From 55d5f54396ff8911bba74ff9b8da9cc09a3519be Mon Sep 17 00:00:00 2001 From: JinhangZhang Date: Mon, 11 Nov 2024 14:18:22 -0500 Subject: [PATCH] Update doPrivilegedWithCombinerHelper function When we try to invoke doPrivilegedWithCombiner function to perform a privileged action under an existing context environment, we are used to construct a new context but ignore the parent context. We should take consideration of a combination of the current and parent context, rather than just choose either the current or the parent. This patch solves a failed case in issue #19499. Issue: #19499 Signed-off-by: Jinhang Zhang --- .../java/security/AccessControlContext.java | 31 +++++++++++++++++++ .../java/security/AccessController.java | 15 ++++----- 2 files changed, 39 insertions(+), 7 deletions(-) diff --git a/jcl/src/java.base/share/classes/java/security/AccessControlContext.java b/jcl/src/java.base/share/classes/java/security/AccessControlContext.java index 9684bff2300..96f67e370ec 100644 --- a/jcl/src/java.base/share/classes/java/security/AccessControlContext.java +++ b/jcl/src/java.base/share/classes/java/security/AccessControlContext.java @@ -351,6 +351,37 @@ public AccessControlContext(ProtectionDomain[] fromContext) { this.containPrivilegedContext = true; } +AccessControlContext(ProtectionDomain[] pdArray, @SuppressWarnings("removal") DomainCombiner combiner, + AccessControlContext parent, AccessControlContext acc, int authorizeState) { + super(); + switch (authorizeState) { + default: + // authorizeState can't be STATE_UNKNOWN, callerPD always is NULL + throw new IllegalArgumentException(); + case STATE_AUTHORIZED: + if (null != acc) { + // when parent combiner is not null, use parent combiner to combine the current context + if (combiner != null) { + this.context = combiner.combine(pdArray, acc.context); + this.domainCombiner = combiner; + } else { + this.context = combinePDObjs(pdArray, acc.context); + this.domainCombiner = acc.domainCombiner; + } + } else { + this.domainCombiner = parent.domainCombiner; + this.context = pdArray; + this.nextStackAcc = parent; + } + break; + case STATE_NOT_AUTHORIZED: + break; + } + this.doPrivilegedAcc = acc; + this.authorizeState = authorizeState; + this.containPrivilegedContext = true; +} + /** * Constructs a new instance of this class given a context * and a DomainCombiner diff --git a/jcl/src/java.base/share/classes/java/security/AccessController.java b/jcl/src/java.base/share/classes/java/security/AccessController.java index cf3c744ab95..630667a2360 100644 --- a/jcl/src/java.base/share/classes/java/security/AccessController.java +++ b/jcl/src/java.base/share/classes/java/security/AccessController.java @@ -1044,13 +1044,14 @@ public static T doPrivilegedWithCombiner(PrivilegedExceptionAction action private static AccessControlContext doPrivilegedWithCombinerHelper(AccessControlContext context) { ProtectionDomain domain = getCallerPD(2); ProtectionDomain[] pdArray = (domain == null) ? null : new ProtectionDomain[] { domain }; - AccessControlContext fixedContext = new AccessControlContext(context, pdArray, getNewAuthorizedState(context, domain)); - if (context == null) { - AccessControlContext parentContext = getContextHelper(true); - fixedContext.domainCombiner = parentContext.domainCombiner; - fixedContext.nextStackAcc = parentContext; - } - return fixedContext; + AccessControlContext parentContext = getContextHelper(context == null); + + return new AccessControlContext(pdArray, + parentContext.getCombiner(), + parentContext, + context, + getNewAuthorizedState(context, domain) + ); } }