1 /*
   2  * Copyright (c) 1998, 2024, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package javax.security.auth;
  27 
  28 import java.io.IOException;
  29 import java.io.ObjectInputStream;
  30 import java.io.ObjectOutputStream;
  31 import java.io.ObjectStreamField;
  32 import java.security.*;
  33 import java.text.MessageFormat;
  34 import java.util.*;
  35 import java.util.concurrent.Callable;
  36 import java.util.concurrent.CompletionException;
  37 
  38 import jdk.internal.access.SharedSecrets;
  39 import sun.security.util.ResourcesMgr;
  40 
  41 /**
  42  * <p> A {@code Subject} represents a grouping of related information
  43  * for a single entity, such as a person.
  44  * Such information includes the Subject's identities as well as
  45  * its security-related attributes
  46  * (passwords and cryptographic keys, for example).
  47  *
  48  * <p> Subjects may potentially have multiple identities.
  49  * Each identity is represented as a {@code Principal}
  50  * within the {@code Subject}.  Principals simply bind names to a
  51  * {@code Subject}.  For example, a {@code Subject} that happens
  52  * to be a person, Alice, might have two Principals:
  53  * one which binds "Alice Bar", the name on her driver license,
  54  * to the {@code Subject}, and another which binds,
  55  * "999-99-9999", the number on her student identification card,
  56  * to the {@code Subject}.  Both Principals refer to the same
  57  * {@code Subject} even though each has a different name.
  58  *
  59  * <p> A {@code Subject} may also own security-related attributes,
  60  * which are referred to as credentials.
  61  * Sensitive credentials that require special protection, such as
  62  * private cryptographic keys, are stored within a private credential
  63  * {@code Set}.  Credentials intended to be shared, such as
  64  * public key certificates or Kerberos server tickets are stored
  65  * within a public credential {@code Set}.  Different permissions
  66  * are required to access and modify the different credential Sets.
  67  *
  68  * <p> To retrieve all the Principals associated with a {@code Subject},
  69  * invoke the {@code getPrincipals} method.  To retrieve
  70  * all the public or private credentials belonging to a {@code Subject},
  71  * invoke the {@code getPublicCredentials} method or
  72  * {@code getPrivateCredentials} method, respectively.
  73  * To modify the returned {@code Set} of Principals and credentials,
  74  * use the methods defined in the {@code Set} class.
  75  * For example:
  76  * <pre>
  77  *      Subject subject;
  78  *      Principal principal;
  79  *      Object credential;
  80  *
  81  *      // add a Principal and credential to the Subject
  82  *      subject.getPrincipals().add(principal);
  83  *      subject.getPublicCredentials().add(credential);
  84  * </pre>
  85  *
  86  * <p> This {@code Subject} class implements {@code Serializable}.
  87  * While the Principals associated with the {@code Subject} are serialized,
  88  * the credentials associated with the {@code Subject} are not.
  89  * Note that the {@code java.security.Principal} class
  90  * does not implement {@code Serializable}.  Therefore, all concrete
  91  * {@code Principal} implementations associated with Subjects
  92  * must implement {@code Serializable}.
  93  *
  94  * <h2>Deprecated Methods and Replacements</h2>
  95  *
  96  * <p> The following methods in this class for user-based authorization
  97  * that are dependent on Security Manager APIs are deprecated for removal:
  98  * <ul>
  99  *     <li>{@link #getSubject(AccessControlContext)}
 100  *     <li>{@link #doAs(Subject, PrivilegedAction)}
 101  *     <li>{@link #doAs(Subject, PrivilegedExceptionAction)}
 102  *     <li>{@link #doAsPrivileged(Subject, PrivilegedAction, AccessControlContext)}
 103  *     <li>{@link #doAsPrivileged(Subject, PrivilegedExceptionAction, AccessControlContext)}
 104  * </ul>
 105  * Methods {@link #current()} and {@link #callAs(Subject, Callable)}
 106  * are replacements for these methods, where {@code current}
 107  * is mostly equivalent to {@code getSubject(AccessController.getContext())}
 108  * and {@code callAs} is similar to {@code doAs} except that the
 109  * input type and exceptions thrown are slightly different.
 110  *
 111  * <p id="sm-allowed"><b>These methods behave differently depending on
 112  * whether a security manager is
 113  * {@linkplain SecurityManager##set-security-manager allowed or disallowed}</b>:
 114  * <ul>
 115  * <li>If a security manager is allowed, which means it is either already set
 116  * or allowed to be set dynamically, a {@code Subject} object is associated
 117  * with an {@code AccessControlContext} through a {@code doAs} or
 118  * {@code callAs} call, and the subject can then be retrieved using the
 119  * {@code getSubject(AccessControlContext)} or {@code current} method.
