
javax.security.auth.Subject.SecureSet.writeObject does not do a security check anymore


    • Type: CSR
    • Resolution: Approved
    • Priority: P3
    • Fix Version: 24
    • Component: security-libs
    • Subcomponent: None
    • Compatibility Kind: behavioral
    • Compatibility Risk: low
    • Compatibility Risk Description: No behavior change for applications running without a Security Manager.
    • Interface Kind: Java API
    • Scope: SE

      Summary

      The Serial Data section of javax.security.auth.Subject.SecureSet.writeObject() should be removed as it no longer does a security check now that the Security Manager is permanently disabled.

      Problem

      The Serial Data section of Subject.SecureSet.writeObject() says:

      "If this is a private credential set, a security check is performed to ensure that the caller has permission to access each credential in the set. If the security check passes, the set is serialized."

      This is no longer true now that the Security Manager is permanently disabled. This was leftover text that was missed as part of JEP 486.

      Solution

      See specification.

      Specification

      Remove the following text from Subject.SecureSet.writeObject():

       -         * @serialData If this is a private credential set,
       -         *      a security check is performed to ensure that
       -         *      the caller has permission to access each credential
       -         *      in the set.  If the security check passes,
       -         *      the set is serialized.
       -         *
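Review bot: the hunk deletes the whole `@serialData` tag rather than only the security-check sentences, so `writeObject()` is left with no description of its serialized form; consider keeping a reduced tag such as `* @serialData The set is serialized.` (the last clause of the removed text, which still holds) and dropping only the two sentences about the permission check. Removing the trailing blank `*` separator line is consistent with that, as long as the remaining Javadoc block still ends cleanly after the preceding tag.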

            Assignee: Sean Mullan
            Reporter: Sean Mullan
            Reviewed by: Alan Bateman, Roger Riggs