8021191: Add isAuthorized check to limited doPrivileged methods
authormullan
Tue, 22 Oct 2013 08:03:16 -0400
changeset 21321 923ca53e6572
parent 20784 c0864e216d36
child 21322 10b9b204a16a
8021191: Add isAuthorized check to limited doPrivileged methods Reviewed-by: weijun, xuelei
jdk/src/share/classes/java/security/AccessControlContext.java
jdk/src/share/classes/java/security/AccessController.java
--- a/jdk/src/share/classes/java/security/AccessControlContext.java	Mon Oct 14 14:28:50 2013 +0200
+++ b/jdk/src/share/classes/java/security/AccessControlContext.java	Tue Oct 22 08:03:16 2013 -0400
@@ -350,6 +350,10 @@
         return combiner;
     }
 
+    boolean isAuthorized() {
+        return isAuthorized;
+    }
+
     /**
      * Determines whether the access request indicated by the
      * specified permission should be allowed or denied, based on
--- a/jdk/src/share/classes/java/security/AccessController.java	Mon Oct 14 14:28:50 2013 +0200
+++ b/jdk/src/share/classes/java/security/AccessController.java	Tue Oct 22 08:03:16 2013 -0400
@@ -344,9 +344,10 @@
      * If the action's {@code run} method throws an (unchecked) exception,
      * it will propagate through this method.
      * <p>
-     * If a security manager is installed and the {@code AccessControlContext}
-     * was not created by system code and the caller's {@code ProtectionDomain}
-     * has not been granted the {@literal "createAccessControlContext"}
+     * If a security manager is installed and the specified
+     * {@code AccessControlContext} was not created by system code and the
+     * caller's {@code ProtectionDomain} has not been granted the
+     * {@literal "createAccessControlContext"}
      * {@link java.security.SecurityPermission}, then the action is performed
      * with no permissions.
      *
@@ -384,6 +385,13 @@
      * <p>
      * If the action's {@code run} method throws an (unchecked) exception,
      * it will propagate through this method.
+     * <p>
+     * If a security manager is installed and the specified
+     * {@code AccessControlContext} was not created by system code and the
+     * caller's {@code ProtectionDomain} has not been granted the
+     * {@literal "createAccessControlContext"}
+     * {@link java.security.SecurityPermission}, then the action is performed
+     * with no permissions.
      *
      * @param <T> the type of the value returned by the PrivilegedAction's
      *                  {@code run} method.
@@ -438,6 +446,13 @@
      *
      * <p> This method preserves the current AccessControlContext's
      * DomainCombiner (which may be null) while the action is performed.
+     * <p>
+     * If a security manager is installed and the specified
+     * {@code AccessControlContext} was not created by system code and the
+     * caller's {@code ProtectionDomain} has not been granted the
+     * {@literal "createAccessControlContext"}
+     * {@link java.security.SecurityPermission}, then the action is performed
+     * with no permissions.
      *
      * @param <T> the type of the value returned by the PrivilegedAction's
      *                  {@code run} method.
@@ -571,8 +586,18 @@
                       AccessControlContext parent, AccessControlContext context,
                       Permission[] perms)
     {
-        return new AccessControlContext(getCallerPD(caller), combiner, parent,
-                                        context, perms);
+        ProtectionDomain callerPD = getCallerPD(caller);
+        // check if caller is authorized to create context
+        if (context != null && !context.isAuthorized() &&
+            System.getSecurityManager() != null &&
+            !callerPD.impliesCreateAccessControlContext())
+        {
+            ProtectionDomain nullPD = new ProtectionDomain(null, null);
+            return new AccessControlContext(new ProtectionDomain[] { nullPD });
+        } else {
+            return new AccessControlContext(callerPD, combiner, parent,
+                                            context, perms);
+        }
     }
 
     private static ProtectionDomain getCallerPD(final Class <?> caller) {
@@ -597,9 +622,10 @@
      * If the action's {@code run} method throws an <i>unchecked</i>
      * exception, it will propagate through this method.
      * <p>
-     * If a security manager is installed and the {@code AccessControlContext}
-     * was not created by system code and the caller's {@code ProtectionDomain}
-     * has not been granted the {@literal "createAccessControlContext"}
+     * If a security manager is installed and the specified
+     * {@code AccessControlContext} was not created by system code and the
+     * caller's {@code ProtectionDomain} has not been granted the
+     * {@literal "createAccessControlContext"}
      * {@link java.security.SecurityPermission}, then the action is performed
      * with no permissions.
      *
@@ -641,6 +667,13 @@
      * <p>
      * If the action's {@code run} method throws an (unchecked) exception,
      * it will propagate through this method.
+     * <p>
+     * If a security manager is installed and the specified
+     * {@code AccessControlContext} was not created by system code and the
+     * caller's {@code ProtectionDomain} has not been granted the
+     * {@literal "createAccessControlContext"}
+     * {@link java.security.SecurityPermission}, then the action is performed
+     * with no permissions.
      *
      * @param <T> the type of the value returned by the
      *                  PrivilegedExceptionAction's {@code run} method.
@@ -697,6 +730,13 @@
      *
      * <p> This method preserves the current AccessControlContext's
      * DomainCombiner (which may be null) while the action is performed.
+     * <p>
+     * If a security manager is installed and the specified
+     * {@code AccessControlContext} was not created by system code and the
+     * caller's {@code ProtectionDomain} has not been granted the
+     * {@literal "createAccessControlContext"}
+     * {@link java.security.SecurityPermission}, then the action is performed
+     * with no permissions.
      *
      * @param <T> the type of the value returned by the
      *                  PrivilegedExceptionAction's {@code run} method.