 120 *  <li>If a security manager is not allowed, which means it is not set and
 121  * not allowed to be set dynamically, a {@code doAs} or {@code callAs} call
 122  * binds a {@code Subject} object to the period of execution of an action,
 123  * and the subject can be retrieved using the {@code current} method inside
 124  * the action. This subject can be inherited by child threads if they are
 125  * started and terminate within the execution of its parent thread using
 126  * structured concurrency.
 127  * </ul>
 128  *
 129  * @since 1.4
 130  * @see java.security.Principal
 131  * @see java.security.DomainCombiner
 132  */
 133 public final class Subject implements java.io.Serializable {
 134 
 135     @java.io.Serial
 136     private static final long serialVersionUID = -8308522755600156056L;
 137 
 138     /**
 139      * A {@code Set} that provides a view of all of this
 140      * Subject's Principals
 141      *
 142      * @serial Each element in this set is a
 143      *          {@code java.security.Principal}.
 144      *          The set is a {@code Subject.SecureSet}.
 145      */
 146     @SuppressWarnings("serial") // Not statically typed as Serializable
 147     Set<Principal> principals;
 148 
 149     /**
 150      * Sets that provide a view of all of this
 151      * Subject's Credentials
 152      */
 153     transient Set<Object> pubCredentials;
 154     transient Set<Object> privCredentials;
 155 
 156     /**
 157      * Whether this Subject is read-only
 158      *
 159      * @serial
 160      */
 161     private volatile boolean readOnly;
 162 
 163     private static final int PRINCIPAL_SET = 1;
 164     private static final int PUB_CREDENTIAL_SET = 2;
 165     private static final int PRIV_CREDENTIAL_SET = 3;
 166 
 167     private static final ProtectionDomain[] NULL_PD_ARRAY
 168         = new ProtectionDomain[0];
 169 
 170     /**
 171      * Create an instance of a {@code Subject}
 172      * with an empty {@code Set} of Principals and empty
 173      * Sets of public and private credentials.
 174      *
 175      * <p> The newly constructed Sets check whether this {@code Subject}
 176      * has been set read-only before permitting subsequent modifications.
 177      * The newly created Sets also prevent illegal modifications
 178      * by ensuring that callers have sufficient permissions.  These Sets
 179      * also prohibit null elements, and attempts to add, query, or remove
 180      * a null element will result in a {@code NullPointerException}.
 181      *
 182      * <p> To modify the Principals Set, the caller must have
 183      * {@code AuthPermission("modifyPrincipals")}.
 184      * To modify the public credential Set, the caller must have
 185      * {@code AuthPermission("modifyPublicCredentials")}.
 186      * To modify the private credential Set, the caller must have
 187      * {@code AuthPermission("modifyPrivateCredentials")}.
 188      */
 189     public Subject() {
 190 
 191         this.principals = Collections.synchronizedSet
 192                         (new SecureSet<>(this, PRINCIPAL_SET));
 193         this.pubCredentials = Collections.synchronizedSet
 194                         (new SecureSet<>(this, PUB_CREDENTIAL_SET));
 195         this.privCredentials = Collections.synchronizedSet
 196                         (new SecureSet<>(this, PRIV_CREDENTIAL_SET));
 197     }
 198 
 199     /**
 200      * Create an instance of a {@code Subject} with
 201      * Principals and credentials.
 202      *
 203      * <p> The Principals and credentials from the specified Sets
 204      * are copied into newly constructed Sets.
 205      * These newly created Sets check whether this {@code Subject}
 206      * has been set read-only before permitting subsequent modifications.
 207      * The newly created Sets also prevent illegal modifications
 208      * by ensuring that callers have sufficient permissions.  These Sets
 209      * also prohibit null elements, and attempts to add, query, or remove
 210      * a null element will result in a {@code NullPointerException}.
 211      *
 212      * <p> To modify the Principals Set, the caller must have
 213      * {@code AuthPermission("modifyPrincipals")}.
 214      * To modify the public credential Set, the caller must have
 215      * {@code AuthPermission("modifyPublicCredentials")}.
 216      * To modify the private credential Set, the caller must have
 217      * {@code AuthPermission("modifyPrivateCredentials")}.
 218      *
 219      * @param readOnly true if the {@code Subject} is to be read-only,
 220      *          and false otherwise.
 221      *
 222      * @param principals the {@code Set} of Principals
 223      *          to be associated with this {@code Subject}.
 224      *
 225      * @param pubCredentials the {@code Set} of public credentials
 226      *          to be associated with this {@code Subject}.
 227      *
 228      * @param privCredentials the {@code Set} of private credentials
 229      *          to be associated with this {@code Subject}.
 230      *
 231      * @throws NullPointerException if the specified
 232      *          {@code principals}, {@code pubCredentials},
 233      *          or {@code privCredentials} are {@code null},
 234      *          or a null value exists within any of these three
 235      *          Sets.
