On Tue, 30 Jan 2024 21:58:28 GMT, Weijun Wang <wei...@openjdk.org> wrote:
>> This code change adds an alternative implementation of user-based
>> authorization `Subject` APIs that doesn't depend on Security Manager APIs.
>> Depending on if the Security Manager is allowed, the methods store the
>> current subject differently. See the spec change in the `Subject.java` file
>> for details. When the Security Manager APIs are finally removed in a future
>> release, this new implementation will be only implementation for these
>> methods.
>>
>> One major change in the new implementation is that `Subject.getSubject`
>> always throws an `UnsupportedOperationException` since it has an
>> `AccessControlContext` argument but the current subject is no longer
>> associated with an `AccessControlContext` object.
>>
>> Now it's the time to migrate from the `getSubject` and `doAs` methods to
>> `current` and `callAs`. If the user application is simply calling
>> `getSubject(AccessController.getContext())`, then switching to `current()`
>> would work. If the `AccessControlContext` argument is retrieved from an
>> earlier `getContext()` call and the associated subject might be different
>> from that of the current `AccessControlContext`, then instead of storing the
>> previous `AccessControlContext` object and passing it into `getSubject` to
>> get the "previous" subject, the application should store the `current()`
>> return value directly.
>
> Weijun Wang has updated the pull request incrementally with one additional
> commit since the last revision:
>
> fix MBeanServerFileAccessController, more test in SM
test/jdk/javax/management/monitor/ThreadPoolAccTest.java line 69:
> 67: }
> 68: private void setPrincipal() {
> 69: Subject subject = Subject.current();
Why change this to `Subject.current()` if you are requiring the SM to be
allowed?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/17472#discussion_r1511332276
