JDK-8344950 : javax.security.auth.Subject.SecureSet.writeObject does not do a security check anymore
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.security
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 24
  • Submitted: 2024-11-25
  • Updated: 2024-11-26
  • Resolved: 2024-11-26
Description
Summary
-------

The Serial Data section of `javax.security.auth.Subject.SecureSet.writeObject()` should be removed, because the method no longer performs a security check now that the Security Manager is permanently disabled.

Problem
-------

The Serial Data section of `Subject.SecureSet.writeObject()` says:

"If this is a private credential set, a security check is performed to ensure that the caller has permission to access each credential in the set. If the security check passes, the set is serialized."

This is no longer true now that the Security Manager is permanently disabled. This was leftover text that was missed as part of JEP 486.

Solution
--------

See specification.

Specification
-------------

Remove the following text from `Subject.SecureSet.writeObject()`:

```
 -         * @serialData If this is a private credential set,
 -         *      a security check is performed to ensure that
 -         *      the caller has permission to access each credential
 -         *      in the set.  If the security check passes,
 -         *      the set is serialized.
 -         *
```
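
Review bot: The removed block deletes the whole `@serialData` tag rather than only the two security-check sentences, so `writeObject()` is left with no Serial Data description at all. Consider keeping the tag with a short statement of what is written for the set, and say explicitly that serializing a private credential set is no longer gated by a permission check, so readers who relied on the old wording see the change.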


Comments
Moving to Approved.
26-11-2024