# HG changeset patch # User valeriep # Date 1450838217 0 # Node ID 2d542b973871a880a15422917d86330d1f8cd905 # Parent e3a56c19a668db48a85ca4624542764c6267b981 8138811: Construction of static protection domains Summary: Updated SubjectDomainCombiner to keep static ProtectionDomain static Reviewed-by: mullan diff -r e3a56c19a668 -r 2d542b973871 jdk/src/java.base/share/classes/java/security/ProtectionDomain.java --- a/jdk/src/java.base/share/classes/java/security/ProtectionDomain.java Tue Jul 19 09:31:59 2016 -0700 +++ b/jdk/src/java.base/share/classes/java/security/ProtectionDomain.java Wed Dec 23 02:36:57 2015 +0000 @@ -132,7 +132,7 @@ /* the PermissionCollection is static (pre 1.4 constructor) or dynamic (via a policy refresh) */ - private boolean staticPermissions; + private final boolean staticPermissions; /* * An object used as a key when the ProtectionDomain is stored in a Map. @@ -143,8 +143,12 @@ * Creates a new ProtectionDomain with the given CodeSource and * Permissions. If the permissions object is not null, then * {@code setReadOnly()} will be called on the passed in - * Permissions object. The only permissions granted to this domain - * are the ones specified; the current Policy will not be consulted. + * Permissions object. + *

+ * The permissions granted to this domain are static, i.e. + * invoking the {@link #staticPermissionsOnly()} method returns true. + * They contain only the ones passed to this constructor and + * the current Policy will not be consulted. * * @param codesource the codesource associated with this domain * @param permissions the permissions granted to this domain @@ -170,9 +174,11 @@ * Permissions, ClassLoader and array of Principals. If the * permissions object is not null, then {@code setReadOnly()} * will be called on the passed in Permissions object. - * The permissions granted to this domain are dynamic; they include - * both the static permissions passed to this constructor, and any - * permissions granted to this domain by the current Policy at the + *

+ * The permissions granted to this domain are dynamic, i.e. + * invoking the {@link #staticPermissionsOnly()} method returns false. + * They include both the static permissions passed to this constructor, + * and any permissions granted to this domain by the current Policy at the * time a permission is checked. *

* This constructor is typically used by @@ -256,6 +262,19 @@ } /** + * Returns true if this domain contains only static permissions + * and does not check the current {@code Policy} at the time of + * permission checking. + * + * @return true if this domain contains only static permissions. + * + * @since 9 + */ + public final boolean staticPermissionsOnly() { + return this.staticPermissions; + } + + /** * Check and see if this ProtectionDomain implies the permissions * expressed in the Permission object. *

@@ -263,25 +282,19 @@ * ProtectionDomain was constructed with a static set of permissions * or it was bound to a dynamically mapped set of permissions. *

- * If the ProtectionDomain was constructed to a - * {@link #ProtectionDomain(CodeSource, PermissionCollection) - * statically bound} PermissionCollection then the permission will - * only be checked against the PermissionCollection supplied at - * construction. + * If the {@link #staticPermissionsOnly()} method returns + * true, then the permission will only be checked against the + * PermissionCollection supplied at construction. *

- * However, if the ProtectionDomain was constructed with - * the constructor variant which supports - * {@link #ProtectionDomain(CodeSource, PermissionCollection, - * ClassLoader, java.security.Principal[]) dynamically binding} - * permissions, then the permission will be checked against the - * combination of the PermissionCollection supplied at construction and + * Otherwise, the permission will be checked against the combination + * of the PermissionCollection supplied at construction and * the current Policy binding. * - * @param permission the Permission object to check. + * @param perm the Permission object to check. * - * @return true if "permission" is implicit to this ProtectionDomain. + * @return true if {@code perm} is implied by this ProtectionDomain. */ - public boolean implies(Permission permission) { + public boolean implies(Permission perm) { if (hasAllPerm) { // internal permission collection already has AllPermission - @@ -290,10 +303,10 @@ } if (!staticPermissions && - Policy.getPolicyNoCheck().implies(this, permission)) + Policy.getPolicyNoCheck().implies(this, perm)) return true; if (permissions != null) - return permissions.implies(permission); + return permissions.implies(perm); return false; } diff -r e3a56c19a668 -r 2d542b973871 jdk/src/java.base/share/classes/javax/security/auth/SubjectDomainCombiner.java --- a/jdk/src/java.base/share/classes/javax/security/auth/SubjectDomainCombiner.java Tue Jul 19 09:31:59 2016 -0700 +++ b/jdk/src/java.base/share/classes/javax/security/auth/SubjectDomainCombiner.java Wed Dec 23 02:36:57 2015 +0000 @@ -233,10 +233,15 @@ subjectPd = cachedPDs.getValue(pd); if (subjectPd == null) { - subjectPd = new ProtectionDomain(pd.getCodeSource(), + if (pd.staticPermissionsOnly()) { + // keep static ProtectionDomain objects static + subjectPd = pd; + } else { + subjectPd = new ProtectionDomain(pd.getCodeSource(), pd.getPermissions(), pd.getClassLoader(), principals); + } cachedPDs.putValue(pd, subjectPd); } else { allNew = false;