 236      */
 237     public Subject(boolean readOnly, Set<? extends Principal> principals,
 238                    Set<?> pubCredentials, Set<?> privCredentials) {
 239         LinkedList<Principal> principalList
 240                 = collectionNullClean(principals);
 241         LinkedList<Object> pubCredsList
 242                 = collectionNullClean(pubCredentials);
 243         LinkedList<Object> privCredsList
 244                 = collectionNullClean(privCredentials);
 245 
 246         this.principals = Collections.synchronizedSet(
 247                 new SecureSet<>(this, PRINCIPAL_SET, principalList));
 248         this.pubCredentials = Collections.synchronizedSet(
 249                 new SecureSet<>(this, PUB_CREDENTIAL_SET, pubCredsList));
 250         this.privCredentials = Collections.synchronizedSet(
 251                 new SecureSet<>(this, PRIV_CREDENTIAL_SET, privCredsList));
 252         this.readOnly = readOnly;
 253     }
 254 
 255     /**
 256      * Set this {@code Subject} to be read-only.
 257      *
 258      * <p> Modifications (additions and removals) to this Subject's
 259      * {@code Principal} {@code Set} and
 260      * credential Sets will be disallowed.
 261      * The {@code destroy} operation on this Subject's credentials will
 262      * still be permitted.
 263      *
 264      * <p> Subsequent attempts to modify the Subject's {@code Principal}
 265      * and credential Sets will result in an
 266      * {@code IllegalStateException} being thrown.
 267      * Also, once a {@code Subject} is read-only,
 268      * it can not be reset to being writable again.
 269      *
 270      * @throws SecurityException if a security manager is installed and the
 271      *         caller does not have an
 272      *         {@link AuthPermission#AuthPermission(String)
 273      *         AuthPermission("setReadOnly")} permission to set this
 274      *         {@code Subject} to be read-only.
 275      */
 276     public void setReadOnly() {
 277         @SuppressWarnings("removal")
 278         java.lang.SecurityManager sm = System.getSecurityManager();
 279         if (sm != null) {
 280             sm.checkPermission(AuthPermissionHolder.SET_READ_ONLY_PERMISSION);
 281         }
 282 
 283         this.readOnly = true;
 284     }
 285 
 286     /**
 287      * Query whether this {@code Subject} is read-only.
 288      *
 289      * @return true if this {@code Subject} is read-only, false otherwise.
 290      */
 291     public boolean isReadOnly() {
 292         return this.readOnly;
 293     }
 294 
 295     /**
 296      * Get the {@code Subject} associated with the provided
 297      * {@code AccessControlContext}. This method is intended to be used with
 298      * a security manager. It throws an {@code UnsupportedOperationException}
 299      * if a security manager is not allowed.
 300      *
 301      * <p> The {@code AccessControlContext} may contain many
 302      * Subjects (from nested {@code doAs} calls).
 303      * In this situation, the most recent {@code Subject} associated
 304      * with the {@code AccessControlContext} is returned.
 305      *
 306      * @param  acc the {@code AccessControlContext} from which to retrieve
 307      *          the {@code Subject}.
 308      *
 309      * @return  the {@code Subject} associated with the provided
 310      *          {@code AccessControlContext}, or {@code null}
 311      *          if no {@code Subject} is associated
 312      *          with the provided {@code AccessControlContext}.
 313      *
 314      * @throws UnsupportedOperationException if a security manager is
 315      *          not allowed
 316      *
 317      * @throws SecurityException if a security manager is installed and the
 318      *          caller does not have an
 319      *          {@link AuthPermission#AuthPermission(String)
 320      *          AuthPermission("getSubject")} permission to get the
 321      *          {@code Subject}.
 322      *
 323      * @throws NullPointerException if the provided
 324      *          {@code AccessControlContext} is {@code null}.
 325      *
 326      * @deprecated This method depends on {@link AccessControlContext}
 327      *       which, in conjunction with
 328      *       {@linkplain SecurityManager the Security Manager}, is deprecated
 329      *       and subject to removal in a future release. However,
 330      *       obtaining a Subject is useful independent of the Security Manager.
 331      *       Thus, a replacement API named {@link #current()} has been added
 332      *       which can be used to obtain the current subject.
 333      */
 334     @SuppressWarnings("removal")
 335     @Deprecated(since="17", forRemoval=true)
 336     public static Subject getSubject(final AccessControlContext acc) {
 337 
 338         java.lang.SecurityManager sm = System.getSecurityManager();
 339         if (sm != null) {
 340             sm.checkPermission(AuthPermissionHolder.GET_SUBJECT_PERMISSION);
 341         }
 342 
 343         Objects.requireNonNull(acc, ResourcesMgr.getString
 344                 ("invalid.null.AccessControlContext.provided"));
 345 
 346         if (!SharedSecrets.getJavaLangAccess().allowSecurityManager()) {
 347             throw new UnsupportedOperationException(
 348                     "getSubject is supported only if a security manager is allowed");
 349         } else {
 350             // return the Subject from the DomainCombiner of the provided context
 351             return AccessController.doPrivileged
 352                     (new java.security.PrivilegedAction<>() {
 353                         public Subject run() {
 354                             DomainCombiner dc = acc.getDomainCombiner();
 355                             if (!(dc instanceof SubjectDomainCombiner)) {
 356                                 return null;
 357                             }
 358                             SubjectDomainCombiner sdc = (SubjectDomainCombiner) dc;
 359                             return sdc.getSubject();
 360                         }
 361                     });
 362         }
 363     }
 364 
 365     private static final ScopedValue<Subject> SCOPED_SUBJECT =
 366             ScopedValue.newInstance();
 367 
 368     /**
 369      * Returns the current subject.
