[Bug classpath/23916] java.security.AccessControlContext forget Subject
From: csm at gnu dot org
Subject: [Bug classpath/23916] java.security.AccessControlContext forget Subject in Subject.doAs* methods
Date: 23 Sep 2005 06:24:52 -0000

------- Additional Comments From csm at gnu dot org 2005-09-23 06:24 -------
This patch looks mostly okay; I'm curious, however, if the domain combiner is never null in the passed-in context.

I do, however, see another bug in our implementation: the AccessControlContext constructor is not protected by a security check. Without this, this patch would allow arbitrary code to specify whatever ProtectionDomains they please, if they pass an appropriate DomainCombiner in. Also, I think our package-private constructor needs to compute:

  (domain-intersection thread-perms (user-domain-combiner thread-perms context-perms))

...that is, apply the IntersectingDomainCombiner to the protection domains after applying the user-specified one.
--
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=23916
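
The composition order proposed in the comment above, as an added Java model that is not part of the original message and not GNU Classpath source. The class name, the `domain`, `intersect` and `allowed` helpers, the sample permission and the sample combiner are all constructed for illustration; `intersect` assumes the intersecting step keeps every domain from both arrays, so a permission is held only when all of them imply it.

```java
import java.security.*;
import java.util.*;

// Added illustration; models the composition order only, not Classpath internals.
public class CombineOrderDemo {
    // A ProtectionDomain with a fixed (static) permission set and no CodeSource.
    static ProtectionDomain domain(Permission... granted) {
        Permissions perms = new Permissions();
        for (Permission p : granted) perms.add(p);
        return new ProtectionDomain(null, perms);
    }

    // Assumed behaviour of the intersecting step: keep the domains of both
    // arrays, which intersects the permissions that the result can exercise.
    static ProtectionDomain[] intersect(ProtectionDomain[] a, ProtectionDomain[] b) {
        Set<ProtectionDomain> all = new LinkedHashSet<>(Arrays.asList(a));
        all.addAll(Arrays.asList(b));
        return all.toArray(new ProtectionDomain[0]);
    }

    // An access check passes only when every domain implies the permission.
    static boolean allowed(ProtectionDomain[] domains, Permission p) {
        for (ProtectionDomain d : domains) {
            if (!d.implies(p)) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        Permission wanted = new RuntimePermission("demo.action"); // constructed sample
        ProtectionDomain[] thread = { domain() };   // calling code: nothing granted
        ProtectionDomain[] context = { domain() };  // passed-in context: nothing granted

        // Constructed combiner that ignores both inputs and supplies its own domain,
        // the case the comment warns about.
        DomainCombiner user =
            (cur, assigned) -> new ProtectionDomain[] { domain(new AllPermission()) };

        // (user-domain-combiner thread-perms context-perms)
        ProtectionDomain[] userOnly = user.combine(thread, context);
        // (domain-intersection thread-perms <result of the user combiner>)
        ProtectionDomain[] capped = intersect(thread, userOnly);

        System.out.println("user combiner alone:  " + allowed(userOnly, wanted));
        System.out.println("intersected afterward: " + allowed(capped, wanted));
    }
}
```

The model covers only the ordering of the two combiners; the missing security check on the constructor that the comment also raises is a separate control and is not modelled here.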