javax.security.auth.Subject.SecureSet.writeObject does not do a security check anymore


    • Type: CSR
    • Resolution: Approved
    • Priority: P3
    • 24
    • Component/s: security-libs
    • None
    • behavioral
    • low
    • No behavior change for applications running without a Security Manager.
    • Java API
    • SE

      Summary

      The Serial Data section of javax.security.auth.Subject.SecureSet.writeObject() should be removed, because the method no longer performs a security check now that the Security Manager is permanently disabled.

      Problem

      The Serial Data section of Subject.SecureSet.writeObject() says:

      "If this is a private credential set, a security check is performed to ensure that the caller has permission to access each credential in the set. If the security check passes, the set is serialized."

      This is no longer true now that the Security Manager is permanently disabled. This was leftover text that was missed as part of JEP 486.
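      The practical consequence of the change described above is that serializing a Subject that holds private credentials now writes those credentials into the stream unconditionally; there is no longer any permission check to stop a caller. The following is an added example, not code from the CSR or from the JDK, that makes this visible: it serializes a Subject whose private credential set contains a constructed string, then scans the resulting bytes for that string. The class name, the credential values and the `containsAscii` helper are assumptions made for this illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

// Hypothetical class name for this illustration.
public class SubjectSerializationCheck {

    // Serialize a Subject exactly as ObjectOutputStream would in any
    // application that persists or transmits it.
    public static byte[] serialize(Subject subject) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(subject);
        }
        return bos.toByteArray();
    }

    // Naive byte search; Strings are written with writeUTF (modified UTF-8),
    // so an ASCII needle appears verbatim in the stream.
    static boolean containsAscii(byte[] data, String needle) {
        byte[] n = needle.getBytes(StandardCharsets.ISO_8859_1);
        outer:
        for (int i = 0; i + n.length <= data.length; i++) {
            for (int j = 0; j < n.length; j++) {
                if (data[i + j] != n[j]) {
                    continue outer;
                }
            }
            return true;
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values; not real credentials.
        String secret = "constructed-private-credential-value";
        Subject s = new Subject(false,
                Set.of(new X500Principal("CN=example")),
                Set.of("constructed-public-token"),
                Set.of(secret));

        byte[] bytes = serialize(s);

        // With no Security Manager there is no check: the private
        // credential is present in the serialized form.
        System.out.println("private credential present in stream: "
                + containsAscii(bytes, secret));
    }
}
```

      The check prints `true` on a JDK where the Security Manager is disabled. The defensive takeaway is that a serialized Subject must be treated as sensitive data in its own right: any code path that serializes Subjects (session replication, caching, remoting) has to apply its own access control, since the platform no longer does it during writeObject.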

      Solution

      See specification.

      Specification

      Remove the following text from Subject.SecureSet.writeObject():

       -         * @serialData If this is a private credential set,
       -         *      a security check is performed to ensure that
       -         *      the caller has permission to access each credential
       -         *      in the set.  If the security check passes,
       -         *      the set is serialized.
       -         *
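      Review bot: deleting the whole @serialData block removes the description of what is written, not only the stale security-check sentence; the removed text did state that "the set is serialized". Unless the serialized form of SecureSet is already documented elsewhere, consider keeping a one-line tag such as `* @serialData The elements of the set.` so the serialized-form page still says what writeObject emits.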
      

            Assignee:
            Sean Mullan
            Reporter:
            Sean Mullan
            Alan Bateman, Roger Riggs