On Fri, 22 Oct 2021 21:53:30 GMT, Bernd <d...@openjdk.java.net> wrote:

>> Weijun Wang has updated the pull request incrementally with one additional 
>> commit since the last revision:
>> 
>>   renames
>
> src/java.base/share/classes/javax/security/auth/Subject.java line 475:
> 
>> 473:      *       call {@link #callAs} to perform the same work, which is 
>> based on
>> 474:      *       {@link #doAs(Subject, PrivilegedExceptionAction)}
>> 475:      *       by default in this implementation.
> 
> Should it also mention that unless you define the TL system property it will 
> still affect the new current() call? (Just to introduce the concept by 
> repetition).

I just don't want to touch existing spec. Even for `doAs`, I only said "callAs 
is based on doAs by default" and didn't went out explaining what is NOT by 
default. Is that OK?

> src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Context.java 
> line 708:
> 
>> 706:                             @SuppressWarnings("removal")
>> 707:                             final Subject subject =
>> 708:                                 
>> AccessController.doPrivilegedWithCombiner(
> 
> Is this actually needed and correct to wrap this into a priveledged action?

Oh, it's needed. Otherwise the `AccessController.getContext()` call (which is 
inside `current()`) will also be called in a clean privileged context and there 
is no subject associated with it.

On the other hand, it still needs to in some sort of doPriv. I don't want to 
ignore `AuthPermission("getSubject")`.

-------------

PR: https://git.openjdk.java.net/jdk/pull/5024

Reply via email to