8021191: Add isAuthorized check to limited doPrivileged methods
Reviewed-by: weijun, xuelei
--- a/jdk/src/share/classes/java/security/AccessControlContext.java Mon Oct 14 14:28:50 2013 +0200
+++ b/jdk/src/share/classes/java/security/AccessControlContext.java Tue Oct 22 08:03:16 2013 -0400
@@ -350,6 +350,10 @@
return combiner;
}
+ boolean isAuthorized() {
+ return isAuthorized;
+ }
+
/**
* Determines whether the access request indicated by the
* specified permission should be allowed or denied, based on
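Review bot: The new package-private `isAuthorized()` accessor at the top of the hunk carries no comment, although every neighbouring member is documented and this flag now gates the permission check in AccessController.createWrapper. Suggest a one-line Javadoc such as `/** Whether this context's creator was permitted to create it; if false, a non-system caller lacking "createAccessControlContext" is given no permissions. */`. The `isAuthorized` field and its initialisation are outside this hunk, so confirm that wording against where the field is assigned before adopting it.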
--- a/jdk/src/share/classes/java/security/AccessController.java Mon Oct 14 14:28:50 2013 +0200
+++ b/jdk/src/share/classes/java/security/AccessController.java Tue Oct 22 08:03:16 2013 -0400
@@ -344,9 +344,10 @@
* If the action's {@code run} method throws an (unchecked) exception,
* it will propagate through this method.
* <p>
- * If a security manager is installed and the {@code AccessControlContext}
- * was not created by system code and the caller's {@code ProtectionDomain}
- * has not been granted the {@literal "createAccessControlContext"}
+ * If a security manager is installed and the specified
+ * {@code AccessControlContext} was not created by system code and the
+ * caller's {@code ProtectionDomain} has not been granted the
+ * {@literal "createAccessControlContext"}
* {@link java.security.SecurityPermission}, then the action is performed
* with no permissions.
*
@@ -384,6 +385,13 @@
* <p>
* If the action's {@code run} method throws an (unchecked) exception,
* it will propagate through this method.
+ * <p>
+ * If a security manager is installed and the specified
+ * {@code AccessControlContext} was not created by system code and the
+ * caller's {@code ProtectionDomain} has not been granted the
+ * {@literal "createAccessControlContext"}
+ * {@link java.security.SecurityPermission}, then the action is performed
+ * with no permissions.
*
* @param <T> the type of the value returned by the PrivilegedAction's
* {@code run} method.
@@ -438,6 +446,13 @@
*
* <p> This method preserves the current AccessControlContext's
* DomainCombiner (which may be null) while the action is performed.
+ * <p>
+ * If a security manager is installed and the specified
+ * {@code AccessControlContext} was not created by system code and the
+ * caller's {@code ProtectionDomain} has not been granted the
+ * {@literal "createAccessControlContext"}
+ * {@link java.security.SecurityPermission}, then the action is performed
+ * with no permissions.
*
* @param <T> the type of the value returned by the PrivilegedAction's
* {@code run} method.
@@ -571,8 +586,18 @@
AccessControlContext parent, AccessControlContext context,
Permission[] perms)
{
- return new AccessControlContext(getCallerPD(caller), combiner, parent,
- context, perms);
+ ProtectionDomain callerPD = getCallerPD(caller);
+ // check if caller is authorized to create context
+ if (context != null && !context.isAuthorized() &&
+ System.getSecurityManager() != null &&
+ !callerPD.impliesCreateAccessControlContext())
+ {
+ ProtectionDomain nullPD = new ProtectionDomain(null, null);
+ return new AccessControlContext(new ProtectionDomain[] { nullPD });
+ } else {
+ return new AccessControlContext(callerPD, combiner, parent,
+ context, perms);
+ }
}
private static ProtectionDomain getCallerPD(final Class <?> caller) {
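Review bot: In the unauthorized branch of createWrapper the `combiner`, `parent` and `perms` arguments are discarded and a context holding a single `new ProtectionDomain(null, null)` is returned, but the only comment says the check happens, not what the outcome is, so a later reader may mistake the dropped arguments for a bug. Suggest replacing `// check if caller is authorized to create context` with `// caller is not system code and lacks "createAccessControlContext": discard combiner, parent and perms and run the action with no permissions (see doPrivileged javadoc)`. The new condition also dereferences `callerPD` unconditionally, whereas the old code merely passed it through; `getCallerPD` is defined just below the hunk, so it is worth confirming it can never return null. The method's signature begins before the hunk.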
@@ -597,9 +622,10 @@
* If the action's {@code run} method throws an <i>unchecked</i>
* exception, it will propagate through this method.
* <p>
- * If a security manager is installed and the {@code AccessControlContext}
- * was not created by system code and the caller's {@code ProtectionDomain}
- * has not been granted the {@literal "createAccessControlContext"}
+ * If a security manager is installed and the specified
+ * {@code AccessControlContext} was not created by system code and the
+ * caller's {@code ProtectionDomain} has not been granted the
+ * {@literal "createAccessControlContext"}
* {@link java.security.SecurityPermission}, then the action is performed
* with no permissions.
*
@@ -641,6 +667,13 @@
* <p>
* If the action's {@code run} method throws an (unchecked) exception,
* it will propagate through this method.
+ * <p>
+ * If a security manager is installed and the specified
+ * {@code AccessControlContext} was not created by system code and the
+ * caller's {@code ProtectionDomain} has not been granted the
+ * {@literal "createAccessControlContext"}
+ * {@link java.security.SecurityPermission}, then the action is performed
+ * with no permissions.
*
* @param <T> the type of the value returned by the
* PrivilegedExceptionAction's {@code run} method.
@@ -697,6 +730,13 @@
*
* <p> This method preserves the current AccessControlContext's
* DomainCombiner (which may be null) while the action is performed.
+ * <p>
+ * If a security manager is installed and the specified
+ * {@code AccessControlContext} was not created by system code and the
+ * caller's {@code ProtectionDomain} has not been granted the
+ * {@literal "createAccessControlContext"}
+ * {@link java.security.SecurityPermission}, then the action is performed
+ * with no permissions.
*
* @param <T> the type of the value returned by the
* PrivilegedExceptionAction's {@code run} method.