Bug ID: JDK-5037004 RFE: Frivolous ClassCastExceptions thrown by SubjectCodeSource.implies

Details
Type: Enhancement
Submit Date: 2004-04-23
Status: Resolved
Updated Date: 2006-02-07
Project Name: JDK
Resolved Date: 2004-11-09
Component: security-libs
OS: windows_xp
Sub-Component: java.security
CPU: x86
Priority: P4
Resolution: Fixed
Affected Versions: 1.4.2
Fixed Versions:
Related Reports

Sub Tasks

Description
Name: js151677    Date: 04/23/2004


A DESCRIPTION OF THE PROBLEM :
SubjectCodeSource.implies(CodeSource) does a blind cast of the retrieved Principal to PrincipalComparator, and then catches the exception if thrown.  This can get quite expensive if your Subject has more than one Principal.

Please inspect the SubjectCodeSource.implies(CodeSource) method.

From JDK 1.4.2_03 src.jar, com.sun.security.auth.SubjectCodeSource, line 188:

        Class principalComparator = Class.forName(pppe.principalClass,
                                                  true,
                                                  sysClassLoader);
        Constructor c = principalComparator.getConstructor(PARAMS);
        PrincipalComparator pc =
            (PrincipalComparator)c.newInstance(new Object[] { pppe.principalName });
        ...
    } catch (Exception e) {
        // no PrincipalComparator, simply compare Principals
        if (subjectList == null) {

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
implies should use the instanceof operator to check if the retrieved Object is a PrincipalComparator
ACTUAL -
Throws excessive ClassCastExceptions


(Incident Review ID: 255354) 
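The following is an added example, not code from the bug report or from the JDK: it places the pattern the report objects to (cast first, catch the ClassCastException afterwards) beside the instanceof check it asks for, and counts how many exceptions each approach throws for a small constructed set of policy principals. The PrincipalComparator interface, the PlainPrincipal and GroupPrincipal classes, and the name-based fallback are local stand-ins defined here for illustration, not the real com.sun.security.auth types.

```java
import java.security.Principal;
import java.util.List;

public class ImpliesCastDemo {

    // Local stand-in for com.sun.security.auth.PrincipalComparator (assumption:
    // only an implies(...) over the Subject's principals is modelled here).
    interface PrincipalComparator {
        boolean implies(List<Principal> subjectPrincipals);
    }

    // Constructed sample principal that is NOT a PrincipalComparator.
    static final class PlainPrincipal implements Principal {
        private final String name;
        PlainPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Constructed sample principal that IS a PrincipalComparator: it matches
    // when any principal in the Subject carries the same name.
    static final class GroupPrincipal implements Principal, PrincipalComparator {
        private final String name;
        GroupPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean implies(List<Principal> subjectPrincipals) {
            for (Principal p : subjectPrincipals) {
                if (name.equals(p.getName())) return true;
            }
            return false;
        }
    }

    // Fallback used by both variants: plain name comparison against the Subject.
    static boolean compareByName(Object candidate, List<Principal> subjectPrincipals) {
        if (!(candidate instanceof Principal)) return false;
        String wanted = ((Principal) candidate).getName();
        for (Principal p : subjectPrincipals) {
            if (p.getName().equals(wanted)) return true;
        }
        return false;
    }

    static int castExceptionsSeen = 0;

    // The pattern the report complains about: blind cast, then catch.
    // Every non-comparator principal costs one ClassCastException, including
    // the stack-trace capture that exception construction performs.
    static boolean impliesByBlindCast(Object candidate, List<Principal> subjectPrincipals) {
        try {
            PrincipalComparator pc = (PrincipalComparator) candidate;
            return pc.implies(subjectPrincipals);
        } catch (ClassCastException e) {
            castExceptionsSeen++;
            return compareByName(candidate, subjectPrincipals);
        }
    }

    // The pattern the report asks for: test the type, then cast. No exception
    // is ever raised on the non-comparator path.
    static boolean impliesByInstanceof(Object candidate, List<Principal> subjectPrincipals) {
        if (candidate instanceof PrincipalComparator) {
            return ((PrincipalComparator) candidate).implies(subjectPrincipals);
        }
        return compareByName(candidate, subjectPrincipals);
    }

    public static void main(String[] args) {
        // Constructed Subject with two plain principals.
        List<Principal> subject = List.of(new PlainPrincipal("alice"),
                                          new PlainPrincipal("ops"));
        // Constructed policy entries: two plain principals, one comparator.
        Object[] policyEntries = { new PlainPrincipal("alice"),
                                   new PlainPrincipal("bob"),
                                   new GroupPrincipal("ops") };

        castExceptionsSeen = 0;
        for (Object entry : policyEntries) {
            System.out.println("blind cast  " + ((Principal) entry).getName()
                + " -> " + impliesByBlindCast(entry, subject));
        }
        System.out.println("ClassCastExceptions thrown: " + castExceptionsSeen);

        for (Object entry : policyEntries) {
            System.out.println("instanceof  " + ((Principal) entry).getName()
                + " -> " + impliesByInstanceof(entry, subject));
        }
    }
}
```

Both variants return the same results (alice and ops imply, bob does not); the only difference is that the blind-cast version raises one ClassCastException per plain principal, which is the overhead the report describes growing with the number of principals in the Subject.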
Comments
EVALUATION

Although SubjectCodeSource is deprecated,
a similar issue may be valid in sun.security.provider.PolicyFile.
Will investigate in the next release.
###@###.### 2004-04-23
2004-04-23
CONVERTED DATA

BugTraq+ Release Management Values

COMMIT TO FIX:
dragon

2004-06-14