8030655: Regression: 14_01 Security fix 8024306 causes test failures
Reviewed-by: mullan, xuelei, ahgross
--- a/jdk/src/share/classes/javax/security/auth/Subject.java Mon Nov 25 15:00:36 2013 +0800
+++ b/jdk/src/share/classes/javax/security/auth/Subject.java Wed Jan 15 11:23:07 2014 +0800
@@ -959,14 +959,30 @@
/**
* Reads this object from a stream (i.e., deserializes it)
*/
+ @SuppressWarnings("unchecked")
private void readObject(java.io.ObjectInputStream s)
throws java.io.IOException, ClassNotFoundException {
- s.defaultReadObject();
+ ObjectInputStream.GetField gf = s.readFields();
+
+ readOnly = gf.get("readOnly", false);
+
+ Set<Principal> inputPrincs = (Set<Principal>)gf.get("principals", null);
// Rewrap the principals into a SecureSet
- principals = Collections.synchronizedSet(new SecureSet<Principal>
- (this, PRINCIPAL_SET, principals));
+ if (inputPrincs == null) {
+ throw new NullPointerException
+ (ResourcesMgr.getString("invalid.null.input.s."));
+ }
+ try {
+ principals = Collections.synchronizedSet(new SecureSet<Principal>
+ (this, PRINCIPAL_SET, inputPrincs));
+ } catch (NullPointerException npe) {
+ // Sometimes people deserialize the principals set only.
+ // Subject is not accessible, so just don't fail.
+ principals = Collections.synchronizedSet
+ (new SecureSet<Principal>(this, PRINCIPAL_SET));
+ }
// The Credential {@code Set} is not serialized, but we do not
// want the default deserialization routine to set it to null.
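Review bot: The `catch (NullPointerException npe)` around the `SecureSet` construction treats every NPE from that constructor the same way, so any other null-related failure while wrapping `inputPrincs` (the constructor body is not visible here) would also silently produce a Subject with an empty principal set rather than a deserialization error. Because `readObject` may be fed untrusted bytes, the comment should name the exact condition being tolerated, e.g. `// NPE here means the wrapped set is not yet populated (principals set deserialized on its own); fall back to an empty set`, and the code would be safer testing for that condition than catching NPE. Separately, the cast `(Set<Principal>)gf.get("principals", null)` accepts any `Set` from the stream without checking that its elements are `Principal`s, and a non-`Set` value surfaces as a `ClassCastException` rather than a `java.io.InvalidObjectException`. `@SuppressWarnings("unchecked")` would be narrower on the `inputPrincs` declaration than on the whole method. `readObject` continues past the end of this hunk.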