instanceof RuntimeException re) {
throw re;
} else if (cause instanceof Error er) {
throw er;
} else if (cause instanceof Exception e) {
throw new PrivilegedActionException(e);
} else {
throw new PrivilegedActionException(ce);
}
try {
return callAs(subject, action::run);
} catch (CompletionException ce) {
var cause = ce.getCause();
if (cause instanceof RuntimeException re) {
throw re;
} else if (cause instanceof Error er) {
throw er;
} else if (cause instanceof Exception e) {
throw new PrivilegedActionException(e);
} else {
throw new PrivilegedActionException(ce);
}
} else {
// set up the new Subject-based AccessControlContext for doPrivileged
final AccessControlContext currentAcc = AccessController.getContext();
// call doPrivileged and push this new context on the stack
return java.security.AccessController.doPrivileged
(action,
createContext(subject, currentAcc));
}
}
/**
* Perform privileged work as a particular {@code Subject}.
*
* <p> If a security manager is <a href=#sm-allowed>allowed</a>,
* this method behaves exactly as {@code Subject.doAs},
* except that instead of retrieving the current Thread's
* {@code AccessControlContext}, it uses the provided
* {@code AccessControlContext}. If the provided
* {@code AccessControlContext} is {@code null},
* this method instantiates a new {@code AccessControlContext}
* with an empty collection of ProtectionDomains.
*
* <p> If a security manager is not allowed,
* this method ignores the {@code acc} argument, launches {@code action},
* <p> This method ignores the {@code acc} argument, launches {@code action},
* and binds {@code subject} to the period of its execution.
*
* @param subject the {@code Subject} that the specified
@ -670,18 +496,18 @@ public final class Subject implements java.io.Serializable {
* @throws NullPointerException if the {@code PrivilegedAction}
* is {@code null}.
*
* @throws SecurityException if a security manager is installed and the
* caller does not have a
* {@link AuthPermission#AuthPermission(String)
* AuthPermission("doAsPrivileged")} permission to invoke
* this method.
* @deprecated This method originally performed the specified
* {@code PrivilegedAction} with privileges enabled and restricted
* by the specified {@code AccessControlContext}. Running the
* action with privileges enabled was only useful in conjunction
* with {@linkplain SecurityManager the Security Manager}, which is
* no longer supported. This method has been changed to ignore the
* {@code AccessControlContext} and launch the action as is and bind
* the subject to the period of its execution. A replacement API
* named {@link #callAs} has been added which can be used to perform
* the same work. There is no replacement for the Security Manager.
*
* @deprecated This method is only useful in conjunction with
* {@linkplain SecurityManager the Security Manager}, which is
* deprecated and subject to removal in a future release.
* Consequently, this method is also deprecated and subject to
* removal. There is no replacement for the Security Manager or this
* method.
* @see #callAs(Subject, Callable)
*/
@SuppressWarnings("removal")
@Deprecated(since="17", forRemoval=true)
@ -697,48 +523,24 @@ public final class Subject implements java.io.Serializable {
Objects.requireNonNull(action,
ResourcesMgr.getString("invalid.null.action.provided"));
if (!SharedSecrets.getJavaLangAccess().allowSecurityManager()) {
try {
return callAs(subject, action::run);
} catch (CompletionException ce) {
var cause = ce.getCause();
if (cause instanceof RuntimeException re) {
throw re;
} else if (cause instanceof Error er) {
throw er;
} else {
throw new AssertionError(ce);
}
try {
return callAs(subject, action::run);
} catch (CompletionException ce) {
var cause = ce.getCause();
if (cause instanceof RuntimeException re) {
throw re;
} else if (cause instanceof Error er) {
throw er;
} else {
throw new AssertionError(ce);
}
} else {
// set up the new Subject-based AccessControlContext
// for doPrivileged
final AccessControlContext callerAcc =
(acc == null ?
new AccessControlContext(NULL_PD_ARRAY) :
acc);
// call doPrivileged and push this new context on the stack
return java.security.AccessController.doPrivileged
(action,
createContext(subject, callerAcc));
}
}
/**
* Perform privileged work as a particular {@code Subject}.
*
* <p> If a security manager is <a href=#sm-allowed>allowed</a>,
* this method behaves exactly as {@code Subject.doAs},
* except that instead of retrieving the current Thread's
* {@code AccessControlContext}, it uses the provided
* {@code AccessControlContext}. If the provided
* {@code AccessControlContext} is {@code null},
* this method instantiates a new {@code AccessControlContext}
* with an empty collection of ProtectionDomains.
*
* <p> If a security manager is not allowed,
* this method ignores the {@code acc} argument, launches {@code action},
* <p> This method ignores the {@code acc} argument, launches {@code action},
* and binds {@code subject} to the period of its execution.
*
* @param subject the {@code Subject} that the specified
@ -765,18 +567,18 @@ public final class Subject implements java.io.Serializable {
* {@code PrivilegedExceptionAction} is
* {@code null}.
*
* @throws SecurityException if a security manager is installed and the
* caller does not have a
* {@link AuthPermission#AuthPermission(String)
* AuthPermission("doAsPrivileged")} permission to invoke
* this method.
* @deprecated This method originally performed the specified
* {@code PrivilegedExceptionAction} with privileges enabled and
* restricted by the specified {@code AccessControlContext}. Running
* the action with privileges enabled was only useful in conjunction
* with {@linkplain SecurityManager the Security Manager}, which is
* no longer supported. This method has been changed to ignore the
* {@code AccessControlContext} and launch the action as is and bind
* the subject to the period of its execution. A replacement API
* named {@link #callAs} has been added which can be used to perform
* the same work. There is no replacement for the Security Manager.
*
* @deprecated This method is only useful in conjunction with
* {@linkplain SecurityManager the Security Manager}, which is
* deprecated and subject to removal in a future release.
* Consequently, this method is also deprecated and subject to
* removal. There is no replacement for the Security Manager or this
* method.
* @see #callAs(Subject, Callable)
*/
@SuppressWarnings("removal")
@Deprecated(since="17", forRemoval=true)
@ -793,32 +595,19 @@ public final class Subject implements java.io.Serializable {
Objects.requireNonNull(action,
ResourcesMgr.getString("invalid.null.action.provided"));
if (!SharedSecrets.getJavaLangAccess().allowSecurityManager()) {
try {
return callAs(subject, action::run);
} catch (CompletionException ce) {
var cause = ce.getCause();
if (cause instanceof RuntimeException re) {
throw re;
} else if (cause instanceof Error er) {
throw er;
} else if (cause instanceof Exception e) {
throw new PrivilegedActionException(e);
} else {
throw new PrivilegedActionException(ce);
}
try {
return callAs(subject, action::run);
} catch (CompletionException ce) {
var cause = ce.getCause();
if (cause instanceof RuntimeException re) {
throw re;
} else if (cause instanceof Error er) {
throw er;
} else if (cause instanceof Exception e) {
throw new PrivilegedActionException(e);
} else {
throw new PrivilegedActionException(ce);
}
} else {
// set up the new Subject-based AccessControlContext for doPrivileged
final AccessControlContext callerAcc =
(acc == null ?
new AccessControlContext(NULL_PD_ARRAY) :
acc);
// call doPrivileged and push this new context on the stack
return java.security.AccessController.doPrivileged
(action,
createContext(subject, callerAcc));
}
}
@ -851,11 +640,6 @@ public final class Subject implements java.io.Serializable {
* to the returned {@code Set} affects the internal
* {@code Principal} {@code Set} as well.
*
* <p> If a security manager is installed, the caller must have a
* {@link AuthPermission#AuthPermission(String)
* AuthPermission("modifyPrincipals")} permission to modify
* the returned set, or a {@code SecurityException} will be thrown.
*
* @return the {@code Set} of Principals associated with this
* {@code Subject}.
*/
@ -907,11 +691,6 @@ public final class Subject implements java.io.Serializable {
* to the returned {@code Set} affects the internal public
* Credential {@code Set} as well.
*
* <p> If a security manager is installed, the caller must have a
* {@link AuthPermission#AuthPermission(String)
* AuthPermission("modifyPublicCredentials")} permission to modify
* the returned set, or a {@code SecurityException} will be thrown.
*
* @return a {@code Set} of public credentials held by this
* {@code Subject}.
*/
@ -931,17 +710,6 @@ public final class Subject implements java.io.Serializable {
* to the returned {@code Set} affects the internal private
* Credential {@code Set} as well.
*
* <p> If a security manager is installed, the caller must have a
* {@link AuthPermission#AuthPermission(String)
* AuthPermission("modifyPrivateCredentials")} permission to modify
* the returned set, or a {@code SecurityException} will be thrown.
*
* <p> While iterating through the {@code Set},
* a {@code SecurityException} is thrown if a security manager is installed
* and the caller does not have a {@link PrivateCredentialPermission}
* to access a particular Credential. The {@code Iterator}
* is nevertheless advanced to the next element in the {@code Set}.
*
* @return a {@code Set} of private credentials held by this
* {@code Subject}.
*/
@ -997,10 +765,6 @@ public final class Subject implements java.io.Serializable {
* {@code Subject} that are instances or subclasses of the specified
* {@code Class}.
*
* <p> If a security manager is installed, the caller must have a
* {@link PrivateCredentialPermission} to access all of the requested
* Credentials, or a {@code SecurityException} will be thrown.
*
* <p> The returned {@code Set} is not backed by this Subject's
* internal private Credential {@code Set}. A new
* {@code Set} is created and returned for each method invocation.
@ -1049,11 +813,6 @@ public final class Subject implements java.io.Serializable {
*
* @return true if the specified Object is equal to this
* {@code Subject}.
*
* @throws SecurityException if a security manager is installed and the
* caller does not have a {@link PrivateCredentialPermission}
* permission to access the private credentials for this
* {@code Subject} or the provided {@code Subject}.
*/
@Override
public boolean equals(Object o) {
@ -1151,10 +910,6 @@ public final class Subject implements java.io.Serializable {
/**
* {@return a hashcode for this {@code Subject}}
*
* @throws SecurityException if a security manager is installed and the
* caller does not have a {@link PrivateCredentialPermission}
* permission to access this Subject's private credentials.
*/
@Override
public int hashCode() {
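Review bot: The javadoc for `getPrivateCredentials()` (hunk `@ -931,17 +710,6 @@`) and the class description (hunk `@ -62,8 +61,7 @@`) drop every statement about permission checks but say nothing about what now protects private credentials. Going by the removed text, modifying and iterating over the private credential set used to be gated by `AuthPermission` and `PrivateCredentialPermission`; with that gone, any code holding a reference to the `Subject` can presumably read them, so the reference itself becomes the thing to guard. I would add a note in the same style as the one this commit adds to `PrivateCredentialPermission`, for example `@apiNote Access to the returned Set is not subject to permission checks; restrict which code can obtain a reference to this Subject.` The Set implementation is outside the visible hunks, so that wording should be confirmed against it.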


@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -34,15 +34,13 @@ import java.util.WeakHashMap;
import java.lang.ref.WeakReference;
/**
* A {@code SubjectDomainCombiner} updates ProtectionDomains
* with Principals from the {@code Subject} associated with this
* {@code SubjectDomainCombiner}.
* SubjectDomainCombiner was used to dynamically update ProtectionDomains with
* Principals for access control operations and decisions. This feature no
* longer exists.
*
* @since 1.4
* @deprecated This class is only useful in conjunction with
* {@linkplain SecurityManager the Security Manager}, which is deprecated
* and subject to removal in a future release. Consequently, this class
* is also deprecated and subject to removal. There is no replacement for
* @deprecated This class was only useful in conjunction with the Security
* Manager, which is no longer supported. There is no replacement for
* the Security Manager or this class.
*/
@SuppressWarnings("removal")
@ -84,10 +82,6 @@ public class SubjectDomainCombiner implements java.security.DomainCombiner {
* {@code SubjectDomainCombiner}, or {@code null}
* if no {@code Subject} is associated with this
* {@code SubjectDomainCombiner}.
*
* @exception SecurityException if the caller does not have permission
* to get the {@code Subject} associated with this
* {@code SubjectDomainCombiner}.
*/
public Subject getSubject() {
java.lang.SecurityManager sm = System.getSecurityManager();
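Review bot: `getSubject()` still begins with `java.lang.SecurityManager sm = System.getSecurityManager();` (the last context line of hunk `@ -84,10 +82,6 @@`), although the same hunk deletes the `@exception SecurityException` clause from its javadoc. If the rest of the body, which lies outside the hunk, only uses `sm` for a permission check, that check is presumably dead now that the Security Manager is no longer supported. Either drop the lookup in this change or leave a marker such as `// TODO: remove Security Manager check, no longer reachable`, so the leftover is not read as an active access control.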


@ -1,5 +1,5 @@
/*
* Copyright (c) 1998, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1998, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -217,9 +217,6 @@ public abstract class Configuration {
* then that object is returned. Otherwise, a default
* Configuration object is returned.
*
* @exception SecurityException if the caller does not have permission
* to retrieve the Configuration.
*
* @see #setConfiguration
*/
@SuppressWarnings("removal")
@ -291,9 +288,6 @@ public abstract class Configuration {
*
* @param configuration the new {@code Configuration}
*
* @exception SecurityException if the current thread does not have
* Permission to set the {@code Configuration}.
*
* @see #getConfiguration
*/
public static void setConfiguration(Configuration configuration) {
@ -343,9 +337,6 @@ public abstract class Configuration {
*
* @throws NullPointerException if {@code type} is {@code null}
*
* @throws SecurityException if the caller does not have permission
* to get a {@code Configuration} instance for the specified type
*
* @see Provider
*
* @since 1.6
@ -408,9 +399,6 @@ public abstract class Configuration {
*
* @throws NullPointerException if {@code type} is {@code null}
*
* @throws SecurityException if the caller does not have permission
* to get a {@code Configuration} instance for the specified type
*
* @see Provider
* @since 1.6
*/
@ -472,9 +460,6 @@ public abstract class Configuration {
*
* @throws NullPointerException if {@code type} is {@code null}
*
* @throws SecurityException if the caller does not have permission
* to get a {@code Configuration} instance for the specified type
*
* @see Provider
* @since 1.6
*/
@ -583,9 +568,6 @@ public abstract class Configuration {
* <p> The default implementation of this method does nothing.
* This method should be overridden if a refresh operation is supported
* by the implementation.
*
* @exception SecurityException if the caller does not have permission
* to refresh its Configuration.
*/
public void refresh() { }


@ -1,5 +1,5 @@
/*
* Copyright (c) 2005, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -70,9 +70,6 @@ public abstract class ConfigurationSpi {
* <p> The default implementation of this method does nothing.
* This method should be overridden if a refresh operation is supported
* by the implementation.
*
* @exception SecurityException if the caller does not have permission
* to refresh its Configuration.
*/
protected void engineRefresh() { }
}
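Review bot: With the `@exception SecurityException` clause dropped from `engineRefresh()`, the Javadoc no longer tells implementers anything about who may trigger a refresh. The caller permission check that clause described is presumably gone with the Security Manager, so I would add a line such as `Implementations must not assume the caller has been permission-checked; any code holding the Configuration may request a refresh.` The same gap appears in `Configuration.refresh()` in the previous file section, where the matching clause is removed too. The code that calls `engineRefresh()` is not visible in this hunk, so the wording should be confirmed against it.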


@ -1,5 +1,5 @@
/*
* Copyright (c) 1998, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1998, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -135,24 +135,6 @@ import java.util.ServiceLoader.Provider;
* {@code getAppConfigurationEntry} with the name, "<i>other</i>"
* (the default entry name). If there is no entry for "<i>other</i>",
* then a {@code LoginException} is thrown.
*
* <li> When LoginContext uses the installed Configuration, the caller
* requires the createLoginContext.<em>name</em> and possibly
* createLoginContext.other AuthPermissions. Furthermore, the
* LoginContext will invoke configured modules from within an
* {@code AccessController.doPrivileged} call so that modules that
* perform security-sensitive tasks (such as connecting to remote hosts,
* and updating the Subject) will require the respective permissions, but
* the callers of the LoginContext will not require those permissions.
*
* <li> When LoginContext uses a caller-specified Configuration, the caller
* does not require any createLoginContext AuthPermission. The LoginContext
* saves the {@code AccessControlContext} for the caller,
* and invokes the configured modules from within an
* {@code AccessController.doPrivileged} call constrained by that context.
* This means the caller context (stored when the LoginContext was created)
* must have sufficient permissions to perform any security-sensitive tasks
* that the modules may perform.
* </ul>
*
* <li> {@code CallbackHandler}
@ -173,22 +155,11 @@ import java.util.ServiceLoader.Provider;
* with users. The caller thus assumes that the configured
* modules have alternative means for authenticating the user.
*
*
* <li> When the LoginContext uses the installed Configuration (instead of
* a caller-specified Configuration, see above),
* then this LoginContext must wrap any
* caller-specified or default CallbackHandler implementation
* in a new CallbackHandler implementation
* whose {@code handle} method implementation invokes the
* specified CallbackHandler's {@code handle} method in a
* {@code java.security.AccessController.doPrivileged} call
* constrained by the caller's current {@code AccessControlContext}.
* </ul>
* </ol>
*
* @since 1.4
* @see java.security.Security
* @see javax.security.auth.AuthPermission
* @see javax.security.auth.Subject
* @see javax.security.auth.callback.CallbackHandler
* @see javax.security.auth.login.Configuration
@ -345,13 +316,6 @@ public class LoginContext {
* {@code auth.login.defaultCallbackHandler}
* security property was set, but the implementation
* class could not be loaded.
*
* @exception SecurityException if a SecurityManager is set and
* the caller does not have
* AuthPermission("createLoginContext.<i>name</i>"),
* or if a configuration entry for {@code name} does not exist and
* the caller does not additionally have
* AuthPermission("createLoginContext.other")
*/
public LoginContext(String name) throws LoginException {
init(name);
@ -375,13 +339,6 @@ public class LoginContext {
* <i>auth.login.defaultCallbackHandler</i>
* security property was set, but the implementation
* class could not be loaded.
*
* @exception SecurityException if a SecurityManager is set and
* the caller does not have
* AuthPermission("createLoginContext.<i>name</i>"),
* or if a configuration entry for <i>name</i> does not exist and
* the caller does not additionally have
* AuthPermission("createLoginContext.other")
*/
public LoginContext(String name, Subject subject)
throws LoginException {
@ -409,13 +366,6 @@ public class LoginContext {
* and there is no {@code Configuration} entry
* for "{@code other}", or if the caller-specified
* {@code callbackHandler} is {@code null}.
*
* @exception SecurityException if a SecurityManager is set and
* the caller does not have
* AuthPermission("createLoginContext.<i>name</i>"),
* or if a configuration entry for <i>name</i> does not exist and
* the caller does not additionally have
* AuthPermission("createLoginContext.other")
*/
@SuppressWarnings("removal")
public LoginContext(String name, CallbackHandler callbackHandler)
@ -449,13 +399,6 @@ public class LoginContext {
* {@code subject} is {@code null},
* or if the caller-specified
* {@code callbackHandler} is {@code null}.
*
* @exception SecurityException if a SecurityManager is set and
* the caller does not have
* AuthPermission("createLoginContext.<i>name</i>"),
* or if a configuration entry for <i>name</i> does not exist and
* the caller does not additionally have
* AuthPermission("createLoginContext.other")
*/
@SuppressWarnings("removal")
public LoginContext(String name, Subject subject,
@ -492,14 +435,6 @@ public class LoginContext {
* and there is no {@code Configuration} entry
* for "<i>other</i>".
*
* @exception SecurityException if a SecurityManager is set,
* <i>config</i> is {@code null},
* and either the caller does not have
* AuthPermission("createLoginContext.<i>name</i>"),
* or if a configuration entry for <i>name</i> does not exist and
* the caller does not additionally have
* AuthPermission("createLoginContext.other")
*
* @since 1.5
*/
@SuppressWarnings("removal")