JDK-8034820

Wrong isAssignableFrom test when adding Principal to Subject


    • b65
    • generic
    • Verified

        FULL PRODUCT VERSION :
        java -version
        java version "1.7.0_45"
        Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
        Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)


        Also present in: https://jdk8.java.net/download.html

        ADDITIONAL OS VERSION INFORMATION :
        Does not matter, tested on Kubuntu, Windows7, etc...

        A DESCRIPTION OF THE PROBLEM :
        The isAssignableFrom test in javax.security.auth.Subject$ClassSet.add (and possibly the second use of it) seems wrong. I would assume that:

        interface X{}
        class Y implements X{}

        ClassSet<X> z = ....;
        z.add(new Y());

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Subject X = new Subject();
        X.getPrincipals(Principal.class).add(new Principal() {

            @Override
            public String getName() {
                // TODO Auto-generated method stub
                return null;
            }
        });

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        Either provide a proper exception saying this is not an allowed operation, or add should not fail
        ACTUAL -
        Exception in thread "main" java.lang.SecurityException: attempting to add an object which is not an instance of interface java.security.Principal
        at javax.security.auth.Subject$ClassSet.add(Subject.java:1398)

        REPRODUCIBILITY :
        This bug can be reproduced always.

        ---------- BEGIN SOURCE ----------
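        import java.security.Principal;
        import javax.security.auth.Subject;

        public class Repro {
            public static void main(String[] args) {
                Subject X = new Subject();
                // The add() call below is the one that throws the SecurityException
                X.getPrincipals(Principal.class).add(new Principal() {

                    @Override
                    public String getName() {
                        return null;
                    }
                });
            }
        }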
        ---------- END SOURCE ----------

        CUSTOMER SUBMITTED WORKAROUND :
        The workaround is to use the non-default Subject constructor:

        public Subject(boolean readOnly, Set<? extends Principal> principals,
                           Set<?> pubCredentials, Set<?> privCredentials)
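
An added illustration, not code from the bug report or from the JDK: a hypothetical `TypedSet` that applies the `isAssignableFrom` test in both directions, showing that the reversed form rejects a class implementing `Principal` (the exception reported above) while a raw-typed call lets a plain `Object` through. That the failing check has the reversed form is an assumption; the report does not quote the JDK source, and `TypedSet`, `NamedPrincipal` and `tryAdd` are names made up for this example.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;

public class AssignableDirectionDemo {
    // Hypothetical class-restricted set; not the JDK's Subject$ClassSet source.
    static final class TypedSet<T> {
        private final Class<T> c;
        private final boolean reversed;
        private final Set<T> set = new HashSet<>();

        TypedSet(Class<T> c, boolean reversed) { this.c = c; this.reversed = reversed; }

        boolean add(T o) {
            // Reversed: asks whether o's class is c or a supertype of c.
            // Correct:  asks whether o's class is c or a subtype of c.
            boolean ok = reversed
                    ? o.getClass().isAssignableFrom(c)
                    : c.isAssignableFrom(o.getClass());
            if (!ok) {
                throw new SecurityException("attempting to add an object which is not an instance of " + c);
            }
            return set.add(o);
        }
    }

    static final class NamedPrincipal implements Principal {
        @Override public String getName() { return "alice"; } // constructed sample value
    }

    // Raw-typed call: generics are erased, so only the runtime check guards the set.
    @SuppressWarnings({"unchecked", "rawtypes"})
    static String tryAdd(TypedSet set, Object o) {
        try {
            set.add(o);
            return "accepted";
        } catch (SecurityException e) {
            return "rejected";
        }
    }

    public static void main(String[] args) {
        TypedSet<Principal> bad = new TypedSet<>(Principal.class, true);
        TypedSet<Principal> good = new TypedSet<>(Principal.class, false);
        System.out.println("reversed, Principal impl: " + tryAdd(bad, new NamedPrincipal()));
        System.out.println("reversed, plain Object:   " + tryAdd(bad, new Object()));
        System.out.println("correct,  Principal impl: " + tryAdd(good, new NamedPrincipal()));
        System.out.println("correct,  plain Object:   " + tryAdd(good, new Object()));
    }
}
```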

              mullan Sean Mullan
              webbuggrp Webbug Group