 370      *
 371      * <p> The current subject is installed by the {@link #callAs} method.
 372      * When {@code callAs(subject, action)} is called, {@code action} is
 373      * executed with {@code subject} as its current subject which can be
 374      * retrieved by this method. After {@code action} is finished, the current
 375      * subject is reset to its previous value. The current
 376      * subject is {@code null} before the first call of {@code callAs()}.
 377      *
 378      * <p> If a security manager is <a href=#sm-allowed>allowed</a>, this
 379      * method is equivalent to calling {@link #getSubject} with the current
 380      * {@code AccessControlContext}.
 381      *
 382      * <p> If a security manager is not allowed, this method returns the
 383      * {@code Subject} bound to the period of the execution of the current
 384      * thread.
 385      *
 386      * @return the current subject, or {@code null} if a current subject is
 387      *      not installed or the current subject is set to {@code null}.
 388      * @see #callAs(Subject, Callable)
 389      * @since 18
 390      */
 391     @SuppressWarnings("removal")
 392     public static Subject current() {
 393         if (!SharedSecrets.getJavaLangAccess().allowSecurityManager()) {
 394             return SCOPED_SUBJECT.orElse(null);
 395         } else {
 396             return getSubject(AccessController.getContext());
 397         }
 398     }
 399 
 400     /**
 401      * Executes a {@code Callable} with {@code subject} as the
 402      * current subject.
 403      *
 404      * <p> If a security manager is <a href=#sm-allowed>allowed</a>,
 405      * this method first retrieves the current Thread's
 406      * {@code AccessControlContext} via
 407      * {@code AccessController.getContext},
 408      * and then instantiates a new {@code AccessControlContext}
 409      * using the retrieved context along with a new
 410      * {@code SubjectDomainCombiner} (constructed using
 411      * the provided {@code Subject}).
 412      * Finally, this method invokes {@code AccessController.doPrivileged},
 413      * passing it the provided {@code PrivilegedAction},
 414      * as well as the newly constructed {@code AccessControlContext}.
 415      *
 416      * <p> If a security manager is not allowed,
 417      * this method launches {@code action} and binds {@code subject} to the
 418      * period of its execution.
 419      *
 420      * @param subject the {@code Subject} that the specified {@code action}
 421      *               will run as.  This parameter may be {@code null}.
 422      * @param action the code to be run with {@code subject} as its current
 423      *               subject. Must not be {@code null}.
 424      * @param <T> the type of value returned by the {@code call} method
 425      *            of {@code action}
 426      * @return the value returned by the {@code call} method of {@code action}
 427      * @throws NullPointerException if {@code action} is {@code null}
 428      * @throws CompletionException if {@code action.call()} throws an exception.
 429      *      The cause of the {@code CompletionException} is set to the exception
 430      *      thrown by {@code action.call()}.
 431      * @see #current()
 432      * @since 18
 433      */
 434     public static <T> T callAs(final Subject subject,
 435             final Callable<T> action) throws CompletionException {
 436         Objects.requireNonNull(action);
 437         if (!SharedSecrets.getJavaLangAccess().allowSecurityManager()) {
 438             try {
 439                 return ScopedValue.where(SCOPED_SUBJECT, subject).call(action::call);
 440             } catch (Exception e) {
 441                 throw new CompletionException(e);
 442             }
 443         } else {
 444             try {
 445                 PrivilegedExceptionAction<T> pa = () -> action.call();
 446                 @SuppressWarnings("removal")
 447                 var result = doAs(subject, pa);
 448                 return result;
 449             } catch (PrivilegedActionException e) {
 450                 throw new CompletionException(e.getCause());
 451             } catch (Exception e) {
 452                 throw new CompletionException(e);
 453             }
 454         }
 455     }
 456 
 457     /**
 458      * Perform work as a particular {@code Subject}.
 459      *
 460      * <p> If a security manager is <a href=#sm-allowed>allowed</a>,
 461      * this method first retrieves the current Thread's
 462      * {@code AccessControlContext} via
 463      * {@code AccessController.getContext},
 464      * and then instantiates a new {@code AccessControlContext}
 465      * using the retrieved context along with a new
 466      * {@code SubjectDomainCombiner} (constructed using
 467      * the provided {@code Subject}).
 468      * Finally, this method invokes {@code AccessController.doPrivileged},
 469      * passing it the provided {@code PrivilegedAction},
 470      * as well as the newly constructed {@code AccessControlContext}.
