Bug ID: JDK-8296244 Alternate implementation of user-based authorization Subject APIs that doesn’t depend on Security Manager APIs

JDK-8296244 : Alternate implementation of user-based authorization Subject APIs that doesn’t depend on Security Manager APIs

Type: Enhancement
Component: security-libs
Sub-Component: javax.security

Priority: P3
Status: Resolved
Resolution: Fixed

Submitted: 2022-11-02
Updated: 2024-05-31
Resolved: 2024-03-20

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 23
23 b15Fixed

Related Reports

CSR :	JDK-8327134 - Alternate implementation of user-based authorization Subject APIs that doesn't depend on Security Manager APIs
Relates :	JDK-8327618 - RMIConnectionImpl should remove AccessControlContext and JMXSubjectDomainCombiner usage.
Relates :	JDK-8267108 - Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs
Relates :	JDK-8333344 - JMX attaching of Subject does not work when security manager not allowed
Relates :	JDK-8328263 - JMX Monitor should migrate to storing a Subject, not AccessControlContext

Sub Tasks

JDK-8328643 :	Release Note: The Subject.getSubject API will now require setting the system property java.security.manager to allow on the command line - Closed
JDK-8329796 :	Update JAAS reference guide with Subject::callAs and Subject::current examples - Open

Description

In the implementation of Subject.current() and Subject.doAs(), replace the dependencies on AccessController/AccessControlContext (which are deprecated for removal) with scoped values (see JEP 446).

Comments

Related follow-on issue in Renaissance : https://github.com/renaissance-benchmarks/renaissance/issues/439
30-05-2024
Changeset: d32746ef Author: Weijun Wang <weijun@openjdk.org> Date: 2024-03-20 21:25:41 +0000 URL: https://git.openjdk.org/jdk/commit/d32746ef4a0ce6fec558274244321991be141698
20-03-2024
JMX uses ACC.doPrivileged to execute actions using a subject in several places. After this code change, they only work when SM is allowed. New bugs JDK-8327618 and JDK-8328263 have been created for related issues. At the moment, tests in this area will be modified to run with -Djava.security.manager=allow. Ideally, these modifications can be reverted when the 2 new bugs are resolved.
20-03-2024
A pull request was submitted for review. URL: https://git.openjdk.org/jdk/pull/17472 Date: 2024-01-17 23:41:53 +0000
27-01-2024
Setting fixVersion to 22 for now, as Scoped Values should hopefully become a Preview Feature in JDK 21, which will permit us to use it within the JDK.
02-05-2023