JDK-8344949 : javax.security.auth.Subject.SecureSet.writeObject does not do a security check anymore
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.security
  • Affected Version: 24
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2024-11-25
  • Updated: 2024-11-28
  • Resolved: 2024-11-26
JDK 24
24 b26: Fixed
Related Reports
CSR :  
Relates :  
Description
The Serial Data section of the Subject.SecureSet.writeObject method says:

"If this is a private credential set, a security check is performed to ensure that the caller has permission to access each credential in the set. If the security check passes, the set is serialized."

This is no longer true after the Security Manager has been permanently disabled (see JEP 486). This text should now be removed.

Comments
Changeset: 86d527f9
Branch: master
Author: Sean Mullan <mullan@openjdk.org>
Date: 2024-11-26 14:21:01 +0000
URL: https://git.openjdk.org/jdk/commit/86d527f987a27c22fae784812aad9d8f370d2e9c
26-11-2024

A pull request was submitted for review.
Branch: master
URL: https://git.openjdk.org/jdk/pull/22390
Date: 2024-11-26 13:28:14 +0000
26-11-2024