 471      *
 472      * <p> If a security manager is not allowed,
 473      * this method launches {@code action} and binds {@code subject} to the
 474      * period of its execution.
 475      *
 476      * @param subject the {@code Subject} that the specified
 477      *                  {@code action} will run as.  This parameter
 478      *                  may be {@code null}.
 479      *
 480      * @param <T> the type of the value returned by the PrivilegedAction's
 481      *                  {@code run} method.
 482      *
 483      * @param action the code to be run as the specified
 484      *                  {@code Subject}.
 485      *
 486      * @return the value returned by the PrivilegedAction's
 487      *                  {@code run} method.
 488      *
 489      * @throws NullPointerException if the {@code PrivilegedAction}
 490      *                  is {@code null}.
 491      *
 492      * @throws SecurityException if a security manager is installed and the
 493      *                  caller does not have an
 494      *                  {@link AuthPermission#AuthPermission(String)
 495      *                  AuthPermission("doAs")} permission to invoke this
 496      *                  method.
 497      *
 498      * @deprecated This method depends on {@link AccessControlContext}
 499      *       which, in conjunction with
 500      *       {@linkplain SecurityManager the Security Manager}, is deprecated
 501      *       and subject to removal in a future release. However, performing
 502      *       work as a Subject is useful independent of the Security Manager.
 503      *       Thus, a replacement API named {@link #callAs} has been added
 504      *       which can be used to perform the same work.
 505      */
 506     @SuppressWarnings("removal")
 507     @Deprecated(since="18", forRemoval=true)
 508     public static <T> T doAs(final Subject subject,
 509                         final java.security.PrivilegedAction<T> action) {
 510 
 511         java.lang.SecurityManager sm = System.getSecurityManager();
 512         if (sm != null) {
 513             sm.checkPermission(AuthPermissionHolder.DO_AS_PERMISSION);
 514         }
 515 
 516         Objects.requireNonNull(action,
 517                 ResourcesMgr.getString("invalid.null.action.provided"));
 518 
 519         if (!SharedSecrets.getJavaLangAccess().allowSecurityManager()) {
 520             try {
 521                 return callAs(subject, action::run);
 522             } catch (CompletionException ce) {
 523                 var cause = ce.getCause();
 524                 if (cause instanceof RuntimeException re) {
 525                     throw re;
 526                 } else if (cause instanceof Error er) {
 527                     throw er;
 528                 } else {
 529                     throw new AssertionError(ce);
 530                 }
 531             }
 532         } else {
 533             // set up the new Subject-based AccessControlContext
 534             // for doPrivileged
 535             final AccessControlContext currentAcc = AccessController.getContext();
 536 
 537             // call doPrivileged and push this new context on the stack
 538             return java.security.AccessController.doPrivileged
 539                     (action,
 540                             createContext(subject, currentAcc));
 541         }
 542     }
 543 
 544     /**
 545      * Perform work as a particular {@code Subject}.
 546      *
 547      * <p> If a security manager is <a href=#sm-allowed>allowed</a>,
 548      * this method first retrieves the current Thread's
 549      * {@code AccessControlContext} via
 550      * {@code AccessController.getContext},
 551      * and then instantiates a new {@code AccessControlContext}
 552      * using the retrieved context along with a new
 553      * {@code SubjectDomainCombiner} (constructed using
 554      * the provided {@code Subject}).
 555      * Finally, this method invokes {@code AccessController.doPrivileged},
 556      * passing it the provided {@code PrivilegedExceptionAction},
 557      * as well as the newly constructed {@code AccessControlContext}.
 558      *
 559      * <p> If a security manager is not allowed,
 560      * this method launches {@code action} and binds {@code subject} to the
 561      * period of its execution.
 562 
 563      * @param subject the {@code Subject} that the specified
 564      *                  {@code action} will run as.  This parameter
 565      *                  may be {@code null}.
 566      *
 567      * @param <T> the type of the value returned by the
 568      *                  PrivilegedExceptionAction's {@code run} method.
 569      *
 570      * @param action the code to be run as the specified
 571      *                  {@code Subject}.
 572      *
 573      * @return the value returned by the
 574      *                  PrivilegedExceptionAction's {@code run} method.
 575      *
 576      * @throws PrivilegedActionException if the
 577      *                  {@code PrivilegedExceptionAction.run}
 578      *                  method throws a checked exception.
 579      *
 580      * @throws NullPointerException if the specified
 581      *                  {@code PrivilegedExceptionAction} is
 582      *                  {@code null}.
 583      *
 584      * @throws SecurityException if a security manager is installed and the
 585      *                  caller does not have an
 586      *                  {@link AuthPermission#AuthPermission(String)
 587      *                  AuthPermission("doAs")} permission to invoke this
 588      *                  method.
