This is an automated email from the ASF dual-hosted git repository. rzo1 pushed a commit to branch jdk24 in repository https://gitbox.apache.org/repos/asf/tomee.git
commit c3ad276ae84306c6e75e44d0f5394decaadbb8cf
Author: Richard Zowalla <r...@apache.org>
AuthorDate: Tue Jun 24 13:54:02 2025 +0200
JDK 24?
---
.../openejb/core/security/AbstractSecurityService.java | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/container/openejb-core/src/main/java/org/apache/openejb/core/security/AbstractSecurityService.java b/container/openejb-core/src/main/java/org/apache/openejb/core/security/AbstractSecurityService.java
index 4c3a6ee78f..7893b339de 100644
--- a/container/openejb-core/src/main/java/org/apache/openejb/core/security/AbstractSecurityService.java
+++ b/container/openejb-core/src/main/java/org/apache/openejb/core/security/AbstractSecurityService.java
@@ -50,6 +50,7 @@ import java.security.Policy;
 import java.security.Principal;
 import java.security.PrivilegedAction;
 import java.security.ProtectionDomain;
+import java.security.cert.Certificate;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.LinkedHashSet;
@@ -375,8 +376,8 @@ public abstract class AbstractSecurityService implements DestroyableResource, Se
 public boolean isCallerAuthorized(final Method method, final InterfaceType type) {
 final ThreadContext threadContext = ThreadContext.getThreadContext();
 final BeanContext beanContext = threadContext.getBeanContext();
- final String ejbName = beanContext.getEjbName();
 try {
+ final String ejbName = beanContext.getEjbName();
 String name = type == null ? null : type.getSpecName();
 if ("LocalBean".equals(name) || "LocalBeanHome".equals(name)) {
 name = null;
@@ -389,18 +390,21 @@ public abstract class AbstractSecurityService implements DestroyableResource, Se
 } else {
 securityContext = new SecurityContext(currentIdentity.getSubject());
 }
- securityContext.getAccessControlContext().checkPermission(new EJBMethodPermission(ejbName, name, method));
+ getPolicy().implies(newProtectionDomain(securityContext.subject.getPrincipals()), new EJBMethodPermission(ejbName, name, method));
 } catch (final AccessControlException e) {
- if ("openejb/Deployer".equals(ejbName)
- || type == BUSINESS_LOCALBEAN_HOME
- || type == LOCALBEAN) {
- return true;
- }
 return false;
 }
 return true;
 }
 
+ private ProtectionDomain newProtectionDomain(Set<Principal> principalSet) {
+ return new ProtectionDomain(
+ new CodeSource(null, (Certificate[]) null),
+ null,
+ null,
+ principalSet == null ? null : principalSet.toArray(Principal[]::new));
+ }
+
 protected static String autoJaccProvider() {
 return SystemInstance.isInitialized() ?
 SystemInstance.get().getProperty(JaccProvider.class.getName(), BasicJaccProvider.class.getName()) :
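Review bot: The boolean returned by `getPolicy().implies(...)` is discarded, so a denied `EJBMethodPermission` no longer makes `isCallerAuthorized` return false. The removed `checkPermission` call signalled denial by throwing `AccessControlException`, whereas `Policy.implies` signals it only through its return value, so the method now falls through to `return true` unless something else in the try block throws. The decision should be returned directly, e.g. `return getPolicy().implies(newProtectionDomain(securityContext.subject.getPrincipals()), new EJBMethodPermission(ejbName, name, method));`, and the remaining `catch` looks unreachable for the authorization path. The commit also drops the allowances for `openejb/Deployer`, `BUSINESS_LOCALBEAN_HOME` and `LOCALBEAN`; once denial is honoured, whether those callers still need a pass should be an explicit choice. The start of `isCallerAuthorized` is in the previous hunk and `getPolicy()` is not visible here, so its behaviour when no policy is installed should be confirmed.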