Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes #12318 SecurityUtils should not elminate calls to existing methods #12319

Merged
merged 3 commits into from
Oct 22, 2024
Merged

Fixes #12318 SecurityUtils should not elminate calls to existing methods #12319

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b1b19db
Fixes #12318 SecurityUtils should not elminate calls to existing methods
stoty Sep 26, 2024
0a25638
address review comments
stoty Oct 18, 2024
9f4bc91
comment cleanup
stoty Oct 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 43 additions & 20 deletions jetty-core/jetty-util/src/main/java/org/eclipse/jetty/util/security/SecurityUtils.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,20 +22,16 @@
import java.util.concurrent.CompletionException;
import javax.security.auth.Subject;

import org.eclipse.jetty.util.JavaVersion;

/**
* <p>Collections of utility methods to deal with the scheduled removal
* of the security classes defined by <a href="https://openjdk.org/jeps/411">JEP 411</a>.</p>
* <p>To enable usage of a {@link SecurityManager}, the system property {@link #USE_SECURITY_MANAGER} must be set to {@code true}
* for JVMs after version 21.</p>
*/
public class SecurityUtils
{
public static final boolean USE_SECURITY_MANAGER = Boolean.parseBoolean(
System.getProperty("org.eclipse.jetty.util.security.useSecurityManager", JavaVersion.VERSION.getMajor() <= 21 ? "true" : "false"));
private static final MethodHandle callAs = lookupCallAs();
private static final MethodHandle doPrivileged = lookupDoPrivileged();
private static final MethodHandle getSecurityManager = lookupGetSecurityManager();
private static final MethodHandle checkPermission = lookupCheckPermission();

private static MethodHandle lookupCallAs()
{
Expand All @@ -51,8 +47,6 @@ private static MethodHandle lookupCallAs()
{
try
{
if (!USE_SECURITY_MANAGER)
return null;
// Otherwise (Java 17), lookup the old API.
MethodType oldSignature = MethodType.methodType(Object.class, Subject.class, PrivilegedAction.class);
MethodHandle doAs = lookup.findStatic(Subject.class, "doAs", oldSignature);
Expand All @@ -70,8 +64,6 @@ private static MethodHandle lookupCallAs()

private static MethodHandle lookupDoPrivileged()
{
if (!USE_SECURITY_MANAGER)
return null;
try
{
// Use reflection to work with Java versions that have and don't have AccessController.
Expand All @@ -85,18 +77,48 @@ private static MethodHandle lookupDoPrivileged()
}
}

private static MethodHandle lookupGetSecurityManager()
{
try
{
// Use reflection to work with Java versions that have and don't have System.getSecurityManager().
MethodHandles.Lookup lookup = MethodHandles.lookup();
return lookup.findStatic(java.lang.System.class, "getSecurityManager", MethodType.methodType(Object.class));
}
catch (Throwable x)
{
return null;
}
}

private static MethodHandle lookupCheckPermission()
{
try
{
// Use reflection to work with Java versions that have and don't have SecurityManager.
Class<?> klass = ClassLoader.getPlatformClassLoader().loadClass("java.lang.SecurityManager");
MethodHandles.Lookup lookup = MethodHandles.lookup();
return lookup.findVirtual(klass, "checkPermission", MethodType.methodType(Void.class, Permission.class));
}
catch (Throwable x)
{
return null;
}
}

/**
* Get the current security manager, if available.
* @return the current security manager, if available
*/
public static Object getSecurityManager()
{
if (getSecurityManager == null)
{
return null;
}
try
{
if (!USE_SECURITY_MANAGER)
return null;
// Use reflection to work with Java versions that have and don't have SecurityManager.
return System.class.getMethod("getSecurityManager").invoke(null);
return getSecurityManager.invoke();
}
catch (Throwable ignored)
{
Expand All @@ -113,17 +135,18 @@ public static Object getSecurityManager()
*/
public static void checkPermission(Permission permission) throws SecurityException
{
if (!USE_SECURITY_MANAGER)
if (getSecurityManager == null || checkPermission == null)
{
return;
}
Object securityManager = SecurityUtils.getSecurityManager();
if (securityManager == null)
return;
try
{
securityManager.getClass().getMethod("checkPermission")
.invoke(securityManager, permission);
checkPermission.invoke(securityManager, permission);
}
catch (SecurityException x)
catch (SecurityException | NullPointerException x)
{
throw x;
}
Expand All @@ -142,7 +165,7 @@ public static void checkPermission(Permission permission) throws SecurityExcepti
*/
public static <T> T doPrivileged(PrivilegedAction<T> action)
{
if (!USE_SECURITY_MANAGER || doPrivileged == null)
if (doPrivileged == null)
return action.run();
return doPrivileged(doPrivileged, action);
}
Expand All @@ -165,7 +188,7 @@ private static <T> T doPrivileged(MethodHandle doPrivileged, PrivilegedAction<T>
}

/**
* <p>Runs the given action as the given subject.</p>
* <p>Runs the action as the given subject.</p>
*
* @param subject the subject this action runs as
* @param action the action to run
Expand Down
Loading