
[Bug classpath/23916] java.security.AccessControlContext forget Subject


From: csm at gnu dot org
Subject: [Bug classpath/23916] java.security.AccessControlContext forget Subject in Subject.doAs* methods
Date: 23 Sep 2005 06:24:52 -0000

------- Additional Comments From csm at gnu dot org  2005-09-23 06:24 -------
This patch looks mostly okay; I'm curious, however, if the domain combiner
is never null in the passed-in context.

I do, however, see another bug in our implementation: the
AccessControlContext constructor is not protected by a security check.
Without this, this patch would allow arbitrary code to specify whatever
ProtectionDomains they please, if they pass an appropriate DomainCombiner
in. Also, I think our package-private constructor needs to compute:

  (domain-intersection thread-perms
    (user-domain-combiner thread-perms context-perms))

...that is, apply the IntersectingDomainCombiner to the protection domains
after applying the user-specified one.

-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=23916
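
An added illustration of the two points in the comment above, not part of
the original message and not GNU Classpath code: a set-based model in which
a context is a list of domains that must all grant a permission. The class
and method names, the permission strings and the sample combiner are
constructed for this example; "createAccessControlContext" is the JDK's
SecurityPermission target name, which the message itself does not mention.

```java
import java.util.*;
import java.util.function.BinaryOperator;

public class CombinerOrderDemo {
    // Model only: a domain is the set of permission names it grants; a context
    // is a list of domains, and a check passes only if every domain grants it.
    static boolean implies(List<Set<String>> ctx, String perm) {
        for (Set<String> d : ctx) if (!d.contains(perm)) return false;
        return true;
    }

    // domain-intersection: keep the domains of both sides, so both must agree.
    static List<Set<String>> intersect(List<Set<String>> a, List<Set<String>> b) {
        List<Set<String>> out = new ArrayList<>(a);
        out.addAll(b);
        return out;
    }

    // Guarded construction: security check first (permission name is an
    // assumption taken from the JDK), then the order given in the comment:
    // (domain-intersection thread-perms (user-domain-combiner thread-perms context-perms))
    static List<Set<String>> create(List<Set<String>> thread, List<Set<String>> context,
                                    BinaryOperator<List<Set<String>>> userCombiner) {
        if (!implies(thread, "createAccessControlContext"))
            throw new SecurityException("caller may not create a context");
        return intersect(thread, userCombiner.apply(thread, context));
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<Set<String>> context = List.of(Set.of("read:/tmp", "connect:db"));
        List<Set<String>> trusted = List.of(Set.of("createAccessControlContext", "read:/tmp"));
        List<Set<String>> untrusted = List.of(Set.of("read:/tmp"));
        // Constructed combiner that ignores its inputs and names its own domain.
        BinaryOperator<List<Set<String>>> overreaching =
            (cur, assigned) -> List.of(Set.of("read:/tmp", "write:/etc"));

        // Combiner output used as-is: the combiner alone decides the result.
        System.out.println(implies(overreaching.apply(trusted, context), "write:/etc"));
        // Intersected afterwards: clipped to what the thread already holds.
        List<Set<String>> acc = create(trusted, context, overreaching);
        System.out.println(implies(acc, "write:/etc"));
        System.out.println(implies(acc, "read:/tmp"));
        // Without the permission, construction is refused before the combiner runs.
        try {
            create(untrusted, context, overreaching);
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```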
