Update doPrivilegedWithCombinerHelper function

When we try to invoke doPrivilegedWithCombiner function to perform a privileged action under an existing context environment, we are used to construct a new context but ignore the parent context. We should take consideration of a combination of the current and parent context, rather than just choose either the current or the parent. This patch solves a failed case in issue #19499. Issue: #19499 Signed-off-by: Jinhang Zhang <[email protected]>
eclipse-openj9 · Dec 11, 2024 · 520741c · 520741c
1 parent e832477
commit 520741c
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 7 deletions.
diff --git a/jcl/src/java.base/share/classes/java/security/AccessControlContext.java b/jcl/src/java.base/share/classes/java/security/AccessControlContext.java
@@ -353,6 +353,42 @@ public AccessControlContext(ProtectionDomain[] fromContext) {
 	this.containPrivilegedContext = true;
 }
 
+AccessControlContext(ProtectionDomain[] pdArray, AccessControlContext parentAcc, AccessControlContext context, int authorizeState) {
+	super();
+	switch (authorizeState) {
+	default:
+		// authorizeState can't be STATE_UNKNOWN, callerPD always is NULL
+		throw new IllegalArgumentException();
+	case STATE_AUTHORIZED:
+		if (context != null) {
+			if (parentAcc == null) {
+				// inherit the domain combiner when authorized
+				this.domainCombiner = context.domainCombiner;
+			} else {
+				// when parent combiner is not null, use parent combiner to combine the current context
+				DomainCombiner parentAccCombiner = parentAcc.getCombiner();
+				if (parentAccCombiner != null) {
+					this.context = parentAccCombiner.combine(pdArray, context.context);
+					this.domainCombiner = parentAccCombiner;
+				} else {
+					this.context = combinePDObjs(pdArray, context.context);
+					this.domainCombiner = context.domainCombiner;
+				}
+			}
+		} else {
+			this.domainCombiner = parentAcc.domainCombiner;
+			this.context = pdArray;
+			this.nextStackAcc = parentAcc;
+		}
+		break;
+	case STATE_NOT_AUTHORIZED:
+		break;
+	}
+	this.doPrivilegedAcc = context;
+	this.authorizeState = authorizeState;
+	this.containPrivilegedContext = true;
+}
+
 /**
  * Constructs a new instance of this class given a context
  * and a DomainCombiner

diff --git a/jcl/src/java.base/share/classes/java/security/AccessController.java b/jcl/src/java.base/share/classes/java/security/AccessController.java
@@ -1096,13 +1096,9 @@ public static <T> T doPrivilegedWithCombiner(PrivilegedExceptionAction<T> action
 private static AccessControlContext doPrivilegedWithCombinerHelper(AccessControlContext context) {
 	ProtectionDomain domain = getCallerPD(2);
 	ProtectionDomain[] pdArray = (domain == null) ? null : new ProtectionDomain[] { domain };
-	AccessControlContext fixedContext = new AccessControlContext(context, pdArray, getNewAuthorizedState(context, domain));
-	if (context == null) {
-		AccessControlContext parentContext = getContextHelper(true);
-		fixedContext.domainCombiner = parentContext.domainCombiner;
-		fixedContext.nextStackAcc = parentContext;
-	}
-	return fixedContext;
+	AccessControlContext parentContext = getContextHelper(context == null);
+
+	return new AccessControlContext(pdArray, parentContext, context, getNewAuthorizedState(context, domain));
 }
 /*[ENDIF] JAVA_SPEC_VERSION < 24 */