JDK-5037004 : RFE: Frivolous ClassCastExceptions thrown by SubjectCodeSource.implies
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 1.4.2
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2004-04-23
  • Updated: 2006-02-07
  • Resolved: 2004-11-09
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 6
6 betaFixed
Description
Name: js151677			Date: 04/23/2004


A DESCRIPTION OF THE PROBLEM :
SubjectCodeSource.implies(CodeSource) does a blind cast of the retrieved Principal to PrincipalComparator, and then catches the exception if thrown.  This can get quite expensive if your Subject has more than one Principal.

Please inspect the SubjectCodeSource.implies(CodeSource) method.  

 From JDK 1.4.2_03 src.jar, com.sun.security.auth.SubjectCodeSource, line 188:
 
        Class principalComparator = Class.forName(pppe.principalClass,
             true,
             sysClassLoader);
        Constructor c = principalComparator.getConstructor(PARAMS);
        PrincipalComparator pc =
            (PrincipalComparator)c.newInstance
          (new Object[] { pppe.principalName });
        ...
    } catch (Exception e) {
           // no PrincipalComparator, simply compare Principals
          if (subjectList == null) {

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
implies should use the instanceof operator to check if the retrieved Object is a PrincipalComparator
ACTUAL -
Throws excessive ClassCastExceptions


(Incident Review ID: 255354) 
======================================================================
Comments
CONVERTED DATA BugTraq+ Release Management Values COMMIT TO FIX: dragon
14-06-2004
EVALUATION Although SubjectCodeSource is deprecated, a similar issue may be valid in sun.security.provider.PolicyFile. Will investigate in the next release. ###@###.### 2004-04-23
23-04-2004