# HG changeset patch # User weijun # Date 1534257574 -28800 # Node ID 3c389a2843457506789323a885c703234dee08e0 # Parent c9150700bbd07e16ae0e2499d116afc65809653c 8209416: Refactoring GetPropertyAction calls in security libs Reviewed-by: xuelei, rriggs diff -r c9150700bbd0 -r 3c389a284345 src/java.base/share/classes/com/sun/security/ntlm/NTLM.java --- a/src/java.base/share/classes/com/sun/security/ntlm/NTLM.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.base/share/classes/com/sun/security/ntlm/NTLM.java Tue Aug 14 22:39:34 2018 +0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2010, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,8 @@ package com.sun.security.ntlm; +import sun.security.action.GetBooleanAction; + import static com.sun.security.ntlm.Version.*; import java.io.IOException; import java.io.UnsupportedEncodingException; @@ -55,10 +57,8 @@ private final MessageDigest md4; private final Mac hmac; private final MessageDigest md5; - private static final boolean DEBUG = - java.security.AccessController.doPrivileged( - new sun.security.action.GetBooleanAction("ntlm.debug")) - .booleanValue(); + private static final boolean DEBUG + = GetBooleanAction.privilegedGetProperty("ntlm.debug"); final Version v; diff -r c9150700bbd0 -r 3c389a284345 src/java.base/share/classes/sun/security/action/GetBooleanAction.java --- a/src/java.base/share/classes/sun/security/action/GetBooleanAction.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.base/share/classes/sun/security/action/GetBooleanAction.java Tue Aug 14 22:39:34 2018 +0800 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2006, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,8 @@ package sun.security.action; +import java.security.AccessController; + /** * A convenience class for retrieving the boolean value of a system property * as a privileged action. @@ -69,4 +71,25 @@ public Boolean run() { return Boolean.getBoolean(theProp); } + + /** + * Convenience method to get a property without going through doPrivileged + * if no security manager is present. This is unsafe for inclusion in a + * public API but allowable here since this class is now encapsulated. + * + * Note that this method performs a privileged action using caller-provided + * inputs. The caller of this method should take care to ensure that the + * inputs are not tainted and the returned property is not made accessible + * to untrusted code if it contains sensitive information. + * + * @param theProp the name of the system property. + */ + public static boolean privilegedGetProperty(String theProp) { + if (System.getSecurityManager() == null) { + return Boolean.getBoolean(theProp); + } else { + return AccessController.doPrivileged( + new GetBooleanAction(theProp)); + } + } } diff -r c9150700bbd0 -r 3c389a284345 src/java.base/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java --- a/src/java.base/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.base/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java Tue Aug 14 22:39:34 2018 +0800 
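Review bot: The Javadoc for the new `privilegedGetProperty` in GetBooleanAction.java documents `@param theProp` but has no `@return`, so the result for an unset or non-boolean property is left to the reader. Both branches end in `Boolean.getBoolean(theProp)` (the privileged branch through `run()`), so I would add `@return true if the system property named by theProp exists and equals "true" ignoring case; false otherwise`. The taint warning in the comment is satisfied by every call site visible in this changeset, since they all pass string literals. It may be worth stating in the comment that the property name is expected to be a constant.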
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,9 +25,9 @@ package sun.security.internal.spec; +import sun.security.action.GetBooleanAction; + import java.security.spec.AlgorithmParameterSpec; -import java.security.AccessController; -import java.security.PrivilegedAction; /** * Parameters for SSL/TLS RSA premaster secret. @@ -51,25 +51,11 @@ * requested in its client hello version). However, we (and other * implementations) used to send the active negotiated version. The * system property below allows to toggle the behavior. - */ - private static final String PROP_NAME = - "com.sun.net.ssl.rsaPreMasterSecretFix"; - - /* * Default is "false" (old behavior) for compatibility reasons in * SSLv3/TLSv1. Later protocols (TLSv1.1+) do not use this property. */ - private static final boolean rsaPreMasterSecretFix = - AccessController.doPrivileged(new PrivilegedAction() { - public Boolean run() { - String value = System.getProperty(PROP_NAME); - if (value != null && value.equalsIgnoreCase("true")) { - return Boolean.TRUE; - } - - return Boolean.FALSE; - } - }); + private static final boolean rsaPreMasterSecretFix = GetBooleanAction + .privilegedGetProperty("com.sun.net.ssl.rsaPreMasterSecretFix"); private final int clientVersion; private final int serverVersion; diff -r c9150700bbd0 -r 3c389a284345 src/java.base/share/classes/sun/security/provider/certpath/Builder.java --- a/src/java.base/share/classes/sun/security/provider/certpath/Builder.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.base/share/classes/sun/security/provider/certpath/Builder.java Tue Aug 14 22:39:34 2018 +0800 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -63,8 +63,8 @@ * Authority Information Access extension shall be enabled. Currently * disabled by default for compatibility reasons. */ - static final boolean USE_AIA = AccessController.doPrivileged - (new GetBooleanAction("com.sun.security.enableAIAcaIssuers")); + static final boolean USE_AIA = GetBooleanAction + .privilegedGetProperty("com.sun.security.enableAIAcaIssuers"); /** * Initialize the builder with the input parameters. diff -r c9150700bbd0 -r 3c389a284345 src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java --- a/src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java Tue Aug 14 22:39:34 2018 +0800 @@ -31,6 +31,8 @@ import java.util.Locale; import javax.net.ssl.SSLSession; import javax.net.ssl.SSLSessionContext; + +import sun.security.action.GetPropertyAction; import sun.security.util.Cache; @@ -196,15 +198,9 @@ private static int getDefaultCacheLimit() { int defaultCacheLimit = 0; try { - String s = java.security.AccessController.doPrivileged( - new java.security.PrivilegedAction() { - @Override - public String run() { - return System.getProperty( - "javax.net.ssl.sessionCacheSize"); - } - }); - defaultCacheLimit = (s != null) ? Integer.parseInt(s) : 0; + String s = GetPropertyAction + .privilegedGetProperty("javax.net.ssl.sessionCacheSize"); + defaultCacheLimit = (s != null) ? Integer.parseInt(s) : 0; } catch (Exception e) { // swallow the exception } diff -r c9150700bbd0 -r 3c389a284345 src/java.base/share/classes/sun/security/ssl/StatusResponseManager.java 
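Review bot: In `getDefaultCacheLimit` (SSLSessionContextImpl.java) the `catch (Exception e)` around the rewritten lookup still swallows everything, so a malformed `javax.net.ssl.sessionCacheSize` silently leaves `defaultCacheLimit` at 0 with no trace for the operator. With the lookup reduced to `privilegedGetProperty` plus `Integer.parseInt`, the only failure expected here is a parse error, so the handler could be narrowed to `catch (NumberFormatException e)` and report the rejected value in a debug or warning message. The parsed value is not range-checked in the visible lines. The method continues past the hunk, so a negative value may be handled there.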
--- a/src/java.base/share/classes/sun/security/ssl/StatusResponseManager.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.base/share/classes/sun/security/ssl/StatusResponseManager.java Tue Aug 14 22:39:34 2018 +0800 @@ -96,10 +96,10 @@ } defaultResponder = tmpURI; - respOverride = AccessController.doPrivileged( - new GetBooleanAction("jdk.tls.stapling.responderOverride")); - ignoreExtensions = AccessController.doPrivileged( - new GetBooleanAction("jdk.tls.stapling.ignoreExtensions")); + respOverride = GetBooleanAction + .privilegedGetProperty("jdk.tls.stapling.responderOverride"); + ignoreExtensions = GetBooleanAction + .privilegedGetProperty("jdk.tls.stapling.ignoreExtensions"); threadMgr = new ScheduledThreadPoolExecutor(DEFAULT_CORE_THREADS, new ThreadFactory() { diff -r c9150700bbd0 -r 3c389a284345 src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java --- a/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java Tue Aug 14 22:39:34 2018 +0800 @@ -482,8 +482,8 @@ // // If the System Property is not defined or the value is empty, the // default groups and preferences will be used. - String property = AccessController.doPrivileged( - new GetPropertyAction("jdk.tls.namedGroups")); + String property = GetPropertyAction + .privilegedGetProperty("jdk.tls.namedGroups"); if (property != null && property.length() != 0) { // remove double quote marks from beginning/end of the property if (property.length() > 1 && property.charAt(0) == '"' && diff -r c9150700bbd0 -r 3c389a284345 src/java.base/share/classes/sun/security/validator/PKIXValidator.java --- a/src/java.base/share/classes/sun/security/validator/PKIXValidator.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.base/share/classes/sun/security/validator/PKIXValidator.java Tue Aug 14 22:39:34 2018 +0800 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -57,9 +57,8 @@ * manager. Typically, this will only work if the PKIX implementation * supports CRL distribution points as we do not manually setup CertStores. */ - private static final boolean checkTLSRevocation = - AccessController.doPrivileged - (new GetBooleanAction("com.sun.net.ssl.checkRevocation")); + private static final boolean checkTLSRevocation = GetBooleanAction + .privilegedGetProperty("com.sun.net.ssl.checkRevocation"); private final Set trustedCerts; private final PKIXBuilderParameters parameterTemplate; diff -r c9150700bbd0 -r 3c389a284345 src/java.base/share/classes/sun/security/x509/AVA.java --- a/src/java.base/share/classes/sun/security/x509/AVA.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.base/share/classes/sun/security/x509/AVA.java Tue Aug 14 22:39:34 2018 +0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
@@ -64,9 +64,8 @@ // See CR 6391482: if enabled this flag preserves the old but incorrect // PrintableString encoding for DomainComponent. It may need to be set to // avoid breaking preexisting certificates generated with sun.security APIs. - private static final boolean PRESERVE_OLD_DC_ENCODING = - AccessController.doPrivileged(new GetBooleanAction - ("com.sun.security.preserveOldDCEncoding")); + private static final boolean PRESERVE_OLD_DC_ENCODING = GetBooleanAction + .privilegedGetProperty("com.sun.security.preserveOldDCEncoding"); /** * DEFAULT format allows both RFC1779 and RFC2253 syntax and diff -r c9150700bbd0 -r 3c389a284345 src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java --- a/src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java Tue Aug 14 22:39:34 2018 +0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -34,6 +34,8 @@ import sun.net.www.protocol.http.HttpCallerInfo; import sun.net.www.protocol.http.Negotiator; +import sun.security.action.GetBooleanAction; +import sun.security.action.GetPropertyAction; import sun.security.jgss.GSSManagerImpl; import sun.security.jgss.GSSContextImpl; import sun.security.jgss.GSSUtil; @@ -50,8 +52,7 @@ public class NegotiatorImpl extends Negotiator { private static final boolean DEBUG = - java.security.AccessController.doPrivileged( - new sun.security.action.GetBooleanAction("sun.security.krb5.debug")); + GetBooleanAction.privilegedGetProperty("sun.security.krb5.debug"); private GSSContext context; private byte[] oneToken; 
@@ -71,14 +72,8 @@ // we can only use Kerberos mech when the scheme is kerberos oid = GSSUtil.GSS_KRB5_MECH_OID; } else { - String pref = java.security.AccessController.doPrivileged( - new java.security.PrivilegedAction() { - public String run() { - return System.getProperty( - "http.auth.preference", - "spnego"); - } - }); + String pref = GetPropertyAction + .privilegedGetProperty("http.auth.preference", "spnego"); if (pref.equalsIgnoreCase("kerberos")) { oid = GSSUtil.GSS_KRB5_MECH_OID; } else { diff -r c9150700bbd0 -r 3c389a284345 src/java.security.jgss/share/classes/sun/security/jgss/GSSManagerImpl.java --- a/src/java.security.jgss/share/classes/sun/security/jgss/GSSManagerImpl.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.security.jgss/share/classes/sun/security/jgss/GSSManagerImpl.java Tue Aug 14 22:39:34 2018 +0800 @@ -26,10 +26,9 @@ package sun.security.jgss; import org.ietf.jgss.*; +import sun.security.action.GetBooleanAction; import sun.security.jgss.spi.*; import java.security.Provider; -import java.security.AccessController; -import java.security.PrivilegedAction; /** * This class provides the default implementation of the GSSManager @@ -38,20 +37,8 @@ public class GSSManagerImpl extends GSSManager { // Undocumented property - private static final String USE_NATIVE_PROP = - "sun.security.jgss.native"; - private static final Boolean USE_NATIVE; - - static { - USE_NATIVE = - AccessController.doPrivileged(new PrivilegedAction() { - public Boolean run() { - return Boolean.valueOf(System.getProperty - (USE_NATIVE_PROP)); - } - }); - - } + private static final Boolean USE_NATIVE = GetBooleanAction + .privilegedGetProperty("sun.security.jgss.native"); private ProviderList list; diff -r c9150700bbd0 -r 3c389a284345 src/java.security.jgss/share/classes/sun/security/jgss/GSSUtil.java --- a/src/java.security.jgss/share/classes/sun/security/jgss/GSSUtil.java Tue Aug 14 14:28:23 2018 +0200 
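Review bot: `USE_NATIVE` in GSSManagerImpl.java is still declared `Boolean`, but `GetBooleanAction.privilegedGetProperty` returns a primitive `boolean`, so the new initializer autoboxes for no benefit. Declaring it `private static final boolean USE_NATIVE = GetBooleanAction.privilegedGetProperty("sun.security.jgss.native");` would match the other flags converted in this changeset, such as `DEBUG` in NegotiatorImpl.java. The uses of the field lie outside the hunk, so confirm none of them depends on it being an object before changing the type.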
+++ b/src/java.security.jgss/share/classes/sun/security/jgss/GSSUtil.java Tue Aug 14 22:39:34 2018 +0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -68,15 +68,8 @@ public static final Oid NT_GSS_KRB5_PRINCIPAL = GSSUtil.createOid("1.2.840.113554.1.2.2.1"); - private static final String DEFAULT_HANDLER = - "auth.login.defaultCallbackHandler"; - - static final boolean DEBUG; - static { - DEBUG = (AccessController.doPrivileged - (new GetBooleanAction("sun.security.jgss.debug"))). - booleanValue(); - } + static final boolean DEBUG = + GetBooleanAction.privilegedGetProperty("sun.security.jgss.debug"); static void debug(String message) { if (DEBUG) { @@ -240,8 +233,8 @@ cb = new sun.net.www.protocol.http.spnego.NegotiateCallbackHandler( ((HttpCaller)caller).info()); } else { - String defaultHandler = - java.security.Security.getProperty(DEFAULT_HANDLER); + String defaultHandler = java.security.Security + .getProperty("auth.login.defaultCallbackHandler"); // get the default callback handler if ((defaultHandler != null) && (defaultHandler.length() != 0)) { cb = null; @@ -270,8 +263,8 @@ */ public static boolean useSubjectCredsOnly(GSSCaller caller) { - String propValue = GetPropertyAction.privilegedGetProperty( - "javax.security.auth.useSubjectCredsOnly"); + String propValue = GetPropertyAction + .privilegedGetProperty("javax.security.auth.useSubjectCredsOnly"); // Invalid values should be ignored and the default assumed. if (caller instanceof HttpCaller) { 
@@ -295,9 +288,8 @@ * Don't use GetBooleanAction because the default value in the JRE * (when this is unset) has to treated as true. */ - String propValue = AccessController.doPrivileged( - new GetPropertyAction("sun.security.spnego.msinterop", - "true")); + String propValue = GetPropertyAction + .privilegedGetProperty("sun.security.spnego.msinterop", "true"); /* * This property has to be explicitly set to "false". Invalid * values should be ignored and the default "true" assumed. diff -r c9150700bbd0 -r 3c389a284345 src/java.security.jgss/share/classes/sun/security/jgss/ProviderList.java --- a/src/java.security.jgss/share/classes/sun/security/jgss/ProviderList.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.security.jgss/share/classes/sun/security/jgss/ProviderList.java Tue Aug 14 22:39:34 2018 +0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2009, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,6 @@ import java.lang.reflect.InvocationTargetException; import org.ietf.jgss.*; -import java.security.AccessController; import java.security.Provider; import java.security.Security; import java.util.ArrayList; @@ -93,10 +92,6 @@ private static final String SPI_MECH_FACTORY_TYPE = "sun.security.jgss.spi.MechanismFactory"; - // Undocumented property? - private static final String DEFAULT_MECH_PROP = - "sun.security.jgss.mechanism"; - public static final Oid DEFAULT_MECH_OID; static { 
@@ -106,8 +101,8 @@ * with a valid OID value */ Oid defOid = null; - String defaultOidStr = AccessController.doPrivileged - (new GetPropertyAction(DEFAULT_MECH_PROP)); + String defaultOidStr = GetPropertyAction + .privilegedGetProperty("sun.security.jgss.mechanism"); if (defaultOidStr != null) { defOid = GSSUtil.createOid(defaultOidStr); } diff -r c9150700bbd0 -r 3c389a284345 src/java.security.jgss/share/classes/sun/security/jgss/krb5/AcceptSecContextToken.java --- a/src/java.security.jgss/share/classes/sun/security/jgss/krb5/AcceptSecContextToken.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.security.jgss/share/classes/sun/security/jgss/krb5/AcceptSecContextToken.java Tue Aug 14 22:39:34 2018 +0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,6 @@ import org.ietf.jgss.*; import java.io.InputStream; import java.io.IOException; -import java.security.AccessController; import sun.security.action.GetBooleanAction; import sun.security.krb5.*; @@ -45,8 +44,8 @@ KrbApReq apReq) throws KrbException, IOException, GSSException { - boolean useSubkey = AccessController.doPrivileged( - new GetBooleanAction("sun.security.krb5.acceptor.subkey")); + boolean useSubkey = GetBooleanAction + .privilegedGetProperty("sun.security.krb5.acceptor.subkey"); boolean useSequenceNumber = true; diff -r c9150700bbd0 -r 3c389a284345 src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Util.java --- a/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Util.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Util.java Tue Aug 14 22:39:34 2018 +0800 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,12 +26,13 @@ package sun.security.jgss.krb5; import javax.security.auth.kerberos.KerberosTicket; -import javax.security.auth.kerberos.KerberosKey; import javax.security.auth.kerberos.KerberosPrincipal; import javax.security.auth.kerberos.KeyTab; import javax.security.auth.Subject; import javax.security.auth.login.LoginException; import java.security.AccessControlContext; + +import sun.security.action.GetBooleanAction; import sun.security.jgss.GSSUtil; import sun.security.jgss.GSSCaller; @@ -39,20 +40,16 @@ import sun.security.krb5.EncryptionKey; import sun.security.krb5.KrbException; import java.io.IOException; -import java.util.ArrayList; -import java.util.List; import sun.security.krb5.KerberosSecrets; import sun.security.krb5.PrincipalName; + /** * Utilities for obtaining and converting Kerberos tickets. - * */ public class Krb5Util { - static final boolean DEBUG = - java.security.AccessController.doPrivileged( - new sun.security.action.GetBooleanAction - ("sun.security.krb5.debug")).booleanValue(); + static final boolean DEBUG = GetBooleanAction + .privilegedGetProperty("sun.security.krb5.debug"); /** * Default constructor diff -r c9150700bbd0 -r 3c389a284345 src/java.security.jgss/share/classes/sun/security/jgss/spnego/SpNegoContext.java --- a/src/java.security.jgss/share/classes/sun/security/jgss/spnego/SpNegoContext.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.security.jgss/share/classes/sun/security/jgss/spnego/SpNegoContext.java Tue Aug 14 22:39:34 2018 +0800 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,6 +28,7 @@ import java.io.*; import java.security.Provider; import org.ietf.jgss.*; +import sun.security.action.GetBooleanAction; import sun.security.jgss.*; import sun.security.jgss.spi.*; import sun.security.util.*; @@ -81,10 +82,8 @@ final private SpNegoMechFactory factory; // debug property - static final boolean DEBUG = - java.security.AccessController.doPrivileged( - new sun.security.action.GetBooleanAction - ("sun.security.spnego.debug")).booleanValue(); + static final boolean DEBUG = GetBooleanAction + .privilegedGetProperty("sun.security.spnego.debug"); /** * Constructor for SpNegoContext to be called on the context initiator's diff -r c9150700bbd0 -r 3c389a284345 src/java.security.jgss/share/classes/sun/security/jgss/wrapper/SunNativeProvider.java --- a/src/java.security.jgss/share/classes/sun/security/jgss/wrapper/SunNativeProvider.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.security.jgss/share/classes/sun/security/jgss/wrapper/SunNativeProvider.java Tue Aug 14 22:39:34 2018 +0800 @@ -51,8 +51,6 @@ private static final String INFO = "Sun Native GSS provider"; private static final String MF_CLASS = "sun.security.jgss.wrapper.NativeGSSFactory"; - private static final String LIB_PROP = "sun.security.jgss.lib"; - private static final String DEBUG_PROP = "sun.security.nativegss.debug"; private static final HashMap MECH_MAP; static final Provider INSTANCE; static boolean DEBUG; 
@@ -70,8 +68,8 @@ AccessController.doPrivileged( new PrivilegedAction>() { public HashMap run() { - DEBUG = Boolean.parseBoolean - (System.getProperty(DEBUG_PROP)); + DEBUG = Boolean.parseBoolean( + System.getProperty("sun.security.nativegss.debug")); try { System.loadLibrary("j2gss"); } catch (Error err) { @@ -80,7 +78,8 @@ return null; } String[] gssLibs = new String[0]; - String defaultLib = System.getProperty(LIB_PROP); + String defaultLib + = System.getProperty("sun.security.jgss.lib"); if (defaultLib == null || defaultLib.trim().equals("")) { String osname = System.getProperty("os.name"); if (osname.startsWith("SunOS")) { diff -r c9150700bbd0 -r 3c389a284345 src/java.security.jgss/share/classes/sun/security/krb5/Config.java --- a/src/java.security.jgss/share/classes/sun/security/krb5/Config.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.security.jgss/share/classes/sun/security/krb5/Config.java Tue Aug 14 22:39:34 2018 +0800 @@ -45,6 +45,7 @@ import java.util.regex.Pattern; import sun.net.dns.ResolverConfiguration; +import sun.security.action.GetPropertyAction; import sun.security.krb5.internal.crypto.EType; import sun.security.krb5.internal.Krb5; @@ -122,12 +123,12 @@ private static boolean isMacosLionOrBetter() { // split the "10.x.y" version number - String osname = getProperty("os.name"); + String osname = GetPropertyAction.privilegedGetProperty("os.name"); if (!osname.contains("OS X")) { return false; } - String osVersion = getProperty("os.version"); + String osVersion = GetPropertyAction.privilegedGetProperty("os.version"); String[] fragments = osVersion.split("\\."); // sanity check the "10." part of the version 
@@ -152,14 +153,16 @@ /* * If either one system property is specified, we throw exception. */ - String tmp = getProperty("java.security.krb5.kdc"); + String tmp = GetPropertyAction + .privilegedGetProperty("java.security.krb5.kdc"); if (tmp != null) { // The user can specify a list of kdc hosts separated by ":" defaultKDC = tmp.replace(':', ' '); } else { defaultKDC = null; } - defaultRealm = getProperty("java.security.krb5.realm"); + defaultRealm = GetPropertyAction + .privilegedGetProperty("java.security.krb5.realm"); if ((defaultKDC == null && defaultRealm != null) || (defaultRealm == null && defaultKDC != null)) { throw new KrbException @@ -818,11 +821,12 @@ * The method returns null if it cannot find a Java config file. */ private String getJavaFileName() { - String name = getProperty("java.security.krb5.conf"); + String name = GetPropertyAction + .privilegedGetProperty("java.security.krb5.conf"); if (name == null) { - name = getProperty("java.home") + File.separator + - "conf" + File.separator + "security" + - File.separator + "krb5.conf"; + name = GetPropertyAction.privilegedGetProperty("java.home") + + File.separator + "conf" + File.separator + "security" + + File.separator + "krb5.conf"; if (!fileExists(name)) { name = null; } @@ -852,7 +856,7 @@ */ private String getNativeFileName() { String name = null; - String osname = getProperty("os.name"); + String osname = GetPropertyAction.privilegedGetProperty("os.name"); if (osname.startsWith("Windows")) { try { Credentials.ensureLoaded(); 
@@ -899,13 +903,8 @@ return name; } - private static String getProperty(String property) { - return java.security.AccessController.doPrivileged( - new sun.security.action.GetPropertyAction(property)); - } - private String findMacosConfigFile() { - String userHome = getProperty("user.home"); + String userHome = GetPropertyAction.privilegedGetProperty("user.home"); final String PREF_FILE = "/Library/Preferences/edu.mit.Kerberos"; String userPrefs = userHome + PREF_FILE; diff -r c9150700bbd0 -r 3c389a284345 src/java.security.jgss/share/classes/sun/security/krb5/Credentials.java --- a/src/java.security.jgss/share/classes/sun/security/krb5/Credentials.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.security.jgss/share/classes/sun/security/krb5/Credentials.java Tue Aug 14 22:39:34 2018 +0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -31,6 +31,7 @@ package sun.security.krb5; +import sun.security.action.GetPropertyAction; import sun.security.krb5.internal.*; import sun.security.krb5.internal.ccache.CredentialsCache; import sun.security.krb5.internal.crypto.EType; @@ -288,8 +289,7 @@ if (ticketCache == null) { // The default ticket cache on Windows and Mac is not a file. - String os = java.security.AccessController.doPrivileged( - new sun.security.action.GetPropertyAction("os.name")); + String os = GetPropertyAction.privilegedGetProperty("os.name"); if (os.toUpperCase(Locale.ENGLISH).startsWith("WINDOWS") || os.toUpperCase(Locale.ENGLISH).contains("OS X")) { Credentials creds = acquireDefaultCreds(); diff -r c9150700bbd0 -r 3c389a284345 src/java.security.jgss/share/classes/sun/security/krb5/KdcComm.java 
--- a/src/java.security.jgss/share/classes/sun/security/krb5/KdcComm.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.security.jgss/share/classes/sun/security/krb5/KdcComm.java Tue Aug 14 22:39:34 2018 +0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -74,8 +74,6 @@ private static final boolean DEBUG = Krb5.DEBUG; - private static final String BAD_POLICY_KEY = "krb5.kdc.bad.policy"; - /** * What to do when a KDC is unavailable, specified in the * java.security file with key krb5.kdc.bad.policy. @@ -100,7 +98,7 @@ String value = AccessController.doPrivileged( new PrivilegedAction() { public String run() { - return Security.getProperty(BAD_POLICY_KEY); + return Security.getProperty("krb5.kdc.bad.policy"); } }); if (value != null) { @@ -120,7 +118,7 @@ // Ignored. Please note that tryLess is recognized and // used, parameters using default values if (DEBUG) { - System.out.println("Invalid " + BAD_POLICY_KEY + + System.out.println("Invalid krb5.kdc.bad.policy" + " parameter for tryLess: " + value + ", use default"); } diff -r c9150700bbd0 -r 3c389a284345 src/java.security.jgss/share/classes/sun/security/krb5/Realm.java --- a/src/java.security.jgss/share/classes/sun/security/krb5/Realm.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.security.jgss/share/classes/sun/security/krb5/Realm.java Tue Aug 14 22:39:34 2018 +0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
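Review bot: Dropping `BAD_POLICY_KEY` in KdcComm.java leaves the key `krb5.kdc.bad.policy` spelled out twice, once in `Security.getProperty("krb5.kdc.bad.policy")` and once inside the debug message literal `"Invalid krb5.kdc.bad.policy"`, so the lookup and the diagnostic can drift apart if the key is ever renamed. This is a style point: keeping the single constant `private static final String BAD_POLICY_KEY = "krb5.kdc.bad.policy";` for both uses avoids that. The lookup also stays inside an explicit `doPrivileged`, presumably because it reads a Security property rather than a system property. A one-line comment such as `// Security property, not a system property: GetPropertyAction does not apply` would explain why this call site was not converted like the others.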
@@ -31,6 +31,7 @@ package sun.security.krb5; +import sun.security.action.GetBooleanAction; import sun.security.krb5.internal.Krb5; import sun.security.util.*; import java.io.IOException; @@ -47,10 +48,8 @@ */ public class Realm implements Cloneable { - public static final boolean AUTODEDUCEREALM = - java.security.AccessController.doPrivileged( - new sun.security.action.GetBooleanAction( - "sun.security.krb5.autodeducerealm")); + public static final boolean AUTODEDUCEREALM = GetBooleanAction + .privilegedGetProperty("sun.security.krb5.autodeducerealm"); private final String realm; // not null nor empty diff -r c9150700bbd0 -r 3c389a284345 src/java.security.jgss/share/classes/sun/security/krb5/internal/Krb5.java --- a/src/java.security.jgss/share/classes/sun/security/krb5/internal/Krb5.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.security.jgss/share/classes/sun/security/krb5/internal/Krb5.java Tue Aug 14 22:39:34 2018 +0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -31,6 +31,8 @@ package sun.security.krb5.internal; +import sun.security.action.GetBooleanAction; + import java.util.Hashtable; // Constants and other defined values from RFC 4120 @@ -303,9 +305,9 @@ } - public static final boolean DEBUG = - java.security.AccessController.doPrivileged( - new sun.security.action.GetBooleanAction("sun.security.krb5.debug")); + public static final boolean DEBUG = GetBooleanAction + .privilegedGetProperty("sun.security.krb5.debug"); + public static final sun.security.util.HexDumpEncoder hexDumper = new sun.security.util.HexDumpEncoder(); diff -r c9150700bbd0 -r 3c389a284345 src/java.security.jgss/share/classes/sun/security/krb5/internal/ReplayCache.java 
--- a/src/java.security.jgss/share/classes/sun/security/krb5/internal/ReplayCache.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.security.jgss/share/classes/sun/security/krb5/internal/ReplayCache.java Tue Aug 14 22:39:34 2018 +0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -30,8 +30,6 @@ import sun.security.krb5.internal.rcache.MemoryCache; import sun.security.krb5.internal.rcache.DflCache; -import java.security.AccessController; - /** * Models the replay cache of an acceptor as described in * RFC 4120 3.2.3. @@ -56,8 +54,8 @@ } } public static ReplayCache getInstance() { - String type = AccessController.doPrivileged( - new GetPropertyAction("sun.security.krb5.rcache")); + String type = GetPropertyAction + .privilegedGetProperty("sun.security.krb5.rcache"); return getInstance(type); } diff -r c9150700bbd0 -r 3c389a284345 src/java.security.jgss/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java --- a/src/java.security.jgss/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.security.jgss/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java Tue Aug 14 22:39:34 2018 +0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
@@ -33,6 +33,7 @@ */ package sun.security.krb5.internal.ccache; +import sun.security.action.GetPropertyAction; import sun.security.krb5.*; import sun.security.krb5.internal.*; import java.util.StringTokenizer; @@ -381,9 +382,7 @@ } // get cache name from system.property - String osname = - java.security.AccessController.doPrivileged( - new sun.security.action.GetPropertyAction("os.name")); + String osname = GetPropertyAction.privilegedGetProperty("os.name"); /* * For Unix platforms we use the default cache name to be @@ -417,18 +416,12 @@ // we did not get the uid; - String user_name = - java.security.AccessController.doPrivileged( - new sun.security.action.GetPropertyAction("user.name")); + String user_name = GetPropertyAction.privilegedGetProperty("user.name"); - String user_home = - java.security.AccessController.doPrivileged( - new sun.security.action.GetPropertyAction("user.home")); + String user_home = GetPropertyAction.privilegedGetProperty("user.home"); if (user_home == null) { - user_home = - java.security.AccessController.doPrivileged( - new sun.security.action.GetPropertyAction("user.dir")); + user_home = GetPropertyAction.privilegedGetProperty("user.dir"); } if (user_name != null) { diff -r c9150700bbd0 -r 3c389a284345 src/java.security.jgss/share/classes/sun/security/krb5/internal/crypto/Des.java --- a/src/java.security.jgss/share/classes/sun/security/krb5/internal/crypto/Des.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.security.jgss/share/classes/sun/security/krb5/internal/crypto/Des.java Tue Aug 14 22:39:34 2018 +0800 
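Review bot: The fallback from `user.home` to `user.dir` in the hunk at -417 has no comment explaining why the working directory is an acceptable base for the credential cache, and nothing visible checks that the second read returned a value. The same pair of reads appears in the KeyTab.java hunk at -203, where the result goes straight into `kname = user_home + File.separator + "krb5.keytab"`; if both properties were unset, that concatenation would yield a path beginning with the text `null`. I would add a comment such as `// user.home unset: fall back to user.dir (the process working directory)` and handle a still-null result explicitly, since a cache or keytab resolved relative to the working directory may land somewhere less protected than the home directory. Both enclosing methods start and end outside their hunks, so how `user_home` is used afterwards in FileCredentialsCache is not visible here.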
@@ -53,9 +53,8 @@ // string-to-key encoding. When set, the specified charset // name is used. Otherwise, the system default charset. - private final static String CHARSET = - java.security.AccessController.doPrivileged( - new GetPropertyAction("sun.security.krb5.msinterop.des.s2kcharset")); + private final static String CHARSET = GetPropertyAction + .privilegedGetProperty("sun.security.krb5.msinterop.des.s2kcharset"); private static final long[] bad_keys = { 0x0101010101010101L, 0xfefefefefefefefeL, diff -r c9150700bbd0 -r 3c389a284345 src/java.security.jgss/share/classes/sun/security/krb5/internal/ktab/KeyTab.java --- a/src/java.security.jgss/share/classes/sun/security/krb5/internal/ktab/KeyTab.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.security.jgss/share/classes/sun/security/krb5/internal/ktab/KeyTab.java Tue Aug 14 22:39:34 2018 +0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -31,6 +31,7 @@ package sun.security.krb5.internal.ktab; +import sun.security.action.GetPropertyAction; import sun.security.krb5.*; import sun.security.krb5.internal.*; import sun.security.krb5.internal.crypto.*; 
@@ -203,14 +204,12 @@ } if (kname == null) { - String user_home = - java.security.AccessController.doPrivileged( - new sun.security.action.GetPropertyAction("user.home")); + String user_home = GetPropertyAction + .privilegedGetProperty("user.home"); if (user_home == null) { - user_home = - java.security.AccessController.doPrivileged( - new sun.security.action.GetPropertyAction("user.dir")); + user_home = GetPropertyAction + .privilegedGetProperty("user.dir"); } kname = user_home + File.separator + "krb5.keytab"; diff -r c9150700bbd0 -r 3c389a284345 src/java.security.jgss/share/classes/sun/security/krb5/internal/rcache/AuthTimeWithHash.java --- a/src/java.security.jgss/share/classes/sun/security/krb5/internal/rcache/AuthTimeWithHash.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.security.jgss/share/classes/sun/security/krb5/internal/rcache/AuthTimeWithHash.java Tue Aug 14 22:39:34 2018 +0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,7 +25,7 @@ package sun.security.krb5.internal.rcache; -import sun.security.action.GetPropertyAction; +import sun.security.action.GetBooleanAction; import java.util.Objects; @@ -40,8 +40,7 @@ public static final String DEFAULT_HASH_ALG; static { - if (GetPropertyAction.privilegedGetProperty( - "jdk.krb5.rcache.useMD5", "false").equals("true")) { + if (GetBooleanAction.privilegedGetProperty("jdk.krb5.rcache.useMD5")) { DEFAULT_HASH_ALG = "HASH"; } else { DEFAULT_HASH_ALG = "SHA256"; diff -r c9150700bbd0 -r 3c389a284345 src/java.security.jgss/share/classes/sun/security/krb5/internal/rcache/DflCache.java --- a/src/java.security.jgss/share/classes/sun/security/krb5/internal/rcache/DflCache.java Tue Aug 14 14:28:23 2018 +0200 
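Review bot: The AuthTimeWithHash.java hunk at -40 is not a pure refactoring, because the old test `privilegedGetProperty("jdk.krb5.rcache.useMD5", "false").equals("true")` matched only the exact lowercase string, while `GetBooleanAction.privilegedGetProperty` delegates to `Boolean.getBoolean`, which compares case-insensitively. Values such as `TRUE` or `True` therefore now select the `"HASH"` branch (presumably the MD5 one, going by the property name) instead of `"SHA256"`. Since this flag picks the weaker replay-cache hash, the wider match should be stated at the call site, for example `// any capitalisation of "true" selects the legacy hash (Boolean.getBoolean semantics)`, and called out in the change description. The static initializer continues outside the hunk.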
+++ b/src/java.security.jgss/share/classes/sun/security/krb5/internal/rcache/DflCache.java Tue Aug 14 22:39:34 2018 +0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -36,7 +36,6 @@ import java.nio.file.StandardCopyOption; import java.nio.file.StandardOpenOption; import java.nio.file.attribute.PosixFilePermission; -import java.security.AccessController; import java.util.*; import sun.security.action.GetPropertyAction; @@ -117,8 +116,7 @@ } private static String defaultPath() { - return AccessController.doPrivileged( - new GetPropertyAction("java.io.tmpdir")); + return GetPropertyAction.privilegedGetProperty("java.io.tmpdir"); } private static String defaultFile(String server) { diff -r c9150700bbd0 -r 3c389a284345 src/java.security.jgss/share/classes/sun/security/krb5/internal/util/KerberosString.java --- a/src/java.security.jgss/share/classes/sun/security/krb5/internal/util/KerberosString.java Tue Aug 14 14:28:23 2018 +0200 +++ b/src/java.security.jgss/share/classes/sun/security/krb5/internal/util/KerberosString.java Tue Aug 14 22:39:34 2018 +0800 @@ -55,8 +55,8 @@ public static final boolean MSNAME; static { - String prop = GetPropertyAction.privilegedGetProperty( - "sun.security.krb5.msinterop.kstring", "true"); + String prop = GetPropertyAction + .privilegedGetProperty("sun.security.krb5.msinterop.kstring", "true"); MSNAME = Boolean.parseBoolean(prop); }