- CSR
- Resolution: Approved
- P3
- None
- behavioral
- low
- No behavior change for applications running without a Security Manager.
- Java API
- SE
Summary
The Serial Data section of javax.security.auth.Subject.SecureSet.writeObject() should be removed as it no longer does a security check now that the Security Manager is permanently disabled.
Problem
The Serial Data section of Subject.SecureSet.writeObject() says:
"If this is a private credential set, a security check is performed to ensure that the caller has permission to access each credential in the set. If the security check passes, the set is serialized."
This is no longer true now that the Security Manager is permanently disabled. This was leftover text that was missed as part of JEP 486.
Solution
See specification.
Specification
Remove the following text from Subject.SecureSet.writeObject():
- * @serialData If this is a private credential set,
- * a security check is performed to ensure that
- * the caller has permission to access each credential
- * in the set. If the security check passes,
- * the set is serialized.
- *
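Review bot: The whole @serialData tag is removed rather than reworded, so writeObject() is left with no Serial Data description at all. If the serialized-form documentation should still describe what is written, consider keeping a short @serialData line that only says the set is serialized, without the permission-check sentence.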
- csr of JDK-8344949 javax.security.auth.Subject.SecureSet.writeObject does not do a security check anymore (Resolved)