 589      *
 590      * @deprecated This method depends on {@link AccessControlContext}
 591      *       which, in conjunction with
 592      *       {@linkplain SecurityManager the Security Manager}, is deprecated
 593      *       and subject to removal in a future release. However, performing
 594      *       work as a Subject is useful independent of the Security Manager.
 595      *       Thus, a replacement API named {@link #callAs} has been added
 596      *       which can be used to perform the same work.
 597      */
 598     @SuppressWarnings("removal")
 599     @Deprecated(since="18", forRemoval=true)
 600     public static <T> T doAs(final Subject subject,
 601                         final java.security.PrivilegedExceptionAction<T> action)
 602                         throws java.security.PrivilegedActionException {
 603 
 604         java.lang.SecurityManager sm = System.getSecurityManager();
 605         if (sm != null) {
 606             sm.checkPermission(AuthPermissionHolder.DO_AS_PERMISSION);
 607         }
 608 
 609         Objects.requireNonNull(action,
 610                 ResourcesMgr.getString("invalid.null.action.provided"));
 611 
 612         if (!SharedSecrets.getJavaLangAccess().allowSecurityManager()) {
 613             try {
 614                 return callAs(subject, action::run);
 615             } catch (CompletionException ce) {
 616                 var cause = ce.getCause();
 617                 if (cause instanceof RuntimeException re) {
 618                     throw re;
 619                 } else if (cause instanceof Error er) {
 620                     throw er;
 621                 } else if (cause instanceof Exception e) {
 622                     throw new PrivilegedActionException(e);
 623                 } else {
 624                     throw new PrivilegedActionException(ce);
 625                 }
 626             }
 627         } else {
 628             // set up the new Subject-based AccessControlContext for doPrivileged
 629             final AccessControlContext currentAcc = AccessController.getContext();
 630 
 631             // call doPrivileged and push this new context on the stack
 632             return java.security.AccessController.doPrivileged
 633                     (action,
 634                             createContext(subject, currentAcc));
 635         }
 636     }
 637 
 638     /**
 639      * Perform privileged work as a particular {@code Subject}.
 640      *
 641      * <p> If a security manager is <a href=#sm-allowed>allowed</a>,
 642      * this method behaves exactly as {@code Subject.doAs},
 643      * except that instead of retrieving the current Thread's
 644      * {@code AccessControlContext}, it uses the provided
 645      * {@code AccessControlContext}.  If the provided
 646      * {@code AccessControlContext} is {@code null},
 647      * this method instantiates a new {@code AccessControlContext}
 648      * with an empty collection of ProtectionDomains.
 649      *
 650      * <p> If a security manager is not allowed,
 651      * this method ignores the {@code acc} argument, launches {@code action},
 652      * and binds {@code subject} to the period of its execution.
 653      *
 654      * @param subject the {@code Subject} that the specified
 655      *                  {@code action} will run as.  This parameter
 656      *                  may be {@code null}.
 657      *
 658      * @param <T> the type of the value returned by the PrivilegedAction's
 659      *                  {@code run} method.
 660      *
 661      * @param action the code to be run as the specified
 662      *                  {@code Subject}.
 663      *
 664      * @param acc the {@code AccessControlContext} to be tied to the
 665      *                  specified <i>subject</i> and <i>action</i>.
 666      *
 667      * @return the value returned by the PrivilegedAction's
 668      *                  {@code run} method.
 669      *
 670      * @throws NullPointerException if the {@code PrivilegedAction}
 671      *                  is {@code null}.
 672      *
 673      * @throws SecurityException if a security manager is installed and the
 674      *                  caller does not have a
 675      *                  {@link AuthPermission#AuthPermission(String)
 676      *                  AuthPermission("doAsPrivileged")} permission to invoke
 677      *                  this method.
 678      *
 679      * @deprecated This method is only useful in conjunction with
 680      *       {@linkplain SecurityManager the Security Manager}, which is
 681      *       deprecated and subject to removal in a future release.
 682      *       Consequently, this method is also deprecated and subject to
 683      *       removal. There is no replacement for the Security Manager or this
 684      *       method.
 685      */
 686     @SuppressWarnings("removal")
 687     @Deprecated(since="17", forRemoval=true)
 688     public static <T> T doAsPrivileged(final Subject subject,
 689                         final java.security.PrivilegedAction<T> action,
 690                         final java.security.AccessControlContext acc) {
 691 
 692         java.lang.SecurityManager sm = System.getSecurityManager();
 693         if (sm != null) {
 694             sm.checkPermission(AuthPermissionHolder.DO_AS_PRIVILEGED_PERMISSION);
 695         }
 696 
 697         Objects.requireNonNull(action,
 698                 ResourcesMgr.getString("invalid.null.action.provided"));
 699 
 700         if (!SharedSecrets.getJavaLangAccess().allowSecurityManager()) {
 701             try {
 702                 return callAs(subject, action::run);
 703             } catch (CompletionException ce) {
 704                 var cause = ce.getCause();
 705                 if (cause instanceof RuntimeException re) {
 706                     throw re;
 707                 } else if (cause instanceof Error er) {
 708                     throw er;
 709                 } else {
 710                     throw new AssertionError(ce);
 711                 }
 712             }
 713         } else {
 714             // set up the new Subject-based AccessControlContext
 715             // for doPrivileged
 716             final AccessControlContext callerAcc =
 717                     (acc == null ?
