JDK-6511709 : SubjectDomainCombiner.combineJavaxPolicy should construct ProtectionDomains with dynamic permissions
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6
  • Priority: P3
  • Status: Closed
  • Resolution: Duplicate
  • OS: generic
  • CPU: generic
  • Submitted: 2007-01-10
  • Updated: 2010-04-03
  • Resolved: 2007-01-11
Related Reports
Duplicate :  
Description
SubjectDomainCombiner has compatibility support for javax.security.auth.Policy in its combineJavaxPolicy method.

The implementation of this method, however, constructs new ProtectionDomains using the 2-arg constructor, which results in a static permission collection that does not consult Policy.  In other words, the sole permissions granted to the ProtectionDomain are those in the ProtectionDomain instance itself (Policy is not consulted).

The implementation should construct new ProtectionDomains using the 4-arg constructor.  This allows dynamic permissions (from Policy) to be granted to the ProtectionDomain instance.

Comments
SUGGESTED FIX Logically, it seems we should change (inside combineJavaxPolicy): new ProtectionDomain(cs, perms); To: new ProtectionDomain(finalCs, perms, pd.getClassLoader(), principals); In fact, the 'principals' argument should be equivalent to subject.getPrincipals(), so either should work.
10-01-2007