--- a/jdk/src/share/classes/javax/security/auth/Policy.java Tue Oct 22 12:33:33 2013 +0100
+++ b/jdk/src/share/classes/javax/security/auth/Policy.java Tue Oct 22 14:55:19 2013 +0100
@@ -26,6 +26,10 @@
package javax.security.auth;
import java.security.Security;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.security.PrivilegedExceptionAction;
+import java.util.Objects;
import sun.security.util.Debug;
/**
@@ -155,22 +159,15 @@
public abstract class Policy {
private static Policy policy;
- private static ClassLoader contextClassLoader;
private final static String AUTH_POLICY =
"sun.security.provider.AuthPolicyFile";
+ private final java.security.AccessControlContext acc =
+ java.security.AccessController.getContext();
+
// true if a custom (not AUTH_POLICY) system-wide policy object is set
private static boolean isCustomPolicy;
- static {
- contextClassLoader = java.security.AccessController.doPrivileged
- (new java.security.PrivilegedAction<ClassLoader>() {
- public ClassLoader run() {
- return Thread.currentThread().getContextClassLoader();
- }
- });
- };
-
/**
* Sole constructor. (For invocation by subclass constructors, typically
* implicit.)
@@ -213,8 +210,8 @@
if (policy == null) {
String policy_class = null;
- policy_class = java.security.AccessController.doPrivileged
- (new java.security.PrivilegedAction<String>() {
+ policy_class = AccessController.doPrivileged
+ (new PrivilegedAction<String>() {
public String run() {
return java.security.Security.getProperty
("auth.policy.provider");
@@ -226,18 +223,28 @@
try {
final String finalClass = policy_class;
- policy = java.security.AccessController.doPrivileged
- (new java.security.PrivilegedExceptionAction<Policy>() {
- public Policy run() throws ClassNotFoundException,
- InstantiationException,
- IllegalAccessException {
- return (Policy) Class.forName
- (finalClass,
- true,
- contextClassLoader).newInstance();
- }
- });
- isCustomPolicy = !finalClass.equals(AUTH_POLICY);
+
+ Policy untrustedImpl = AccessController.doPrivileged(
+ new PrivilegedExceptionAction<Policy>() {
+ public Policy run() throws ClassNotFoundException,
+ InstantiationException,
+ IllegalAccessException {
+ Class<? extends Policy> implClass = Class.forName(
+ finalClass, false,
+ Thread.currentThread().getContextClassLoader()
+ ).asSubclass(Policy.class);
+ return implClass.newInstance();
+ }
+ });
+ AccessController.doPrivileged(
+ new PrivilegedExceptionAction<Void>() {
+ public Void run() {
+ setPolicy(untrustedImpl);
+ isCustomPolicy = !finalClass.equals(AUTH_POLICY);
+ return null;
+ }
+ }, Objects.requireNonNull(untrustedImpl.acc)
+ );
} catch (Exception e) {
throw new SecurityException
(sun.security.util.ResourcesMgr.getString
--- a/jdk/src/share/classes/javax/security/auth/login/Configuration.java Tue Oct 22 12:33:33 2013 +0100
+++ b/jdk/src/share/classes/javax/security/auth/login/Configuration.java Tue Oct 22 14:55:19 2013 +0100
@@ -27,9 +27,6 @@
import javax.security.auth.AuthPermission;
-import java.io.*;
-import java.util.*;
-import java.net.URI;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;
@@ -38,7 +35,7 @@
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
-import java.security.SecurityPermission;
+import java.util.Objects;
import sun.security.jca.GetInstance;
@@ -191,16 +188,9 @@
public abstract class Configuration {
private static Configuration configuration;
- private static ClassLoader contextClassLoader;
- static {
- contextClassLoader = AccessController.doPrivileged
- (new PrivilegedAction<ClassLoader>() {
- public ClassLoader run() {
- return Thread.currentThread().getContextClassLoader();
- }
- });
- };
+ private final java.security.AccessControlContext acc =
+ java.security.AccessController.getContext();
private static void checkPermission(String type) {
SecurityManager sm = System.getSecurityManager();
@@ -253,17 +243,26 @@
try {
final String finalClass = config_class;
- configuration = AccessController.doPrivileged
- (new PrivilegedExceptionAction<Configuration>() {
- public Configuration run() throws ClassNotFoundException,
- InstantiationException,
- IllegalAccessException {
- return (Configuration)Class.forName
- (finalClass,
- true,
- contextClassLoader).newInstance();
- }
- });
+ Configuration untrustedImpl = AccessController.doPrivileged(
+ new PrivilegedExceptionAction<Configuration>() {
+ public Configuration run() throws ClassNotFoundException,
+ InstantiationException,
+ IllegalAccessException {
+ Class<? extends Configuration> implClass = Class.forName(
+ finalClass, false,
+ Thread.currentThread().getContextClassLoader()
+ ).asSubclass(Configuration.class);
+ return implClass.newInstance();
+ }
+ });
+ AccessController.doPrivileged(
+ new PrivilegedExceptionAction<Void>() {
+ public Void run() {
+ setConfiguration(untrustedImpl);
+ return null;
+ }
+ }, Objects.requireNonNull(untrustedImpl.acc)
+ );
} catch (PrivilegedActionException e) {
Exception ee = e.getException();
if (ee instanceof InstantiationException) {