JDK-8267108

Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs

    Details

    • Type: Enhancement
    • Status: Resolved
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 18
    • Component/s: security-libs

      Description

      Subject.getSubject(AccessControlContext acc) retrieves a Subject associated with an AccessControlContext object (in its SubjectDomainCombiner) which was created earlier when one of the overloaded Subject.doAs() methods was called.

      While an AccessControlContext object is used here, this is actually not related to access control. The AccessControlContext object and the SubjectDomainCombiner object inside it are mainly used as a placeholder to store a Subject object (when doAs is called) that can be loaded later by the application code (the doAs method's action argument).

      This is the base of JAAS and we should continue to support this mechanism even after the Security Manager is deprecated for removal where both AccessControlContext and SubjectDomainCombiner will not exist. A new method is needed to retrieve the subject associated with the current running context.

      Similarly, Subject::doAs can be used as a mechanism to transport credentials across API boundaries by attaching them to the thread’s AccessControlContext, serving a purpose similar to a ThreadLocal. These credentials can be used for purposes other than code-based access control without enabling the Security Manager. However, they depend on APIs tightly related to the Security Manager, such as AccessController and DomainCombiner.

      We should also continue to support this important use case if the Security Manager is deprecated for removal. Decoupling this behavior from the Security Manager APIs and defining new APIs seems like the best way forward.
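
The credential-transport pattern described above, as an added example that is not part of the original issue or the JDK sources. It uses `Subject.callAs` and `Subject.current`, the Security-Manager-independent methods present in `javax.security.auth.Subject` since JDK 18 (the issue text does not name them); `UserPrincipal`, `ApiToken` and the method names are hypothetical.

```java
import java.security.Principal;
import javax.security.auth.Subject;

public class SubjectTransportDemo {

    // Constructed types for the demo; real principals and credentials
    // normally come from a JAAS LoginModule.
    record UserPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }
    record ApiToken(String value) { }

    // Code several frames below the login. It takes no Subject parameter and
    // reads the identity attached to the current execution context, where
    // older code called Subject.getSubject(AccessController.getContext()).
    static String describeCaller() {
        Subject s = Subject.current();      // null when no Subject is attached
        if (s == null) {
            return "anonymous";
        }
        String who = s.getPrincipals().iterator().next().getName();
        boolean hasToken = !s.getPrivateCredentials(ApiToken.class).isEmpty();
        // Report only that a credential is present, never its value.
        return who + (hasToken ? " (token attached)" : " (no token)");
    }

    // Intermediate layer that knows nothing about JAAS.
    static String businessLogic() {
        return describeCaller();
    }

    public static void main(String[] args) {
        Subject alice = new Subject();
        alice.getPrincipals().add(new UserPrincipal("alice"));
        alice.getPrivateCredentials().add(new ApiToken("constructed-demo-value"));
        alice.setReadOnly();   // callees can no longer alter principals or credentials

        System.out.println("outside callAs: " + businessLogic());
        // Counterpart of Subject.doAs(alice, action): runs the Callable with
        // alice as the current subject and returns its result.
        String inside = Subject.callAs(alice, SubjectTransportDemo::businessLogic);
        System.out.println("inside callAs:  " + inside);
        System.out.println("after callAs:   " + businessLogic());
    }
}
```

The subject is visible only while the `callAs` action runs, so code that caches the result of `Subject.current()` beyond that scope keeps the credentials reachable longer than the caller intended.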

              People

              Assignee:
              weijun Weijun Wang
              Reporter:
              weijun Weijun Wang