On Fri, 22 Oct 2021 21:53:30 GMT, Bernd <d...@openjdk.java.net> wrote:
>> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>>
>>   renames
>
> src/java.base/share/classes/javax/security/auth/Subject.java line 475:
>
>> 473: * call {@link #callAs} to perform the same work, which is based on
>> 474: * {@link #doAs(Subject, PrivilegedExceptionAction)}
>> 475: * by default in this implementation.
>
> Should it also mention that unless you define the TL system property it will still affect the new current() call? (Just to introduce the concept by repetition).

I just don't want to touch existing spec. Even for `doAs`, I only said "callAs is based on doAs by default" and didn't go on to explain what is NOT by default. Is that OK?

> src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Context.java line 708:
>
>> 706: @SuppressWarnings("removal")
>> 707: final Subject subject =
>> 708: AccessController.doPrivilegedWithCombiner(
>
> Is this actually needed and correct to wrap this into a privileged action?

Oh, it's needed. Otherwise the `AccessController.getContext()` call (which is inside `current()`) will also be called in a clean privileged context and there is no subject associated with it. On the other hand, it still needs to be in some sort of doPriv. I don't want to ignore `AuthPermission("getSubject")`.

-------------

PR: https://git.openjdk.java.net/jdk/pull/5024