8008908: Access denied when invoking Subject.doAsPrivileged()
authormullan
Fri, 01 Mar 2013 16:12:50 -0500
changeset 16046 c65f0f54851c
parent 16043 0c9424895efb
child 16047 d9d63a853848
8008908: Access denied when invoking Subject.doAsPrivileged() Summary: wildcard principal names are not processed correctly Reviewed-by: xuelei
jdk/src/share/classes/sun/security/provider/PolicyFile.java
jdk/test/sun/security/provider/PolicyFile/WildcardPrincipalName.java
jdk/test/sun/security/provider/PolicyFile/wildcard.policy
--- a/jdk/src/share/classes/sun/security/provider/PolicyFile.java	Thu Feb 28 12:39:29 2013 +0000
+++ b/jdk/src/share/classes/sun/security/provider/PolicyFile.java	Fri Mar 01 16:12:50 2013 -0500
@@ -1336,10 +1336,9 @@
 
             if (pppe.isWildcardName()) {
                 // a wildcard name matches any principal with the same class
-                for (Principal p : principals) {
-                    if (pppe.principalClass.equals(p.getClass().getName())) {
-                        continue;
-                    }
+                if (wildcardPrincipalNameImplies(pppe.principalClass,
+                                                 principals)) {
+                    continue;
                 }
                 if (debug != null) {
                     debug.println("evaluation (principal name wildcard) failed");
@@ -1414,6 +1413,21 @@
         addPerms(perms, principals, entry);
     }
 
+    /**
+     * Returns true if the array of principals contains at least one
+     * principal of the specified class.
+     */
+    private static boolean wildcardPrincipalNameImplies(String principalClass,
+                                                        Principal[] principals)
+    {
+        for (Principal p : principals) {
+            if (principalClass.equals(p.getClass().getName())) {
+                return true;
+            }
+        }
+        return false;
+    }
+
     private void addPerms(Permissions perms,
                         Principal[] accPs,
                         PolicyEntry entry) {
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/provider/PolicyFile/WildcardPrincipalName.java	Fri Mar 01 16:12:50 2013 -0500
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8008908
+ * @summary wildcard principal names are not processed correctly
+ * @run main/othervm/policy=wildcard.policy WildcardPrincipalName
+ */
+
+import java.security.AccessController;
+import java.security.Permission;
+import java.security.Principal;
+import java.security.PrivilegedAction;
+import java.util.HashSet;
+import java.util.PropertyPermission;
+import java.util.Set;
+import javax.security.auth.Subject;
+import javax.security.auth.x500.X500Principal;
+
+public class WildcardPrincipalName {
+
+    public static void main(String[] args) throws Exception {
+
+        X500Principal duke = new X500Principal("CN=Duke");
+        PropertyPermission pp = new PropertyPermission("user.home", "read");
+        RunAsPrivilegedUserAction runAsPrivilegedUserAction
+            = new RunAsPrivilegedUserAction(duke,
+                                            new CheckPermissionAction(pp));
+        AccessController.doPrivileged(runAsPrivilegedUserAction);
+        System.out.println("test PASSED");
+    }
+
+    private static class RunAsPrivilegedUserAction
+        implements PrivilegedAction<Void> {
+        private final PrivilegedAction<Void> action;
+        private final Principal principal;
+
+        RunAsPrivilegedUserAction(Principal principal,
+                                  PrivilegedAction<Void> action) {
+            this.principal = principal;
+            this.action = action;
+        }
+
+        @Override public Void run() {
+            Set<Principal> principals = new HashSet<>();
+            Set<Object> publicCredentials = new HashSet<>();
+            Set<Object> privateCredentials = new HashSet<>();
+
+            principals.add(principal);
+            Subject subject = new Subject(true,
+                                          principals,
+                                          publicCredentials,
+                                          privateCredentials);
+
+            Subject.doAsPrivileged(subject, action, null);
+            return null;
+        }
+    }
+
+    private static class CheckPermissionAction
+        implements PrivilegedAction<Void> {
+        private final Permission permission;
+
+        CheckPermissionAction(Permission permission) {
+            this.permission = permission;
+        }
+
+        @Override public Void run() {
+            AccessController.checkPermission(permission);
+            return null;
+        }
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/provider/PolicyFile/wildcard.policy	Fri Mar 01 16:12:50 2013 -0500
@@ -0,0 +1,7 @@
+grant principal javax.security.auth.x500.X500Principal * {
+  permission java.util.PropertyPermission "user.home", "read";
+};
+
+grant {
+  permission javax.security.auth.AuthPermission "doAsPrivileged";
+};