 718                             new AccessControlContext(NULL_PD_ARRAY) :
 719                             acc);
 720 
 721             // call doPrivileged and push this new context on the stack
 722             return java.security.AccessController.doPrivileged
 723                     (action,
 724                             createContext(subject, callerAcc));
 725         }
 726     }
 727 
 728     /**
 729      * Perform privileged work as a particular {@code Subject}.
 730      *
 731      * <p> If a security manager is <a href=#sm-allowed>allowed</a>,
 732      * this method behaves exactly as {@code Subject.doAs},
 733      * except that instead of retrieving the current Thread's
 734      * {@code AccessControlContext}, it uses the provided
 735      * {@code AccessControlContext}.  If the provided
 736      * {@code AccessControlContext} is {@code null},
 737      * this method instantiates a new {@code AccessControlContext}
 738      * with an empty collection of ProtectionDomains.
 739      *
 740      * <p> If a security manager is not allowed,
 741      * this method ignores the {@code acc} argument, launches {@code action},
 742      * and binds {@code subject} to the period of its execution.
 743      *
 744      * @param subject the {@code Subject} that the specified
 745      *                  {@code action} will run as.  This parameter
 746      *                  may be {@code null}.
 747      *
 748      * @param <T> the type of the value returned by the
 749      *                  PrivilegedExceptionAction's {@code run} method.
 750      *
 751      * @param action the code to be run as the specified
 752      *                  {@code Subject}.
 753      *
 754      * @param acc the {@code AccessControlContext} to be tied to the
 755      *                  specified <i>subject</i> and <i>action</i>.
 756      *
 757      * @return the value returned by the
 758      *                  PrivilegedExceptionAction's {@code run} method.
 759      *
 760      * @throws PrivilegedActionException if the
 761      *                  {@code PrivilegedExceptionAction.run}
 762      *                  method throws a checked exception.
 763      *
 764      * @throws NullPointerException if the specified
 765      *                  {@code PrivilegedExceptionAction} is
 766      *                  {@code null}.
 767      *
 768      * @throws SecurityException if a security manager is installed and the
 769      *                  caller does not have a
 770      *                  {@link AuthPermission#AuthPermission(String)
 771      *                  AuthPermission("doAsPrivileged")} permission to invoke
 772      *                  this method.
 773      *
 774      * @deprecated This method is only useful in conjunction with
 775      *       {@linkplain SecurityManager the Security Manager}, which is
 776      *       deprecated and subject to removal in a future release.
 777      *       Consequently, this method is also deprecated and subject to
 778      *       removal. There is no replacement for the Security Manager or this
 779      *       method.
 780      */
 781     @SuppressWarnings("removal")
 782     @Deprecated(since="17", forRemoval=true)
 783     public static <T> T doAsPrivileged(final Subject subject,
 784                         final java.security.PrivilegedExceptionAction<T> action,
 785                         final java.security.AccessControlContext acc)
 786                         throws java.security.PrivilegedActionException {
 787 
 788         java.lang.SecurityManager sm = System.getSecurityManager();
 789         if (sm != null) {
 790             sm.checkPermission(AuthPermissionHolder.DO_AS_PRIVILEGED_PERMISSION);
 791         }
 792 
 793         Objects.requireNonNull(action,
 794                 ResourcesMgr.getString("invalid.null.action.provided"));
 795 
 796         if (!SharedSecrets.getJavaLangAccess().allowSecurityManager()) {
 797             try {
 798                 return callAs(subject, action::run);
 799             } catch (CompletionException ce) {
 800                 var cause = ce.getCause();
 801                 if (cause instanceof RuntimeException re) {
 802                     throw re;
 803                 } else if (cause instanceof Error er) {
 804                     throw er;
 805                 } else if (cause instanceof Exception e) {
 806                     throw new PrivilegedActionException(e);
 807                 } else {
 808                     throw new PrivilegedActionException(ce);
 809                 }
 810             }
 811         } else {
 812             // set up the new Subject-based AccessControlContext for doPrivileged
 813             final AccessControlContext callerAcc =
 814                     (acc == null ?
