OpenJDK / jdk / hs
changeset 23913:049a0df69b88
8030655: Regression: 14_01 Security fix 8024306 causes test failures
Reviewed-by: mullan, xuelei, ahgross
author | weijun |
---|---|
date | Wed, 15 Jan 2014 11:23:07 +0800 |
parents | 9eab25093a89 |
children | 754ca74db76a |
files | jdk/src/share/classes/javax/security/auth/Subject.java |
diffstat | 1 files changed, 19 insertions(+), 3 deletions(-) [+] |
--- a/jdk/src/share/classes/javax/security/auth/Subject.java Mon Nov 25 15:00:36 2013 +0800
+++ b/jdk/src/share/classes/javax/security/auth/Subject.java Wed Jan 15 11:23:07 2014 +0800
@@ -959,14 +959,30 @@
 /**
 * Reads this object from a stream (i.e., deserializes it)
 */
+ @SuppressWarnings("unchecked")
 private void readObject(java.io.ObjectInputStream s)
 throws java.io.IOException, ClassNotFoundException {
- s.defaultReadObject();
+ ObjectInputStream.GetField gf = s.readFields();
+
+ readOnly = gf.get("readOnly", false);
+
+ Set<Principal> inputPrincs = (Set<Principal>)gf.get("principals", null);
 // Rewrap the principals into a SecureSet
- principals = Collections.synchronizedSet(new SecureSet<Principal>
- (this, PRINCIPAL_SET, principals));
+ if (inputPrincs == null) {
+ throw new NullPointerException
+ (ResourcesMgr.getString("invalid.null.input.s."));
+ }
+ try {
+ principals = Collections.synchronizedSet(new SecureSet<Principal>
+ (this, PRINCIPAL_SET, inputPrincs));
+ } catch (NullPointerException npe) {
+ // Sometimes people deserialize the principals set only.
+ // Subject is not accessible, so just don't fail.
+ principals = Collections.synchronizedSet
+ (new SecureSet<Principal>(this, PRINCIPAL_SET));
+ }
 // The Credential {@code Set} is not serialized, but we do not
 // want the default deserialization routine to set it to null.
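Review bot: The `catch (NullPointerException npe)` around the `SecureSet` construction treats every NPE from that constructor as the benign "principals set deserialized on its own" case and silently substitutes an empty principal set. The constructor body is outside this hunk, so it is not visible which statement is expected to throw; if it also rejects null elements, a malformed `principals` collection in the stream would yield a Subject with no principals instead of a deserialization failure. Because the stream is untrusted input, the comment should at least name the exact condition being tolerated, and ideally that condition would be tested explicitly rather than inferred from the exception type. Separately, the cast in `(Set<Principal>)gf.get("principals", null)` is unguarded, so a non-`Set` object in the stream surfaces as `ClassCastException`; a check such as `if (!(o instanceof Set)) throw new java.io.InvalidObjectException("principals");` before the cast would keep bad stream data inside the `IOException` contract of `readObject`. The body of `readObject` continues past the end of the hunk.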