From e2ce76ca09f8d3eb2e33ec1209d9ce7b7de6a4f9 Mon Sep 17 00:00:00 2001 
From: mbaedke Date: Tue, 17 Dec 2024 10:09:41 +0100 Subject: [PATCH] OAK-11199: Java 23: getSubject is supported only if a security manager is allowed (#1891) Added new class to replace the deprecated API --- .../external/impl/jmx/Delegatee.java | 4 +- .../external/AbstractExternalAuthTest.java | 4 +- .../ExternalIdentityImporterTest.java | 4 +- ...ssControlManagerLimitedSystemUserTest.java | 3 +- .../impl/ReadablePathsAccessControlTest.java | 15 +-- .../oak/benchmark/AbstractTest.java | 3 +- .../jackrabbit/oak/benchmark/CugOakTest.java | 3 +- .../oak/benchmark/LoginSystemTest.java | 3 +- oak-commons/pom.xml | 3 +- .../oak/commons/jdkcompat/Java23Subject.java | 115 ++++++++++++++++++ .../oak/commons/jdkcompat/package-info.java | 28 +++++ .../commons/jdkcompat/Java23SubjectTest.java | 58 +++++++++ .../LoginContextProviderImpl.java | 4 +- .../ChangeCollectorProviderTest.java | 4 +- .../LoginContextProviderImplTest.java | 3 +- .../security/authentication/PreAuthTest.java | 13 +- .../user/LoginModuleImplTest.java | 3 +- .../RepoPolicyTreePermissionTest.java | 3 +- .../user/CacheValidatorProviderTest.java | 4 +- .../user/CachedGroupPrincipalTest.java | 4 +- .../CachedPrincipalMembershipReaderTest.java | 6 +- .../user/PasswordExpiryAdminTest.java | 4 +- .../security/user/UserInitializerTest.java | 6 +- .../UserPrincipalProviderWithCacheTest.java | 6 +- .../authentication/preauthentication.md | 2 +- .../jackrabbit/j2ee/IndexInitializer.java | 3 +- .../authentication/L9_NullLoginTest.java | 3 +- .../AbstractPrincipalBasedTest.java | 3 +- .../oak/composite/blueGreen/Persistence.java | 4 +- oak-security-spi/pom.xml | 5 + .../authentication/AbstractLoginModule.java | 3 +- 31 files changed, 272 insertions(+), 54 deletions(-) create mode 100644 oak-commons/src/main/java/org/apache/jackrabbit/oak/commons/jdkcompat/Java23Subject.java create mode 100755 oak-commons/src/main/java/org/apache/jackrabbit/oak/commons/jdkcompat/package-info.java create mode 100755 
oak-commons/src/test/java/org/apache/jackrabbit/oak/commons/jdkcompat/Java23SubjectTest.java diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java index cf8157a3bec..fa3b0684df7 100644 --- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java +++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java @@ -23,6 +23,7 @@ import org.apache.jackrabbit.oak.api.ContentRepository; import org.apache.jackrabbit.oak.api.ContentSession; import org.apache.jackrabbit.oak.api.Root; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.namepath.NamePathMapper; import org.apache.jackrabbit.oak.plugins.value.jcr.ValueFactoryImpl; import org.apache.jackrabbit.oak.spi.security.SecurityProvider; @@ -46,7 +47,6 @@ import org.slf4j.LoggerFactory; import javax.jcr.RepositoryException; -import javax.security.auth.Subject; import java.io.IOException; import java.security.PrivilegedActionException; import java.security.PrivilegedExceptionAction; @@ -107,7 +107,7 @@ static Delegatee createInstance(@NotNull final ContentRepository repository, int batchSize) { ContentSession systemSession; try { - systemSession = Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> repository.login(null, null)); + systemSession = Java23Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> repository.login(null, null)); } catch (PrivilegedActionException e) { throw new SyncRuntimeException(ERROR_CREATE_DELEGATEE, e); } 
diff --git a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/AbstractExternalAuthTest.java b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/AbstractExternalAuthTest.java index 3fdc930c3a9..1df8bffee8c 100644 --- a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/AbstractExternalAuthTest.java +++ b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/AbstractExternalAuthTest.java @@ -27,6 +27,7 @@ import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.api.Type; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.commons.collections.CollectionUtils; import org.apache.jackrabbit.oak.spi.security.SecurityProvider; import org.apache.jackrabbit.oak.spi.security.authentication.SystemSubject; @@ -44,7 +45,6 @@ import org.junit.Rule; import javax.jcr.RepositoryException; -import javax.security.auth.Subject; import java.security.PrivilegedExceptionAction; import java.util.Calendar; import java.util.Collections; @@ -213,7 +213,7 @@ protected DefaultSyncHandler registerSyncHandler(@NotNull Map sy @NotNull protected Root getSystemRoot() throws Exception { if (systemRoot == null) { - systemSession = Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> getContentRepository().login(null, null)); + systemSession = Java23Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> getContentRepository().login(null, null)); systemRoot = systemSession.getLatestRoot(); } return systemRoot; 
diff --git a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalIdentityImporterTest.java b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalIdentityImporterTest.java index c46e3a951cb..6dae601d34b 100644 --- a/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalIdentityImporterTest.java +++ b/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalIdentityImporterTest.java @@ -24,9 +24,9 @@ import javax.jcr.Repository; import javax.jcr.Session; import javax.jcr.SimpleCredentials; -import javax.security.auth.Subject; import org.apache.jackrabbit.api.JackrabbitRepository; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.jcr.Jcr; import org.apache.jackrabbit.oak.query.QueryEngineSettings; import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; @@ -88,7 +88,7 @@ private static void shutdown(Repository repo) { Session createSession(Repository repo, boolean isSystem) throws Exception { if (isSystem) { - return Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> repo.login(null, null)); + return Java23Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> repo.login(null, null)); } else { return repo.login(new SimpleCredentials(UserConstants.DEFAULT_ADMIN_ID, UserConstants.DEFAULT_ADMIN_ID.toCharArray())); } diff --git a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AccessControlManagerLimitedSystemUserTest.java b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AccessControlManagerLimitedSystemUserTest.java index da697b6625c..cd5bcaface2 100644 
--- a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AccessControlManagerLimitedSystemUserTest.java +++ b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AccessControlManagerLimitedSystemUserTest.java @@ -20,6 +20,7 @@ import org.apache.jackrabbit.api.security.user.User; import org.apache.jackrabbit.oak.api.AuthInfo; import org.apache.jackrabbit.oak.api.Root; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.spi.security.authentication.AuthInfoImpl; import org.jetbrains.annotations.NotNull; import org.jetbrains.annotations.Nullable; @@ -62,7 +63,7 @@ Root createTestRoot() throws Exception { Set principals = Set.of(testPrincipal); AuthInfo authInfo = new AuthInfoImpl(UID, Collections.emptyMap(), principals); Subject subject = new Subject(true, principals, Set.of(authInfo), Set.of()); - return Subject.doAsPrivileged(subject, (PrivilegedExceptionAction) () -> getContentRepository().login(null, null).getLatestRoot(), null); + return Java23Subject.doAsPrivileged(subject, (PrivilegedExceptionAction) () -> getContentRepository().login(null, null).getLatestRoot(), null); } void grant(@NotNull Principal principal, @Nullable String path, @NotNull String... privNames) throws Exception { diff --git a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ReadablePathsAccessControlTest.java b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ReadablePathsAccessControlTest.java index 68b68cd4728..80e1caf9aa7 100644 --- a/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ReadablePathsAccessControlTest.java 
+++ b/oak-authorization-principalbased/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ReadablePathsAccessControlTest.java @@ -22,6 +22,7 @@ import org.apache.jackrabbit.JcrConstants; import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager; import org.apache.jackrabbit.oak.api.ContentSession; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.commons.PathUtils; import org.apache.jackrabbit.oak.commons.collections.CollectionUtils; import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration; @@ -84,7 +85,7 @@ private Subject getTestSubject() { @Test public void testHasPrivilege() throws Exception { - try (ContentSession cs = Subject.doAsPrivileged(getTestSubject(), (PrivilegedExceptionAction) () -> getContentRepository().login(null, null), null)) { + try (ContentSession cs = Java23Subject.doAsPrivileged(getTestSubject(), (PrivilegedExceptionAction) () -> getContentRepository().login(null, null), null)) { PrincipalBasedAccessControlManager testAcMgr = new PrincipalBasedAccessControlManager(getMgrProvider(cs.getLatestRoot()), getFilterProvider()); Set principals = Collections.singleton(testPrincipal); @@ -99,7 +100,7 @@ public void testHasPrivilege() throws Exception { @Test public void testNotHasPrivilege() throws Exception { - try (ContentSession cs = Subject.doAsPrivileged(getTestSubject(), (PrivilegedExceptionAction) () -> getContentRepository().login(null, null), null)) { + try (ContentSession cs = Java23Subject.doAsPrivileged(getTestSubject(), (PrivilegedExceptionAction) () -> getContentRepository().login(null, null), null)) { PrincipalBasedAccessControlManager testAcMgr = new PrincipalBasedAccessControlManager(getMgrProvider(cs.getLatestRoot()), getFilterProvider()); Set principals = Collections.singleton(testPrincipal); 
@@ -140,7 +141,7 @@ public void testNotHasPrivilegePrincipal() throws Exception { @Test public void testGetPrivileges() throws Exception { - try (ContentSession cs = Subject.doAsPrivileged(getTestSubject(), (PrivilegedExceptionAction) () -> getContentRepository().login(null, null), null)) { + try (ContentSession cs = Java23Subject.doAsPrivileged(getTestSubject(), (PrivilegedExceptionAction) () -> getContentRepository().login(null, null), null)) { PrincipalBasedAccessControlManager testAcMgr = new PrincipalBasedAccessControlManager(getMgrProvider(cs.getLatestRoot()), getFilterProvider()); Privilege[] expected = privilegesFromNames(JCR_READ); @@ -152,7 +153,7 @@ public void testGetPrivileges() throws Exception { @Test(expected = PathNotFoundException.class) public void testGetPrivilegesAtRoot() throws Exception { - try (ContentSession cs = Subject.doAsPrivileged(getTestSubject(), (PrivilegedExceptionAction) () -> getContentRepository().login(null, null), null)) { + try (ContentSession cs = Java23Subject.doAsPrivileged(getTestSubject(), (PrivilegedExceptionAction) () -> getContentRepository().login(null, null), null)) { PrincipalBasedAccessControlManager testAcMgr = new PrincipalBasedAccessControlManager(getMgrProvider(cs.getLatestRoot()), getFilterProvider()); testAcMgr.getPrivileges(ROOT_PATH); } 
@@ -186,7 +187,7 @@ public void testGetEffectivePoliciesNullPath() throws Exception { @Test(expected = AccessDeniedException.class) public void testGetEffectivePoliciesLimitedAccess() throws Exception { - try (ContentSession cs = Subject.doAsPrivileged(getTestSubject(), (PrivilegedExceptionAction) () -> getContentRepository().login(null, null), null)) { + try (ContentSession cs = Java23Subject.doAsPrivileged(getTestSubject(), (PrivilegedExceptionAction) () -> getContentRepository().login(null, null), null)) { PrincipalBasedAccessControlManager testAcMgr = new PrincipalBasedAccessControlManager(getMgrProvider(cs.getLatestRoot()), getFilterProvider()); testAcMgr.getEffectivePolicies(readablePaths.next()); } @@ -201,7 +202,7 @@ public void testGetEffectivePoliciesLimitedAccess2() throws Exception { root.commit(); // test-session can read-ac at readable path but cannot access principal-based policy - try (ContentSession cs = Subject.doAsPrivileged(getTestSubject(), (PrivilegedExceptionAction) () -> getContentRepository().login(null, null), null)) { + try (ContentSession cs = Java23Subject.doAsPrivileged(getTestSubject(), (PrivilegedExceptionAction) () -> getContentRepository().login(null, null), null)) { PrincipalBasedAccessControlManager testAcMgr = new PrincipalBasedAccessControlManager(getMgrProvider(cs.getLatestRoot()), getFilterProvider()); Set effective = ImmutableSet.copyOf(testAcMgr.getEffectivePolicies(path)); 
@@ -220,7 +221,7 @@ public void testGetEffectivePoliciesLimitedAccess3() throws Exception { root.commit(); // test-session can read-ac at readable path and at principal-based policy - try (ContentSession cs = Subject.doAsPrivileged(getTestSubject(), (PrivilegedExceptionAction) () -> getContentRepository().login(null, null), null)) { + try (ContentSession cs = Java23Subject.doAsPrivileged(getTestSubject(), (PrivilegedExceptionAction) () -> getContentRepository().login(null, null), null)) { PrincipalBasedAccessControlManager testAcMgr = new PrincipalBasedAccessControlManager(getMgrProvider(cs.getLatestRoot()), getFilterProvider()); Set effective = CollectionUtils.toSet(testAcMgr.getEffectivePolicies(path)); diff --git a/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/AbstractTest.java b/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/AbstractTest.java index 099d8107e79..36b264c203d 100644 --- a/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/AbstractTest.java +++ b/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/AbstractTest.java @@ -36,6 +36,7 @@ import org.apache.commons.lang3.ArrayUtils; import org.apache.commons.math3.stat.descriptive.DescriptiveStatistics; import org.apache.commons.math3.stat.descriptive.SynchronizedDescriptiveStatistics; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.commons.Profiler; import org.apache.jackrabbit.oak.fixture.RepositoryFixture; import org.apache.jackrabbit.oak.spi.security.authentication.SystemSubject; @@ -585,7 +586,7 @@ protected Session systemLogin() { protected Session loginSubject(@NotNull Subject subject) { try { - return Subject.doAsPrivileged(subject, new PrivilegedExceptionAction() { + return Java23Subject.doAsPrivileged(subject, new PrivilegedExceptionAction() { @Override public Session run() throws Exception { return getRepository().login(null, null); 
diff --git a/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/CugOakTest.java b/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/CugOakTest.java index 53ad214caf9..a9fe6114352 100644 --- a/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/CugOakTest.java +++ b/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/CugOakTest.java @@ -29,6 +29,7 @@ import org.apache.jackrabbit.oak.api.ContentSession; import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Root; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.fixture.JcrCreator; import org.apache.jackrabbit.oak.fixture.OakRepositoryFixture; import org.apache.jackrabbit.oak.fixture.RepositoryFixture; @@ -89,7 +90,7 @@ protected void runTest() throws Exception { if (singleSession) { readSession = cs; } else { - readSession = Subject.doAs(subject, new PrivilegedAction() { + readSession = Java23Subject.doAs(subject, new PrivilegedAction() { @Override public ContentSession run() { try { diff --git a/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/LoginSystemTest.java b/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/LoginSystemTest.java index 5e3d2911033..12851cb5430 100644 --- a/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/LoginSystemTest.java +++ b/oak-benchmarks/src/main/java/org/apache/jackrabbit/oak/benchmark/LoginSystemTest.java @@ -25,6 +25,7 @@ import javax.security.auth.Subject; import org.apache.jackrabbit.core.security.SystemPrincipal; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.jcr.repository.RepositoryImpl; import org.apache.jackrabbit.oak.spi.security.authentication.SystemSubject; 
@@ -46,7 +47,7 @@ public void beforeSuite() throws Exception { public void runTest() throws RepositoryException { for (int i = 0; i < COUNT; i++) { try { - Subject.doAsPrivileged(subject, new PrivilegedExceptionAction() { + Java23Subject.doAsPrivileged(subject, new PrivilegedExceptionAction() { @Override public Session run() throws Exception { return getRepository().login(null, null); diff --git a/oak-commons/pom.xml b/oak-commons/pom.xml index a3d43214ee3..d10d8de791a 100644 --- a/oak-commons/pom.xml +++ b/oak-commons/pom.xml @@ -55,7 +55,8 @@ org.apache.jackrabbit.oak.commons.json, org.apache.jackrabbit.oak.commons.log, org.apache.jackrabbit.oak.commons.sort, - org.apache.jackrabbit.oak.commons.properties + org.apache.jackrabbit.oak.commons.properties, + org.apache.jackrabbit.oak.commons.jdkcompat diff --git a/oak-commons/src/main/java/org/apache/jackrabbit/oak/commons/jdkcompat/Java23Subject.java b/oak-commons/src/main/java/org/apache/jackrabbit/oak/commons/jdkcompat/Java23Subject.java new file mode 100644 index 00000000000..63c4fe248e6 --- /dev/null +++ b/oak-commons/src/main/java/org/apache/jackrabbit/oak/commons/jdkcompat/Java23Subject.java 
@@ -0,0 +1,115 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.oak.commons.jdkcompat; + +import javax.security.auth.Subject; +import java.lang.reflect.InvocationTargetException; +import java.lang.reflect.Method; +import java.security.AccessControlContext; +import java.security.AccessController; +import java.security.PrivilegedAction; +import java.security.PrivilegedActionException; +import java.security.PrivilegedExceptionAction; +import java.util.concurrent.Callable; + +/** + * This class contains methods replacing the deprecated + * {@link Subject#getSubject(AccessControlContext)} + * and associated methods, which changed their behavior + * with Java 23 (@see https://inside.java/2024/07/08/quality-heads-up). 
+ */ +public class Java23Subject { + + static Method current, callAs; + + static { + try { + current = Subject.class.getMethod("current"); + callAs = Subject.class.getMethod("callAs", Subject.class, Callable.class); + } catch (NoSuchMethodException ignored) {} + } + + public static Subject getSubject() { + Subject result; + if (current != null) { + try { + result = (Subject) current.invoke(null); + } catch (InvocationTargetException | IllegalAccessException e) { + throw new SecurityException(e); + } + } else { + result = Subject.getSubject(AccessController.getContext()); + } + return result; + } + + public static T doAs(Subject subject, PrivilegedAction action) { + T result; + if (callAs != null) { + try { + result = (T) callAs.invoke(null, subject, (Callable) () -> action.run()); + } catch (InvocationTargetException | IllegalAccessException e) { + throw new SecurityException(e); + } + } else { + result = Subject.doAs(subject, action); + } + return result; + } + + public static T doAsPrivileged(Subject subject, PrivilegedAction action, AccessControlContext acc) { + T result; + if (callAs != null) { + try { + result = (T) callAs.invoke(null, subject, (Callable) () -> action.run()); + } catch (InvocationTargetException | IllegalAccessException e) { + throw new SecurityException(e); + } + } else { + result = Subject.doAsPrivileged(subject, action, acc); + } + return result; + } + + public static T doAs(Subject subject, PrivilegedExceptionAction action) throws PrivilegedActionException { + T result; + if (callAs != null) { + try { + result = (T) callAs.invoke(null, subject, (Callable) () -> action.run()); + } catch (InvocationTargetException | IllegalAccessException e) { + throw new SecurityException(e); + } + } else { + result = Subject.doAs(subject, action); + } + return result; + } + + public static T doAsPrivileged(Subject subject, PrivilegedExceptionAction action, AccessControlContext acc) throws PrivilegedActionException { + T result; + if (callAs != null) { + 
try { + result = (T) callAs.invoke(null, subject, (Callable) () -> action.run()); + } catch (InvocationTargetException | IllegalAccessException e) { + throw new SecurityException(e); + } + } else { + result = Subject.doAsPrivileged(subject, action, acc); + } + return result; + } +} diff --git a/oak-commons/src/main/java/org/apache/jackrabbit/oak/commons/jdkcompat/package-info.java b/oak-commons/src/main/java/org/apache/jackrabbit/oak/commons/jdkcompat/package-info.java new file mode 100755 index 00000000000..d7ad32e566f --- /dev/null +++ b/oak-commons/src/main/java/org/apache/jackrabbit/oak/commons/jdkcompat/package-info.java @@ -0,0 +1,28 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +/** + * Package containing utilities to handle incompatible JDK changes. + */ +@Internal +@Version("1.0.0") +package org.apache.jackrabbit.oak.commons.jdkcompat; + +import org.apache.jackrabbit.oak.commons.annotations.Internal; +import org.osgi.annotation.versioning.Version; 
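Review bot: On the `callAs` path every exception thrown by the action comes back as `SecurityException(InvocationTargetException(CompletionException(cause)))`, so the two `PrivilegedExceptionAction` overloads never throw the `PrivilegedActionException` they declare, and the `PrivilegedAction` overloads no longer let unchecked exceptions through unchanged as `Subject.doAs`/`doAsPrivileged` did. Callers in this patch that still `catch (PrivilegedActionException e)`, such as `Delegatee.createInstance`, would have that handler bypassed on JDKs where `Subject.callAs` exists, and a failed login would surface as an unrelated `SecurityException`. I would unwrap the reflective and `CompletionException` layers and restore the old contract in all four wrappers, as sketched below for one overload. The type parameters are written out in the sketch because they appear to have been lost in this rendering of the patch.

```java
public static <T> T doAs(Subject subject, PrivilegedExceptionAction<T> action) throws PrivilegedActionException {
    if (callAs == null) {
        return Subject.doAs(subject, action);
    }
    try {
        return (T) callAs.invoke(null, subject, (Callable<T>) action::run);
    } catch (InvocationTargetException e) {
        // Subject.callAs wraps whatever the action threw in a CompletionException.
        Throwable cause = e.getCause();
        if (cause instanceof java.util.concurrent.CompletionException && cause.getCause() != null) {
            cause = cause.getCause();
        }
        if (cause instanceof RuntimeException) {
            throw (RuntimeException) cause;
        }
        if (cause instanceof Error) {
            throw (Error) cause;
        }
        if (cause instanceof Exception) {
            // Same shape the legacy Subject.doAs gives callers for checked failures.
            throw new PrivilegedActionException((Exception) cause);
        }
        throw new SecurityException(e);
    } catch (IllegalAccessException e) {
        throw new SecurityException(e);
    }
}
// … unchanged: getSubject(); the other three wrappers need the same unwrapping …
```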
diff --git a/oak-commons/src/test/java/org/apache/jackrabbit/oak/commons/jdkcompat/Java23SubjectTest.java b/oak-commons/src/test/java/org/apache/jackrabbit/oak/commons/jdkcompat/Java23SubjectTest.java
new file mode 100755
index 00000000000..a74deb2bb44
--- /dev/null
+++ b/oak-commons/src/test/java/org/apache/jackrabbit/oak/commons/jdkcompat/Java23SubjectTest.java
@@ -0,0 +1,58 @@
+package org.apache.jackrabbit.oak.commons.jdkcompat;
+
+import org.junit.Test;
+
+import javax.security.auth.Subject;
+
+import java.security.PrivilegedAction;
+import java.util.Arrays;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
+public class Java23SubjectTest {
+
+ static int specVersion = Runtime.version().feature();
+
+ @Test
+ public void testApiExistence() {
+ if (specVersion > 17) {
+ assertNotNull(Java23Subject.current);
+ assertNotNull(Java23Subject.callAs);
+ } else {
+ assertNull(Java23Subject.current);
+ assertNull(Java23Subject.callAs);
+ }
+ }
+
+ @Test
+ public void testApiFunction() {
+ Subject subject = new Subject();
+ if (specVersion > 17) {
+ assertEquals(subject,
+ Java23Subject.doAs(subject, (PrivilegedAction) () -> {
+ assertEquals(Java23Subject.getSubject(), subject);
+ StackTraceElement[] stackTrace = Thread.currentThread().getStackTrace();
+ assertFalse(Arrays.stream(stackTrace)
+ .map(elt -> elt.getMethodName())
+ .filter(name -> "callAs".equals(name))
+ .findFirst()
+ .isEmpty());
+ return subject;
+ }));
+ } else {
+ assertEquals(subject,
+ Java23Subject.doAs(subject, (PrivilegedAction) () -> {
+ assertEquals(Java23Subject.getSubject(), subject);
+ StackTraceElement[] stackTrace = Thread.currentThread().getStackTrace();
+ assertTrue(Arrays.stream(stackTrace)
+ .map(elt -> elt.getMethodName())
+ .filter(name -> "doAs".equals(name)).count() == 2);
+ return subject;
+ }));
+ }
+ }
+}
diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java
index b2fc75d1607..d8c38caba87 100644
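Review bot: Both tests run only actions that return normally, so nothing here pins what `Java23Subject.doAs`/`doAsPrivileged` do when the action throws, which is where the reflective `callAs` path and the legacy `Subject.doAs` path are most likely to differ. A test that passes a `PrivilegedExceptionAction` throwing a checked exception and asserts the resulting exception type on both branches of `specVersion` would cover it. This new file also starts directly at `package` without the ASF license header that the other two new files in the patch carry, and it is added with mode 100755; both look unintended.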
--- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java +++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java @@ -16,7 +16,6 @@ */ package org.apache.jackrabbit.oak.security.authentication; -import java.security.AccessController; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; @@ -27,6 +26,7 @@ import javax.security.auth.login.LoginException; import org.apache.jackrabbit.oak.api.ContentRepository; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; import org.apache.jackrabbit.oak.spi.security.SecurityProvider; import org.apache.jackrabbit.oak.spi.security.authentication.ConfigurationUtil; @@ -94,7 +94,7 @@ public LoginContext getLoginContext(Credentials credentials, String workspaceNam private static Subject getSubject() { Subject subject = null; try { - subject = Subject.getSubject(AccessController.getContext()); + subject = Java23Subject.getSubject(); } catch (SecurityException e) { log.debug("Can't check for pre-authenticated subject. Reason: {}", e.getMessage()); } diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/plugins/observation/ChangeCollectorProviderTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/plugins/observation/ChangeCollectorProviderTest.java index 21c4630ddcc..832d394804e 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/plugins/observation/ChangeCollectorProviderTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/plugins/observation/ChangeCollectorProviderTest.java @@ -36,7 +36,6 @@ import java.util.Set; import javax.jcr.NoSuchWorkspaceException; -import javax.security.auth.Subject; import javax.security.auth.login.LoginException; import org.apache.jackrabbit.JcrConstants; 
@@ -48,6 +47,7 @@ import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.api.Type; import org.apache.jackrabbit.oak.InitialContent; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.security.internal.SecurityProviderBuilder; import org.apache.jackrabbit.oak.spi.commit.CommitContext; import org.apache.jackrabbit.oak.spi.commit.CommitInfo; @@ -142,7 +142,7 @@ public void setup() throws PrivilegedActionException, CommitFailedException { .with(getSecurityProvider()); contentRepository = oak.createContentRepository(); - session = Subject.doAs(SystemSubject.INSTANCE, new PrivilegedExceptionAction() { + session = Java23Subject.doAs(SystemSubject.INSTANCE, new PrivilegedExceptionAction() { @Override public ContentSession run() throws LoginException, NoSuchWorkspaceException { return contentRepository.login(null, null); diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImplTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImplTest.java index c94b7076f86..9b63b8b65b7 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImplTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImplTest.java @@ -33,6 +33,7 @@ import javax.security.auth.login.LoginException; import org.apache.jackrabbit.oak.AbstractSecurityTest; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; import org.apache.jackrabbit.oak.spi.security.authentication.AuthenticationConfiguration; import org.apache.jackrabbit.oak.spi.security.authentication.GuestLoginModule; 
@@ -121,7 +122,7 @@ public void getLoginContextWithoutCredentials() throws Exception { @Test public void testGetPreAuthLoginContext() { Subject subject = new Subject(true, Set.of(), Set.of(), Set.of()); - LoginContext ctx = Subject.doAs(subject, (PrivilegedAction) () -> { + LoginContext ctx = Java23Subject.doAs(subject, (PrivilegedAction) () -> { try { return lcProvider.getLoginContext(null, null); } catch (LoginException e) { diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/PreAuthTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/PreAuthTest.java index 57577fa5981..43cd02b9330 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/PreAuthTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/PreAuthTest.java @@ -30,6 +30,7 @@ import org.apache.jackrabbit.oak.AbstractSecurityTest; import org.apache.jackrabbit.oak.api.AuthInfo; import org.apache.jackrabbit.oak.api.ContentSession; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.spi.security.authentication.AuthInfoImpl; import org.apache.jackrabbit.oak.spi.security.authentication.SystemSubject; import org.jetbrains.annotations.Nullable; @@ -66,7 +67,7 @@ public AppConfigurationEntry[] getAppConfigurationEntry(String s) { @Test public void testValidSubject() throws Exception { final Subject subject = new Subject(true, principals, Collections.emptySet(), Collections.emptySet()); - ContentSession cs = Subject.doAsPrivileged(subject, new PrivilegedAction() { + ContentSession cs = Java23Subject.doAsPrivileged(subject, new PrivilegedAction() { @Override public @Nullable ContentSession run() { try { 
@@ -93,7 +94,7 @@ public void testValidSubject() throws Exception { public void testValidSubjectWithCredentials() throws Exception { Set publicCreds = Collections.singleton(new SimpleCredentials("testUserId", new char[0])); final Subject subject = new Subject(false, principals, publicCreds, Collections.emptySet()); - ContentSession cs = Subject.doAsPrivileged(subject, new PrivilegedAction() { + ContentSession cs = Java23Subject.doAsPrivileged(subject, new PrivilegedAction() { @Override public @Nullable ContentSession run() { try { @@ -120,7 +121,7 @@ public void testValidSubjectWithCredentials() throws Exception { public void testValidReadSubjectWithCredentials() throws Exception { Set publicCreds = Collections.singleton(new SimpleCredentials("testUserId", new char[0])); final Subject subject = new Subject(true, principals, publicCreds, Collections.emptySet()); - ContentSession cs = Subject.doAsPrivileged(subject, new PrivilegedAction() { + ContentSession cs = Java23Subject.doAsPrivileged(subject, new PrivilegedAction() { @Override public @Nullable ContentSession run() { try { @@ -148,7 +149,7 @@ public void testValidSubjectWithAuthInfo() throws Exception { AuthInfo info = new AuthInfoImpl("testUserId", Collections.emptyMap(), Collections.emptySet()); Set publicCreds = Collections.singleton(info); final Subject subject = new Subject(false, Collections.singleton(new TestPrincipal()), publicCreds, Collections.emptySet()); - ContentSession cs = Subject.doAsPrivileged(subject, new PrivilegedAction() { + ContentSession cs = Java23Subject.doAsPrivileged(subject, new PrivilegedAction() { @Override public @Nullable ContentSession run() { try { 
@@ -171,7 +172,7 @@ public void testValidSubjectWithAuthInfo() throws Exception { @Test public void testSubjectAndCredentials() throws Exception { final Subject subject = new Subject(true, principals, Collections.emptySet(), Collections.emptySet()); - ContentSession cs = Subject.doAsPrivileged(subject, new PrivilegedAction() { + ContentSession cs = Java23Subject.doAsPrivileged(subject, new PrivilegedAction() { @Override public @Nullable ContentSession run() { ContentSession cs; @@ -204,7 +205,7 @@ public void testNullLogin() throws Exception { @Test public void testSystemSubject() throws Exception { - ContentSession cs = Subject.doAsPrivileged(SystemSubject.INSTANCE, new PrivilegedAction() { + ContentSession cs = Java23Subject.doAsPrivileged(SystemSubject.INSTANCE, new PrivilegedAction() { @Override public @Nullable ContentSession run() { try { diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImplTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImplTest.java index 6f2e98a4926..504f891cbff 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImplTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImplTest.java @@ -26,6 +26,7 @@ import org.apache.jackrabbit.oak.api.ContentRepository; import org.apache.jackrabbit.oak.api.ContentSession; import org.apache.jackrabbit.oak.api.Root; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.commons.junit.LogCustomizer; import org.apache.jackrabbit.oak.namepath.NamePathMapper; import org.apache.jackrabbit.oak.security.internal.SecurityProviderBuilder; 
@@ -674,7 +675,7 @@ public void testCommitReadOnlySubject() throws Exception { public void testLoginLogoutPreexistingReadonlySubject() throws Exception { createTestUser(); Subject subject = new Subject(true, Collections.singleton(() -> "JMXPrincipal: foo"), Collections.EMPTY_SET, Collections.EMPTY_SET); - Subject.doAs(subject, (PrivilegedExceptionAction) () -> { + Java23Subject.doAs(subject, (PrivilegedExceptionAction) () -> { LogCustomizer logCustomizer = LogCustomizer .forLogger("org.apache.jackrabbit.oak.core.ContentSessionImpl") .enable(Level.ERROR) diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/RepoPolicyTreePermissionTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/RepoPolicyTreePermissionTest.java index d9364352865..540f76ee7e3 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/RepoPolicyTreePermissionTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/permission/RepoPolicyTreePermissionTest.java @@ -30,6 +30,7 @@ import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.api.Tree; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.commons.PathUtils; import org.apache.jackrabbit.oak.plugins.memory.EmptyNodeState; import org.apache.jackrabbit.oak.plugins.memory.PropertyStates; @@ -77,7 +78,7 @@ public void before() throws Exception { accessSession = createTestSession(); Subject notAllowedSubject = new Subject(true, Set.of(EveryonePrincipal.getInstance()), Set.of(), Set.of()); - noAccessSession = Subject.doAs(notAllowedSubject, (PrivilegedAction) () -> { + noAccessSession = Java23Subject.doAs(notAllowedSubject, (PrivilegedAction) () -> { try { return getContentRepository().login(null, null); } catch (Exception e) { 
diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/CacheValidatorProviderTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/CacheValidatorProviderTest.java index 41d72d61503..52498b7e0c0 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/CacheValidatorProviderTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/CacheValidatorProviderTest.java @@ -27,6 +27,7 @@ import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.api.Type; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.commons.PathUtils; import org.apache.jackrabbit.oak.plugins.memory.PropertyStates; import org.apache.jackrabbit.oak.plugins.tree.TreeUtil; @@ -43,7 +44,6 @@ import org.junit.Test; import javax.jcr.RepositoryException; -import javax.security.auth.Subject; import java.security.PrivilegedExceptionAction; import java.util.ArrayList; import java.util.List; @@ -89,7 +89,7 @@ private Tree getAuthorizableTree(@NotNull Authorizable authorizable) throws Repo private Tree getCache(@NotNull Authorizable authorizable) throws Exception { // Creating CachedMembershipReader as this is the only class allowed to write in rep:cache - try (ContentSession cs = Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> login(null))) { + try (ContentSession cs = Java23Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> login(null))) { Root r = cs.getLatestRoot(); Tree n = r.getTree(authorizable.getPath()); CachedMembershipReader reader = new CachedPrincipalMembershipReader( diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/CachedGroupPrincipalTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/CachedGroupPrincipalTest.java index ab8d02941d7..1d7d5bf3971 100644 
--- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/CachedGroupPrincipalTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/CachedGroupPrincipalTest.java @@ -24,6 +24,7 @@ import org.apache.jackrabbit.oak.AbstractSecurityTest; import org.apache.jackrabbit.oak.api.ContentSession; import org.apache.jackrabbit.oak.api.Root; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.namepath.NamePathMapper; import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; import org.apache.jackrabbit.oak.spi.security.authentication.SystemSubject; @@ -34,7 +35,6 @@ import org.junit.Test; import javax.jcr.RepositoryException; -import javax.security.auth.Subject; import java.security.Principal; import java.security.PrivilegedExceptionAction; import java.util.Enumeration; @@ -112,7 +112,7 @@ protected ConfigurationParameters getSecurityConfigParameters() { private ContentSession getSystemSession() throws Exception { if (systemSession == null) { - systemSession = Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> login(null)); + systemSession = Java23Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> login(null)); } return systemSession; } diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/CachedPrincipalMembershipReaderTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/CachedPrincipalMembershipReaderTest.java index e3059a87bfc..b10759550d4 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/CachedPrincipalMembershipReaderTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/CachedPrincipalMembershipReaderTest.java 
@@ -48,11 +48,10 @@ import java.util.Set; import java.util.UUID; import javax.jcr.RepositoryException; -import javax.security.auth.Subject; + import org.apache.jackrabbit.JcrConstants; import org.apache.jackrabbit.api.security.user.Authorizable; import org.apache.jackrabbit.api.security.user.Group; -import org.apache.jackrabbit.guava.common.collect.Lists; import org.apache.jackrabbit.oak.AbstractSecurityTest; import org.apache.jackrabbit.oak.api.CommitFailedException; import org.apache.jackrabbit.oak.api.ContentSession; @@ -60,6 +59,7 @@ import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.api.Type; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.commons.junit.LogCustomizer; import org.apache.jackrabbit.oak.spi.security.user.cache.CachedMembershipReader; import org.apache.jackrabbit.oak.spi.security.user.cache.CacheLoader; @@ -204,7 +204,7 @@ protected ConfigurationParameters getSecurityConfigParameters() { private Root getSystemRoot() throws Exception { if (systemSession == null) { - systemSession = Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> login(null)); + systemSession = Java23Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> login(null)); } return systemSession.getLatestRoot(); } diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/PasswordExpiryAdminTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/PasswordExpiryAdminTest.java index 179892d196c..86d93643612 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/PasswordExpiryAdminTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/PasswordExpiryAdminTest.java 
@@ -23,6 +23,7 @@ import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.api.Type; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager; import org.apache.jackrabbit.oak.plugins.tree.TreeUtil; import org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants; @@ -36,7 +37,6 @@ import org.junit.Test; import javax.jcr.SimpleCredentials; -import javax.security.auth.Subject; import javax.security.auth.login.CredentialExpiredException; import javax.security.auth.login.LoginException; import java.security.PrivilegedActionException; @@ -73,7 +73,7 @@ protected ConfigurationParameters getSecurityConfigParameters() { @Override protected ContentSession createAdminSession(@NotNull ContentRepository repository) { try { - return Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> repository.login(null, null)); + return Java23Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> repository.login(null, null)); } catch (PrivilegedActionException e) { throw new RuntimeException(e); } diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/UserInitializerTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/UserInitializerTest.java index 6e47ff5fcc0..6edd57e099b 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/UserInitializerTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/UserInitializerTest.java @@ -27,6 +27,7 @@ import org.apache.jackrabbit.oak.api.ContentSession; import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.api.Tree; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.commons.PathUtils; import org.apache.jackrabbit.oak.namepath.NamePathMapper; import org.apache.jackrabbit.oak.plugins.index.IndexConstants; 
@@ -48,7 +49,6 @@ import javax.jcr.GuestCredentials; import javax.jcr.SimpleCredentials; -import javax.security.auth.Subject; import javax.security.auth.login.LoginException; import java.security.PrivilegedExceptionAction; import java.util.HashMap; @@ -173,7 +173,7 @@ public void testAdminConfiguration() throws Exception { .with(sp) .createContentRepository(); - try (ContentSession cs = Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> repo.login(null, null))) { + try (ContentSession cs = Java23Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> repo.login(null, null))) { Root root = cs.getLatestRoot(); UserConfiguration uc = sp.getConfiguration(UserConfiguration.class); UserManager umgr = uc.getUserManager(root, NamePathMapper.DEFAULT); @@ -210,7 +210,7 @@ public void testAnonymousConfiguration() throws Exception { .with(sp) .createContentRepository(); - try (ContentSession cs = Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> repo.login(null, null))) { + try (ContentSession cs = Java23Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> repo.login(null, null))) { Root root = cs.getLatestRoot(); UserConfiguration uc = sp.getConfiguration(UserConfiguration.class); UserManager umgr = uc.getUserManager(root, NamePathMapper.DEFAULT); diff --git a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/UserPrincipalProviderWithCacheTest.java b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/UserPrincipalProviderWithCacheTest.java index bbe8179dc68..9ffab3c9a14 100644 --- a/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/UserPrincipalProviderWithCacheTest.java +++ b/oak-core/src/test/java/org/apache/jackrabbit/oak/security/user/UserPrincipalProviderWithCacheTest.java 
@@ -28,6 +28,7 @@ import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.api.Tree; import org.apache.jackrabbit.oak.api.Type; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.plugins.memory.PropertyStates; import org.apache.jackrabbit.oak.plugins.tree.TreeUtil; import org.apache.jackrabbit.oak.security.principal.AbstractPrincipalProviderTest; @@ -39,13 +40,10 @@ import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider; import org.apache.jackrabbit.oak.spi.security.user.cache.CacheConstants; import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration; -import org.apache.jackrabbit.oak.security.user.CacheConfiguration; -import org.apache.jackrabbit.oak.spi.security.user.cache.CacheConstants; import org.jetbrains.annotations.NotNull; import org.junit.Test; import javax.jcr.SimpleCredentials; -import javax.security.auth.Subject; import java.security.Principal; import java.security.PrivilegedExceptionAction; import java.util.ArrayList; @@ -111,7 +109,7 @@ private PrincipalProvider createPrincipalProvider(Root root) { private ContentSession getSystemSession() throws Exception { if (systemSession == null) { - systemSession = Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> login(null)); + systemSession = Java23Subject.doAs(SystemSubject.INSTANCE, (PrivilegedExceptionAction) () -> login(null)); } return systemSession; } diff --git a/oak-doc/src/site/markdown/security/authentication/preauthentication.md b/oak-doc/src/site/markdown/security/authentication/preauthentication.md index b958ab77692..c23a2f2b003 100644 --- a/oak-doc/src/site/markdown/security/authentication/preauthentication.md +++ b/oak-doc/src/site/markdown/security/authentication/preauthentication.md 
@@ -137,7 +137,7 @@ Example how to use this type of pre-authentication: Subject subject = new Subject(true, principals, Collections.singleton(authInfo), Collections.emptySet()); Session session; try { - session = Subject.doAsPrivileged(subject, new PrivilegedExceptionAction() { + session = Java23Compatibility.doAsPrivileged(subject, new PrivilegedExceptionAction() { @Override public Session run() throws Exception { return login(null, null); diff --git a/oak-examples/webapp/src/main/java/org/apache/jackrabbit/j2ee/IndexInitializer.java b/oak-examples/webapp/src/main/java/org/apache/jackrabbit/j2ee/IndexInitializer.java index 0808528ce91..fa0df8a3ab0 100644 --- a/oak-examples/webapp/src/main/java/org/apache/jackrabbit/j2ee/IndexInitializer.java +++ b/oak-examples/webapp/src/main/java/org/apache/jackrabbit/j2ee/IndexInitializer.java @@ -34,6 +34,7 @@ import org.apache.jackrabbit.JcrConstants; import org.apache.jackrabbit.commons.JcrUtils; import org.apache.jackrabbit.oak.api.AuthInfo; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.plugins.index.IndexConstants; import org.apache.jackrabbit.oak.plugins.index.lucene.LuceneIndexConstants; import org.apache.jackrabbit.oak.plugins.index.search.FulltextIndexConstants; @@ -119,7 +120,7 @@ public String getName() { Subject subject = new Subject(true, singleton(admin), singleton(authInfo), Collections.emptySet()); Session adminSession; try { - adminSession = Subject.doAsPrivileged(subject, new PrivilegedExceptionAction() { + adminSession = Java23Subject.doAsPrivileged(subject, new PrivilegedExceptionAction() { @Override public Session run() throws Exception { return repository.login(); diff --git a/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authentication/L9_NullLoginTest.java b/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authentication/L9_NullLoginTest.java index 5b722e9d0df..f02667589d0 100644 
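Review bot: The helper is spelled `Java23Subject.doAsPrivileged` in the `IndexInitializer` hunk, but the pre-authentication example changed in `preauthentication.md` on this same line calls `Java23Compatibility.doAsPrivileged`, a name that appears nowhere else in the visible diff. That snippet is what integrators copy to set up pre-authenticated logins, so it should name the class this commit actually adds; replacing `Java23Compatibility` with `Java23Subject` in the example keeps it aligned with this call site. The enclosing method in `IndexInitializer` starts and ends outside the hunk.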
--- a/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authentication/L9_NullLoginTest.java +++ b/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authentication/L9_NullLoginTest.java @@ -25,6 +25,7 @@ import javax.security.auth.Subject; import javax.security.auth.login.Configuration; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.test.AbstractJCRTest; /** @@ -112,7 +113,7 @@ public void testSuccessfulNullLogin() throws Exception { Subject subject = null; String expectedId = null; - testSession = Subject.doAs(subject, new PrivilegedExceptionAction() { + testSession = Java23Subject.doAs(subject, new PrivilegedExceptionAction() { @Override public Session run() throws RepositoryException { return repository.login(null, null); diff --git a/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/principalbased/AbstractPrincipalBasedTest.java b/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/principalbased/AbstractPrincipalBasedTest.java index f788f99736a..0c6ed8a58ce 100644 --- a/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/principalbased/AbstractPrincipalBasedTest.java +++ b/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/principalbased/AbstractPrincipalBasedTest.java @@ -25,6 +25,7 @@ import org.apache.jackrabbit.api.security.user.User; import org.apache.jackrabbit.oak.AbstractSecurityTest; import org.apache.jackrabbit.oak.api.ContentSession; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.commons.PathUtils; import org.apache.jackrabbit.oak.composite.MountInfoProviderService; import org.apache.jackrabbit.oak.security.authorization.composite.CompositeAuthorizationConfiguration; 
@@ -167,6 +168,6 @@ static PrincipalAccessControlList getApplicablePrincipalAccessControlList(@NotNu @NotNull ContentSession getTestSession(@NotNull Principal... principals) throws Exception { Subject subject = new Subject(true, ImmutableSet.copyOf(principals), Set.of(), Set.of()); - return Subject.doAsPrivileged(subject, (PrivilegedExceptionAction) () -> getContentRepository().login(null, null), null); + return Java23Subject.doAsPrivileged(subject, (PrivilegedExceptionAction) () -> getContentRepository().login(null, null), null); } } \ No newline at end of file diff --git a/oak-lucene/src/test/java/org/apache/jackrabbit/oak/composite/blueGreen/Persistence.java b/oak-lucene/src/test/java/org/apache/jackrabbit/oak/composite/blueGreen/Persistence.java index 039a43e5c48..3b69f6b4f4a 100644 --- a/oak-lucene/src/test/java/org/apache/jackrabbit/oak/composite/blueGreen/Persistence.java +++ b/oak-lucene/src/test/java/org/apache/jackrabbit/oak/composite/blueGreen/Persistence.java @@ -38,7 +38,6 @@ import javax.jcr.security.AccessControlPolicy; import javax.jcr.security.AccessControlPolicyIterator; import javax.jcr.security.Privilege; -import javax.security.auth.Subject; import org.apache.jackrabbit.JcrConstants; import org.apache.jackrabbit.api.JackrabbitRepository; @@ -50,6 +49,7 @@ import org.apache.jackrabbit.oak.api.ContentRepository; import org.apache.jackrabbit.oak.api.ContentSession; import org.apache.jackrabbit.oak.api.Root; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.composite.CompositeNodeStore; import org.apache.jackrabbit.oak.jcr.Jcr; import org.apache.jackrabbit.oak.namepath.NamePathMapper; 
@@ -286,7 +286,7 @@ private static void setupPermissions(ContentRepository repo, SecurityProvider securityProvider) throws RepositoryException { ContentSession cs = null; try { - cs = Subject.doAsPrivileged(SystemSubject.INSTANCE, new PrivilegedExceptionAction() { + cs = Java23Subject.doAsPrivileged(SystemSubject.INSTANCE, new PrivilegedExceptionAction() { @Override public ContentSession run() throws Exception { return repo.login(null, null); diff --git a/oak-security-spi/pom.xml b/oak-security-spi/pom.xml index 8c0680beff1..a0109aebeab 100644 --- a/oak-security-spi/pom.xml +++ b/oak-security-spi/pom.xml @@ -109,6 +109,11 @@ oak-jackrabbit-api ${project.version} + + org.apache.jackrabbit + oak-commons + ${project.version} + org.apache.jackrabbit oak-shaded-guava diff --git a/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java b/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java index 0f334ac6672..8c49550772b 100644 --- a/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java +++ b/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java @@ -42,6 +42,7 @@ import org.apache.jackrabbit.oak.api.ContentRepository; import org.apache.jackrabbit.oak.api.ContentSession; import org.apache.jackrabbit.oak.api.Root; +import org.apache.jackrabbit.oak.commons.jdkcompat.Java23Subject; import org.apache.jackrabbit.oak.namepath.NamePathMapper; import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; import org.apache.jackrabbit.oak.spi.security.SecurityProvider; 
@@ -475,7 +476,7 @@ protected Root getRoot() { final ContentRepository repository = rcb.getContentRepository(); if (repository != null) { - systemSession = Subject.doAs(SystemSubject.INSTANCE, new PrivilegedExceptionAction() { + systemSession = Java23Subject.doAs(SystemSubject.INSTANCE, new PrivilegedExceptionAction() { @Override public ContentSession run() throws LoginException, NoSuchWorkspaceException { return repository.login(null, rcb.getWorkspaceName());
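Review bot: `repository.login(null, rcb.getWorkspaceName())` passes no credentials, so in `getRoot` the system session is authorised only by the `SystemSubject.INSTANCE` that `Java23Subject.doAs` binds around the action. That makes the wrapper part of the authentication path in production code. Whatever looks up the current subject during login has to use the matching mechanism on every supported JDK, otherwise this call would presumably not be recognised as pre-authenticated. Neither the wrapper nor the lookup is visible in this hunk, so I would record the dependency at the call site, for example `// null credentials: authorised solely by the SystemSubject bound by Java23Subject.doAs`. `getRoot` starts before the hunk and continues after it.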