On Tue, 5 Mar 2024 19:53:46 GMT, Weijun Wang <wei...@openjdk.org> wrote:

>> Subject is stored in the RMIConnectionImpl: 
>> src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java
>> 
>> (That is complicated by SubjectDelegation, which we deprecated for removal.  
>> I have the PR out to remove it:
>> https://github.com/openjdk/jdk/pull/18025 )
>> 
>> makeClient in RMIJRMPServerImpl creates RMIConnectionImpl
>> 
>> ..and RMIServerImpl.java has a doNewClient method calling that.  This is 
>> what takes a Credentials Object and deals with JMXAuthenticator to get an 
>> authenticated Subject.  None of this requires the SM.
>
> I see that in `RMIConnectionImpl.java` it is stored inside an 
> `AccessControlContext`, and there are `doPrivileged` calls on this ACC to 
> pass the subject into an action. So, even if there might be no SM, the 
> subject will never be bound to a thread using a scoped value.
> 
> I’ll revert the change then, and this code must have SM allowed to run 
> correctly. If a user runs it with SM disabled, at least they will see a UOE 
> instead of letting `current()` silently return a null.
> 
> Ultimately, if we want it working after SM, we should update 
> `RMIConnectionImpl` and rewrite the ACC-related code to use 
> `Subject.callAs`.

Yes - the JMX implementation stores and retrieves subjects in the 
AccessControlContext and then uses doPrivileged. Subject.doAs is not used in 
the JMX implementation.

There are two different uses of Subject in JMX: 

1. one is a simplified role-based authentication/authorization at the default 
agent level. 
2. The other one is a permission check where different subjects can be granted 
different privileges in the policy file. 

The latter will go away since the SM is going away, but needs to be preserved 
until then.
The former we want to keep, and it needs to keep working (by changing the code to 
use callAs) even after the SM is gone.

Subject delegation allows an authenticated subject (1. above) to perform 
actions on behalf of a delegation subject, where the privileges granted by 2. 
are the intersection of the privileges of the two subjects.
@kevinjwalls is currently working on removing subject delegation.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/17472#discussion_r1515896397
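
An added sketch, not code from the JDK or from anyone in this thread, of the `callAs` rewrite discussed above: the authenticated Subject is kept as a plain field instead of inside an `AccessControlContext`, each operation runs under `Subject.callAs`, and the role check reads `Subject.current()`. The class `CallAsConnectionSketch`, the role table and `checkWrite` are hypothetical names; `Subject.callAs` and `Subject.current` need JDK 18 or later.

```java
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.CompletionException;
import javax.management.remote.JMXPrincipal;
import javax.security.auth.Subject;

// Hypothetical stand-in for a connection object that keeps the authenticated Subject.
public class CallAsConnectionSketch {
    // Constructed role table for the example: principal name -> access level.
    private static final Map<String, String> ACCESS =
            Map.of("monitorRole", "readonly", "controlRole", "readwrite");

    // Plain field; nothing is stored in an AccessControlContext.
    private final Subject subject;

    CallAsConnectionSketch(Subject authenticated) {
        this.subject = authenticated;
    }

    // Role check that finds the caller through Subject.current(), not the ACC.
    static void checkWrite() {
        Subject s = Subject.current();
        if (s == null) throw new SecurityException("no subject bound to this call");
        for (Principal p : s.getPrincipals()) {
            if ("readwrite".equals(ACCESS.get(p.getName()))) return;
        }
        throw new SecurityException("write access denied");
    }

    // The operation runs under callAs, which binds the subject for the action's duration.
    String setAttribute(String name, String value) {
        try {
            return Subject.callAs(subject, () -> {
                checkWrite();
                return name + "=" + value;
            });
        } catch (CompletionException e) {
            // callAs wraps any exception thrown by the action.
            return "denied: " + e.getCause().getMessage();
        }
    }

    public static void main(String[] args) {
        for (String role : new String[] {"monitorRole", "controlRole"}) {
            Subject s = new Subject();
            s.getPrincipals().add(new JMXPrincipal(role));
            System.out.println(role + " -> "
                    + new CallAsConnectionSketch(s).setAttribute("Level", "FINE"));
        }
    }
}
```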
