java.securty.AccessControlContext

Clark Evans (clark.evans@gartner.com)
Mon, 27 Oct 1997 01:22:57 -0500

Message-Id: <199710270621.AA09062@interlock.gartner.com>
From: Clark Evans <clark.evans@gartner.com>
To: "'gong@games.Eng.Sun.COM'" <gong@games.eng.sun.com>
Subject: java.securty.AccessControlContext
Date: Mon, 27 Oct 1997 01:22:57 -0500

Thank you for replying to my last question. New question(s)?

With reference to page:
http://java.sun.com/products/jdk/1.2/docs/guide/security/spec/security-spec.doc11.html

Say you have two threads of execution A and B.
Thread A is currently running method a() of object ObA.
Thread B is currently running method b() of object ObB.
Resource X requires a permission P to invoke x().

If a() posts an event to ObB (in a different thread)
then ObB uses the security context of thread B
and not the context of thread A. Suppose resource X.x()
is required to do the work. Delemma.

B is doing the work, A has the permissions.

Solution: Create a java.security.AccessControlContext
"acc" and pass it from thread A to thread B ?

Hmmm. In the code for X.x() would have something like this:
{
if( ! java.securty.AccessController.checkPermission( myPermission) )
raise SecurityException;

// rest of code goes here.
}

Assume that this code is part of the JDK or a compiled version
is supplied by a third party. How is ObB.b() going to tell X.x()
that it has thread A's security? The AccessController will only
return thread B's security. Sure ObB has a AccessControlContext
object with A's security, but how does this information make its way
down to X.x()?

Another question, suppose that thread A only wanted to give permission P
to thread B and not Permission N,M,or O. Is this possible?

Thank you for your time! :)

Clark

P.S. I cannot see the FAQ for this:
http://jserv.javasoft.com/hypermail/java-security-archive-1/index.html
(It is a blank page).