JDK-5103737 : Optimize security manager handling of permissions granted to all domains
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 5.0
  • Priority: P4
  • Status: Resolved
  • Resolution: Won't Fix
  • OS: generic
  • CPU: generic
  • Submitted: 2004-09-17
  • Updated: 2019-11-14
  • Resolved: 2019-11-14
Related Reports
Relates :  
JDK-6387002 - Improve security check performance
Description
See comments.
Comments
Not considered important enough to try to fix.
14-11-2019
EVALUATION > bootstrap code that does a doPrivileged results in a "null" AccessControlContext, which > doesn't require a policy check. however, this RFE would cause us to do a policy check up > front for all cases. The check for the null AccessControlContext is fast though, so one possibility is to add a method that checks if we have a null ACC (ex: isNullAccessControlContext), and if that is false, then do the fast policy check, otherwise do the normal getStackAccessControlContext.
09-03-2007
EVALUATION i changed the bug synopsis to be a little more accurate (we are not optimizing the case of a NULL protection domain). also, in the comment section it recommends "skipping" checks when permissions are granted to all domains. to clarify, you still have to perform a check. specifically, you still have to consult the policy to see whether the requested permission is granted to everyone all the time. one potential solution is to add a new API to Policy that allows a caller (AccessController, for example) to a quick check against a permission only. this API might be an 'implies' method that only takes a permission argument (as opposed to a permission argument plus ProtectionDomain). the intent of this API is to let the Policy determine if the permission is granted to everyone all the time. if so, this allows the caller to avoid getting the current AccessControlContext, walking the stack, and calling implies on each ProtectionDomain in the stack. it may be useful to note that one writes their own SecurityManager and Policy implementations, they can approximate this optimization on their own. the proposed optimization is most likely useful for the default PolicyFile, and specifically for grant statements like this: grant { // perms }; ###@###.### 2004-09-17 note that while implementing this RFE to avoid a call to getStackAccessControlContext is a good idea for non-bootstrap code, such a change would slow down all permission checks against bootstrap code. bootstrap code that does a doPrivileged results in a "null" AccessControlContext, which doesn't require a policy check. however, this RFE would cause us to do a policy check up front for all cases. therefore any speedup gained by the fast policy check for non-bootclasspath code may be negated by the unnecessary check done when only bootclasspath code is on the stack. ###@###.### 2005-05-20 22:54:02 GMT
20-05-2005