From a4824c623fdbb784df01c6cec0e13c953a51c196 Mon Sep 17 00:00:00 2001 From: Theresa Mammarella Date: Tue, 4 Feb 2025 16:34:30 -0500 Subject: [PATCH] Remove AccessController.doPrivileged uses from closed/src Signed-off-by: Theresa Mammarella --- .../classes/java/io/ClassByNameCache.java | 27 +++---------- .../jdk/crypto/jniprovider/NativeCrypto.java | 3 +- .../internal/security/RestrictedSecurity.java | 38 ++++++------------- 3 files changed, 18 insertions(+), 50 deletions(-) diff --git a/closed/src/java.base/share/classes/java/io/ClassByNameCache.java b/closed/src/java.base/share/classes/java/io/ClassByNameCache.java index 1aa671051c9..332caec9675 100644 --- a/closed/src/java.base/share/classes/java/io/ClassByNameCache.java +++ b/closed/src/java.base/share/classes/java/io/ClassByNameCache.java @@ -1,6 +1,6 @@ /* * =========================================================================== - * (c) Copyright IBM Corp. 2017, 2022 All Rights Reserved + * (c) Copyright IBM Corp. 2017, 2025 All Rights Reserved * =========================================================================== * * This code is free software; you can redistribute it and/or modify it @@ -26,8 +26,6 @@ import java.lang.ref.ReferenceQueue; import java.lang.ref.WeakReference; -import java.security.AccessController; -import java.security.PrivilegedAction; import java.util.Objects; import java.util.concurrent.ConcurrentHashMap; /* ClassByNameCache is Primarily responsible for Caching the results of the className lookups and hence to avoid @@ -63,8 +61,11 @@ public ClassByNameCache() { loader = loader.getParent(); } setCanonicalSystemLoaderRef(null); - AccessController.doPrivileged( - new CreateReaperAction(this, staleLoaderRefs)).start(); + + Reaper reaper = new Reaper(this, staleLoaderRefs); + com.ibm.oti.vm.VM.getVMLangAccess() + .createThread(reaper, "ClassByNameCache Reaper", true, false, true, null) + .start(); } /* * sets Canonical Loader reference for the loader @@ -197,22 +198,6 @@ Class get() throws ClassNotFoundException { } } - private static final class CreateReaperAction - implements PrivilegedAction { - private final ClassByNameCache cache; - private final ReferenceQueue queue; - - CreateReaperAction(ClassByNameCache cache, ReferenceQueue queue) { - this.cache = cache; - this.queue = queue; - } - - public Thread run() { - Reaper reaper = new Reaper(cache, queue); - return com.ibm.oti.vm.VM.getVMLangAccess().createThread(reaper, "ClassByNameCache Reaper", true, false, true, null); - } - } - private static final class Reaper implements Runnable { private final WeakReference cacheRef; private final ReferenceQueue queue; diff --git a/closed/src/java.base/share/classes/jdk/crypto/jniprovider/NativeCrypto.java b/closed/src/java.base/share/classes/jdk/crypto/jniprovider/NativeCrypto.java index cb78bdbc55b..c62c5cd9aa6 100644 --- a/closed/src/java.base/share/classes/jdk/crypto/jniprovider/NativeCrypto.java +++ b/closed/src/java.base/share/classes/jdk/crypto/jniprovider/NativeCrypto.java @@ -117,9 +117,8 @@ private static long loadCryptoLibraries() { return osslVersion; } - @SuppressWarnings("removal") private NativeCrypto() { - ossl_ver = AccessController.doPrivileged((PrivilegedAction) () -> loadCryptoLibraries()).longValue(); + ossl_ver = loadCryptoLibraries(); if (ossl_ver != -1) { isOpenSSLFIPS = isOpenSSLFIPS(); } else { diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java index 9e8d2f23a96..8746034d959 100644 --- a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java +++ b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java @@ -1,6 +1,6 @@ /* * =========================================================================== - * (c) Copyright IBM Corp. 2022, 2024 All Rights Reserved + * (c) Copyright IBM Corp. 2022, 2025 All Rights Reserved * =========================================================================== * * This code is free software; you can redistribute it and/or modify it @@ -24,10 +24,8 @@ package openj9.internal.security; import java.nio.charset.StandardCharsets; -import java.security.AccessController; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; -import java.security.PrivilegedAction; import java.security.Provider; import java.security.Provider.Service; import java.time.LocalDate; @@ -93,30 +91,20 @@ public final class RestrictedSecurity { supportedPlatformsOpenJCEPlus.put("Arch", List.of("amd64", "ppc64", "s390x")); supportedPlatformsOpenJCEPlus.put("OS", List.of("Linux", "AIX", "Windows")); - @SuppressWarnings("removal") - String[] props = AccessController.doPrivileged( - new PrivilegedAction<>() { - @Override - public String[] run() { - return new String[] { System.getProperty("semeru.fips"), - System.getProperty("semeru.customprofile"), - System.getProperty("os.name"), - System.getProperty("os.arch"), - System.getProperty("semeru.fips.allowsetproperties") }; - } - }); + String osName = System.getProperty("os.name"); + String osArch = System.getProperty("os.arch"); boolean isOsSupported, isArchSupported; // Check whether the NSS FIPS solution is supported. isOsSupported = false; for (String os: supportedPlatformsNSS.get("OS")) { - if (props[2].contains(os)) { + if (osName.contains(os)) { isOsSupported = true; } } isArchSupported = false; for (String arch: supportedPlatformsNSS.get("Arch")) { - if (props[3].contains(arch)) { + if (osArch.contains(arch)) { isArchSupported = true; } } @@ -125,13 +113,13 @@ public String[] run() { // Check whether the OpenJCEPlus FIPS solution is supported. isOsSupported = false; for (String os: supportedPlatformsOpenJCEPlus.get("OS")) { - if (props[2].contains(os)) { + if (osName.contains(os)) { isOsSupported = true; } } isArchSupported = false; for (String arch: supportedPlatformsOpenJCEPlus.get("Arch")) { - if (props[3].contains(arch)) { + if (osArch.contains(arch)) { isArchSupported = true; } } @@ -140,8 +128,8 @@ public String[] run() { // Check the default solution to see if FIPS is supported. isFIPSSupported = isNSSSupported; - userEnabledFIPS = Boolean.parseBoolean(props[0]); - allowSetProperties = Boolean.parseBoolean(props[4]); + userEnabledFIPS = Boolean.getBoolean("semeru.fips"); + allowSetProperties = Boolean.getBoolean("semeru.fips.allowsetproperties"); if (userEnabledFIPS) { if (isFIPSSupported) { @@ -151,12 +139,8 @@ public String[] run() { } // If user has specified a profile, use that - if (props[1] != null) { - selectedProfile = props[1]; - userSetProfile = true; - } else { - userSetProfile = false; - } + selectedProfile = System.getProperty("semeru.customprofile"); + userSetProfile = selectedProfile != null; // Check if FIPS is supported on this platform without explicitly setting a profile. if (userEnabledFIPS && !isFIPSSupported && !userSetProfile) {