Subject.doAs(null, action) does not clear the executing subject


    • Type: Bug
    • Resolution: Fixed
    • Priority: P3
    • 1.4.0
    • Affects Version/s: 1.4.0
    • Component/s: security-libs
    • None
    • beta
    • generic
    • generic

      Subject.doAs(null, action) in a context where there is already an executing subject does not set the executing subject to null; it leaves the currently executing subject as the executing subject. As a result, more permissions are granted than expected, opening up a security hole.

      Execute the attached test program with the attached security policy.
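The attached test program and policy are not on this page; the following is an added example (not the reporter's code) that checks the behaviour described above: it nests Subject.doAs(null, ...) inside Subject.doAs(outer, ...) and reports which Subject the inner action actually runs as. Class and method names are assumptions.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class DoAsNullCheck {

    // Runs an inner action under doAs(null, ...) while an outer Subject is
    // already executing, and returns the Subject the inner action observes.
    // Correct behaviour: null (no executing subject, hence no subject-based
    // permissions). The reported bug: the outer Subject is still returned.
    static Subject subjectSeenByInnerAction(Subject outer) {
        // Subject.getSubject(AccessControlContext) is deprecated on recent
        // JDKs (Subject.current() is the replacement) and throws
        // UnsupportedOperationException on JDK 23+ unless a Security Manager
        // is allowed; it is used here because it matches the era of this bug.
        PrivilegedAction<Subject> inner =
            () -> Subject.getSubject(AccessController.getContext());

        // doAs(null, inner) is expected to clear the executing subject.
        PrivilegedAction<Subject> wrapper = () -> Subject.doAs(null, inner);

        return Subject.doAs(outer, wrapper);
    }

    public static void main(String[] args) {
        // Constructed outer Subject with a recognisable principal.
        Subject outer = new Subject();
        outer.getPrincipals().add(new X500Principal("CN=outer-subject"));

        Subject seen = subjectSeenByInnerAction(outer);
        if (seen == null) {
            System.out.println("OK: doAs(null) cleared the executing subject");
        } else {
            System.out.println("BUG: inner action still runs as "
                + seen.getPrincipals());
        }
    }
}
```

If the check prints the BUG line, any permissions granted to the outer Subject's principals in the policy are still effective inside the doAs(null, ...) block, which is the over-granting the report describes.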

            Assignee: Ramachandran Marti (Inactive)
            Reporter: Bob Scheifler (Inactive)
