JDK-6302904 : SubjectDomainCombiner fails to check for null in combineJavaxPolicy
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 1.4.2_06,6
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic,solaris_2.5.1
  • CPU: generic,x86
  • Submitted: 2005-07-28
  • Updated: 2010-04-02
  • Resolved: 2005-08-05
  • Other: 1.4.2_10 (Fixed)
  • JDK 6: 6 beta (Fixed)
Related Reports
Duplicate :  
Description
1) Set the security property auth.policy.provider to a valid JAAS policy provider.
2) In a custom classloader, create protection domains with null permission sets, and ensure these protection domains are on the stack.
3) In the test case, call Subject.getSubject(ACC); this will trigger SubjectDomainCombiner.combineJavaxPolicy to be called. When it reaches the protection domain with a null permission set, it'll bomb out with a NullPointerException.

Comments
EVALUATION will fix.
29-07-2005

SUGGESTED FIX Here is the code in question in SubjectDomainCombiner.java (line 315):

    // get the original perms
    Permissions perms = new Permissions();
    java.util.Enumeration e = currentDomains[i].getPermissions().elements(); // rkng: should check for null
    while (e.hasMoreElements()) {
        Permission newPerm = (Permission)e.nextElement();
        perms.add(newPerm);
    }
28-07-2005

WORK AROUND Always create protection domains with a non-null permission set.
28-07-2005
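
The null check that the suggested fix calls for, as an added Java example (not the JDK's actual patch). The class NullPermsCopy and the helpers copyPermissions and count are hypothetical names, and the two protection domains are constructed sample input.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.util.Enumeration;
import java.util.PropertyPermission;

public class NullPermsCopy {

    // Hypothetical helper: copies a domain's static permissions and
    // treats a null PermissionCollection as "no permissions" instead of
    // dereferencing it, which is the step that threw in the report.
    static Permissions copyPermissions(ProtectionDomain domain) {
        Permissions perms = new Permissions();
        PermissionCollection original = domain.getPermissions();
        if (original == null) {
            return perms; // domain was built with a null permission set
        }
        Enumeration<Permission> e = original.elements();
        while (e.hasMoreElements()) {
            perms.add(e.nextElement());
        }
        return perms;
    }

    // Counts the entries in a collection so the result can be inspected.
    static int count(PermissionCollection pc) {
        int n = 0;
        Enumeration<Permission> e = pc.elements();
        while (e.hasMoreElements()) {
            e.nextElement();
            n++;
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed sample input: one populated domain, one with null permissions.
        Permissions granted = new Permissions();
        granted.add(new PropertyPermission("user.name", "read"));
        ProtectionDomain[] domains = {
            new ProtectionDomain(null, granted),
            new ProtectionDomain(null, null) // getPermissions() returns null here
        };
        for (ProtectionDomain d : domains) {
            System.out.println(count(copyPermissions(d)) + " permission(s) copied");
        }
    }
}
```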