# HG changeset patch # User xuelei # Date 1382634146 25200 # Node ID fe1707a836b4f1db76959e1851ad0e4e6dc64fef # Parent ef2352bf3dfe5dbdc2d6723e6cddc9822bf45700 8027204: Revise the update of 8026204 and 8025758 Summary: Rivise the update to use system class loader with null TCCL. Also reviewed by Alexander Fomin Reviewed-by: mchung, ahgross diff -r ef2352bf3dfe -r fe1707a836b4 src/share/classes/com/sun/naming/internal/FactoryEnumeration.java --- a/src/share/classes/com/sun/naming/internal/FactoryEnumeration.java Wed Oct 23 21:24:34 2013 -0700 +++ b/src/share/classes/com/sun/naming/internal/FactoryEnumeration.java Thu Oct 24 10:02:26 2013 -0700 @@ -83,7 +83,6 @@ try { if (answer == null) { // reload class if weak ref cleared Class cls = Class.forName(className, true, loader); - VersionHelper12.checkPackageAccess(cls); answer = cls; } // Instantiate Class to get factory diff -r ef2352bf3dfe -r fe1707a836b4 src/share/classes/com/sun/naming/internal/VersionHelper12.java --- a/src/share/classes/com/sun/naming/internal/VersionHelper12.java Wed Oct 23 21:24:34 2013 -0700 +++ b/src/share/classes/com/sun/naming/internal/VersionHelper12.java Thu Oct 24 10:02:26 2013 -0700 @@ -39,7 +39,6 @@ import java.util.Properties; import javax.naming.*; -import sun.reflect.misc.ReflectUtil; /** * VersionHelper was used by JNDI to accommodate differences between @@ -54,18 +53,6 @@ final class VersionHelper12 extends VersionHelper { - // workaround to disable additional package access control with - // Thread Context Class Loader (TCCL). - private final static boolean noPackageAccessWithTCCL = "true".equals( - AccessController.doPrivileged( - new PrivilegedAction() { - public String run() { - return System.getProperty( - "com.sun.naming.untieAccessContextWithTCCL"); - } - } - )); - // Disallow external from creating one of these. VersionHelper12() { } 
@@ -83,9 +70,6 @@ Class loadClass(String className, ClassLoader cl) throws ClassNotFoundException { Class cls = Class.forName(className, true, cl); - if (!noPackageAccessWithTCCL) { - checkPackageAccess(cls); - } return cls; } @@ -103,35 +87,6 @@ return loadClass(className, cl); } - /** - * check package access of a class that is loaded with Thread Context - * Class Loader (TCCL). - * - * Similar to java.lang.ClassLoader.checkPackageAccess() - */ - static void checkPackageAccess(Class cls) { - final SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - if (ReflectUtil.isNonPublicProxyClass(cls)) { - for (Class intf: cls.getInterfaces()) { - checkPackageAccess(intf); - } - return; - } - - final String name = cls.getName(); - final int i = name.lastIndexOf('.'); - if (i != -1) { - AccessController.doPrivileged(new PrivilegedAction() { - public Void run() { - sm.checkPackageAccess(name.substring(0, i)); - return null; - } - }, AccessController.getContext()); - } - } - } - String getJndiProperty(final int i) { return AccessController.doPrivileged( new PrivilegedAction() { 
@@ -220,18 +175,24 @@ /** * Package private. * - * This internal method makes use of Thread Context Class Loader (TCCL), - * please don't expose this method as public. + * This internal method returns Thread Context Class Loader (TCCL), + * if null, returns the system Class Loader. * - * Please take care of package access control on the current context - * whenever using TCCL. + * Please don't expose this method as public. */ ClassLoader getContextClassLoader() { return AccessController.doPrivileged( new PrivilegedAction() { public ClassLoader run() { - return Thread.currentThread().getContextClassLoader(); + ClassLoader loader = + Thread.currentThread().getContextClassLoader(); + if (loader == null) { + // Don't use bootstrap class loader directly! + loader = ClassLoader.getSystemClassLoader(); + } + + return loader; } } ); diff -r ef2352bf3dfe -r fe1707a836b4 src/share/classes/javax/security/auth/login/LoginContext.java --- a/src/share/classes/javax/security/auth/login/LoginContext.java Wed Oct 23 21:24:34 2013 -0700 +++ b/src/share/classes/javax/security/auth/login/LoginContext.java Thu Oct 24 10:02:26 2013 -0700 @@ -37,10 +37,8 @@ import javax.security.auth.callback.*; import java.security.AccessController; import java.security.AccessControlContext; -import java.security.PrivilegedAction; import sun.security.util.PendingException; import sun.security.util.ResourcesMgr; -import sun.reflect.misc.ReflectUtil; /** *
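Review bot: The comment added in getContextClassLoader(), `// Don't use bootstrap class loader directly!`, gives the rule without the reason, and the same hunk drops the Javadoc sentence telling callers to take care of package access control when using the TCCL. The identical fallback in LoginContext.init() (the `@@ -293,7 +278,15 @@` hunk) does state the reason. Because this commit also removes the explicit checkPackageAccess calls from loadClass() and FactoryEnumeration, this fallback is the only guard visible here for a null TCCL. I would carry the reason in both places, e.g. `// With a null TCCL, Class.forName() would load through the bootstrap loader and bypass the package access check; use the system class loader instead.` No regression test for the null-TCCL case under a SecurityManager is visible in this changeset; one would pin the behaviour the removed checks used to cover.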

The {@code LoginContext} class describes the basic methods used @@ -227,19 +225,6 @@ private static final sun.security.util.Debug debug = sun.security.util.Debug.getInstance("logincontext", "\t[LoginContext]"); - // workaround to disable additional package access control with - // Thread Context Class Loader (TCCL). - private static final boolean noPackageAccessWithTCCL = "true".equals( - AccessController.doPrivileged( - new PrivilegedAction() { - public String run() { - return System.getProperty( - "auth.login.untieAccessContextWithTCCL"); - } - } - )); - - private void init(String name) throws LoginException { SecurityManager sm = System.getSecurityManager(); @@ -293,7 +278,15 @@ contextClassLoader = java.security.AccessController.doPrivileged (new java.security.PrivilegedAction() { public ClassLoader run() { - return Thread.currentThread().getContextClassLoader(); + ClassLoader loader = + Thread.currentThread().getContextClassLoader(); + if (loader == null) { + // Don't use bootstrap class loader directly to ensure + // proper package access control! + loader = ClassLoader.getSystemClassLoader(); + } + + return loader; } }); } @@ -713,17 +706,11 @@ // instantiate the LoginModule // // Allow any object to be a LoginModule as long as it - // conforms to the interface if no customized config or - // noPackageAccessWithTCCL is true. + // conforms to the interface. Class c = Class.forName( moduleStack[i].entry.getLoginModuleName(), true, contextClassLoader); - // check package access for customized config - if (!noPackageAccessWithTCCL && creatorAcc != null) { - c.asSubclass(javax.security.auth.spi.LoginModule.class); - checkPackageAccess(c, creatorAcc); - } Constructor constructor = c.getConstructor(PARAMS); Object[] args = { }; 
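Review bot: In the module-instantiation hunk (`@@ -713,17 +706,11 @@`), the class named by the login configuration is now loaded and initialized by `Class.forName(..., true, contextClassLoader)` and its constructor looked up with no package access check and no `asSubclass(LoginModule.class)` check, including for a customized configuration (`creatorAcc != null`). Whether a restricted package can be named there now depends on `contextClassLoader` enforcing package access itself. The visible code ensures only that it is never the bootstrap loader, so for a caller-supplied TCCL this is an assumption. The shortened comment should record it, e.g. `// Package access is left to contextClassLoader (never the bootstrap loader, see init()); no separate check is made here.` The enclosing method starts and ends outside the hunk.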
@@ -927,35 +914,6 @@ } /** - * check package access of a class that is loaded with Thread Context - * Class Loader (TCCL) with specified access control context. - * - * Similar to java.lang.ClassLoader.checkPackageAccess() - */ - static void checkPackageAccess(Class cls, AccessControlContext context) { - final SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - if (ReflectUtil.isNonPublicProxyClass(cls)) { - for (Class intf: cls.getInterfaces()) { - checkPackageAccess(intf, context); - } - return; - } - - final String name = cls.getName(); - final int i = name.lastIndexOf('.'); - if (i != -1) { - AccessController.doPrivileged(new PrivilegedAction() { - public Void run() { - sm.checkPackageAccess(name.substring(0, i)); - return null; - } - }, context); - } - } - } - - /** * Wrap the caller-specified CallbackHandler in our own * and invoke it within a privileged block, constrained by * the caller's AccessControlContext.