On Wed, 2 Jun 2021 18:18:46 GMT, Daniel Fuchs <dfu...@openjdk.org> wrote:
>> Bradford Wetmore has updated the pull request with a new target base due to
>> a merge or a rebase. The pull request now contains six commits:
>>
>> - Merge branch 'master' into JDK-8267485
>> - Merge branch 'master' into JDK-8267485
>> - Replace missing annotation
>> - Merge branch 'master' into JDK-8267485
>> - Updated copyright date.
>> - 8267485: Remove the dependency on SecurityManager in
>> JceSecurityManager.java
>
> src/java.base/share/classes/javax/crypto/JceSecurityManager.java line 107:
>
>> 105: List<StackFrame> stack = StackWalker.getInstance(
>> 106: StackWalker.Option.RETAIN_CLASS_REFERENCE)
>> 107: .walk((s) -> s.collect(Collectors.toList()));
>
> StackWalker.getInstance(StackWalker.Option.RETAIN_CLASS_REFERENCE) will
> require a permission check.
> As long as the SecurityManager is still functional, doesn't this mean that
> creating the StackWalker should be performed in a doPrivileged? If so maybe
> it should be done in a (possibly static) initializer. Or is it intentional to
> check that the caller (and the whole calling stack) posses the
> `RuntimePermission("getStackWalkerWithClassReference")`?
Good catch, thanks.
-------------
PR: https://git.openjdk.java.net/jdk/pull/4150
