Fixes #12318 SecurityUtils should not elminate calls to existing methods

jetty · Sep 26, 2024 · 3b4e520 · 3b4e520
1 parent 32156ca
commit 3b4e520
Showing 1 changed file with 6 additions and 16 deletions.
diff --git a/jetty-core/jetty-util/src/main/java/org/eclipse/jetty/util/security/SecurityUtils.java b/jetty-core/jetty-util/src/main/java/org/eclipse/jetty/util/security/SecurityUtils.java
@@ -22,18 +22,12 @@
 import java.util.concurrent.CompletionException;
 import javax.security.auth.Subject;
 
-import org.eclipse.jetty.util.JavaVersion;
-
 /**
  * <p>Collections of utility methods to deal with the scheduled removal
  * of the security classes defined by <a href="https://openjdk.org/jeps/411">JEP 411</a>.</p>
- * <p>To enable usage of a {@link SecurityManager}, the system property {@link #USE_SECURITY_MANAGER} must be set to {@code true}
- * for JVMs after version 21.</p>
  */
 public class SecurityUtils
 {
-    public static final boolean USE_SECURITY_MANAGER = Boolean.parseBoolean(
-        System.getProperty("org.eclipse.jetty.util.security.useSecurityManager", JavaVersion.VERSION.getMajor() <= 21 ? "true" : "false"));
     private static final MethodHandle callAs = lookupCallAs();
     private static final MethodHandle doPrivileged = lookupDoPrivileged();
 
@@ -51,8 +45,6 @@ private static MethodHandle lookupCallAs()
         {
             try
             {
-                if (!USE_SECURITY_MANAGER)
-                    return null;
                 // Otherwise (Java 17), lookup the old API.
                 MethodType oldSignature = MethodType.methodType(Object.class, Subject.class, PrivilegedAction.class);
                 MethodHandle doAs = lookup.findStatic(Subject.class, "doAs", oldSignature);
@@ -70,8 +62,6 @@ private static MethodHandle lookupCallAs()
 
     private static MethodHandle lookupDoPrivileged()
     {
-        if (!USE_SECURITY_MANAGER)
-            return null;
         try
         {
             // Use reflection to work with Java versions that have and don't have AccessController.
@@ -93,8 +83,7 @@ public static Object getSecurityManager()
     {
         try
         {
-            if (!USE_SECURITY_MANAGER)
-                return null;
+            // TODO cache this method on class loading like the other two methods ?
             // Use reflection to work with Java versions that have and don't have SecurityManager.
             return System.class.getMethod("getSecurityManager").invoke(null);
         }
@@ -113,8 +102,7 @@ public static Object getSecurityManager()
      */
     public static void checkPermission(Permission permission) throws SecurityException
     {
-        if (!USE_SECURITY_MANAGER)
-            return;
+        // TODO cache this methodon class loading like the other two methods ?
         Object securityManager = SecurityUtils.getSecurityManager();
         if (securityManager == null)
             return;
@@ -142,9 +130,11 @@ public static void checkPermission(Permission permission) throws SecurityExcepti
      */
     public static <T> T doPrivileged(PrivilegedAction<T> action)
     {
-        if (!USE_SECURITY_MANAGER || doPrivileged == null)
+        // Keep this method short and inlineable.
+        MethodHandle methodHandle = doPrivileged;
+        if (methodHandle == null)
             return action.run();
-        return doPrivileged(doPrivileged, action);
+        return doPrivileged(methodHandle, action);
     }
 
     @SuppressWarnings("unchecked")