 815                             new AccessControlContext(NULL_PD_ARRAY) :
 816                             acc);
 817 
 818             // call doPrivileged and push this new context on the stack
 819             return java.security.AccessController.doPrivileged
 820                     (action,
 821                             createContext(subject, callerAcc));
 822         }
 823     }
 824 
 825     @SuppressWarnings("removal")
 826     private static AccessControlContext createContext(final Subject subject,
 827                                         final AccessControlContext acc) {
 828 
 829 
 830         return java.security.AccessController.doPrivileged
 831             (new java.security.PrivilegedAction<>() {
 832             public AccessControlContext run() {
 833                 if (subject == null) {
 834                     return new AccessControlContext(acc, null);
 835                 } else {
 836                     return new AccessControlContext
 837                                         (acc,
 838                                         new SubjectDomainCombiner(subject));
 839             }
 840             }
 841         });
 842     }
 843 
 844     /**
 845      * Return the {@code Set} of Principals associated with this
 846      * {@code Subject}.  Each {@code Principal} represents
 847      * an identity for this {@code Subject}.
 848      *
 849      * <p> The returned {@code Set} is backed by this Subject's
 850      * internal {@code Principal} {@code Set}.  Any modification
 851      * to the returned {@code Set} affects the internal
 852      * {@code Principal} {@code Set} as well.
 853      *
 854      * <p> If a security manager is installed, the caller must have a
 855      * {@link AuthPermission#AuthPermission(String)
 856      * AuthPermission("modifyPrincipals")} permission to modify
 857      * the returned set, or a {@code SecurityException} will be thrown.
 858      *
 859      * @return  the {@code Set} of Principals associated with this
 860      *          {@code Subject}.
 861      */
 862     public Set<Principal> getPrincipals() {
 863 
 864         // always return an empty Set instead of null
 865         // so LoginModules can add to the Set if necessary
 866         return principals;
 867     }
 868 
 869     /**
 870      * Return a {@code Set} of Principals associated with this
 871      * {@code Subject} that are instances or subclasses of the specified
 872      * {@code Class}.
 873      *
 874      * <p> The returned {@code Set} is not backed by this Subject's
 875      * internal {@code Principal} {@code Set}.  A new
 876      * {@code Set} is created and returned for each method invocation.
 877      * Modifications to the returned {@code Set}
 878      * will not affect the internal {@code Principal} {@code Set}.
 879      *
 880      * @param <T> the type of the class modeled by {@code c}
 881      *
 882      * @param c the returned {@code Set} of Principals will all be
 883      *          instances of this class.
 884      *
 885      * @return a {@code Set} of Principals that are instances of the
 886      *          specified {@code Class}.
 887      *
 888      * @throws NullPointerException if the specified {@code Class}
 889      *          is {@code null}.
 890      */
 891     public <T extends Principal> Set<T> getPrincipals(Class<T> c) {
 892 
 893         Objects.requireNonNull(c,
 894                 ResourcesMgr.getString("invalid.null.Class.provided"));
 895 
 896         // always return an empty Set instead of null
 897         // so LoginModules can add to the Set if necessary
 898         return new ClassSet<>(PRINCIPAL_SET, c);
 899     }
 900 
 901     /**
 902      * Return the {@code Set} of public credentials held by this
 903      * {@code Subject}.
 904      *
 905      * <p> The returned {@code Set} is backed by this Subject's
 906      * internal public Credential {@code Set}.  Any modification
 907      * to the returned {@code Set} affects the internal public
 908      * Credential {@code Set} as well.
 909      *
 910      * <p> If a security manager is installed, the caller must have a
 911      * {@link AuthPermission#AuthPermission(String)
 912      * AuthPermission("modifyPublicCredentials")} permission to modify
 913      * the returned set, or a {@code SecurityException} will be thrown.
 914      *
 915      * @return  a {@code Set} of public credentials held by this
 916      *          {@code Subject}.
 917      */
 918     public Set<Object> getPublicCredentials() {
 919 
 920         // always return an empty Set instead of null
 921         // so LoginModules can add to the Set if necessary
 922         return pubCredentials;
 923     }
 924 
 925     /**
 926      * Return the {@code Set} of private credentials held by this
 927      * {@code Subject}.
 928      *
 929      * <p> The returned {@code Set} is backed by this Subject's
 930      * internal private Credential {@code Set}.  Any modification
 931      * to the returned {@code Set} affects the internal private
 932      * Credential {@code Set} as well.
 933      *
 934      * <p> If a security manager is installed, the caller must have a
 935      * {@link AuthPermission#AuthPermission(String)
 936      * AuthPermission("modifyPrivateCredentials")} permission to modify
 937      * the returned set, or a {@code SecurityException} will be thrown.
 938      *
 939      * <p> While iterating through the {@code Set},
 940      * a {@code SecurityException} is thrown if a security manager is installed
 941      * and the caller does not have a {@link PrivateCredentialPermission}
 942      * to access a particular Credential.  The {@code Iterator}
 943      * is nevertheless advanced to the next element in the {@code Set}.
 944      *
 945      * @return  a {@code Set} of private credentials held by this
 946      *          {@code Subject}.
 947      */
 948     public Set<Object> getPrivateCredentials() {
 949 
 950         // XXX
 951         // we do not need a security check for
 952         // AuthPermission(getPrivateCredentials)
 953         // because we already restrict access to private credentials
 954         // via the PrivateCredentialPermission.  all the extra AuthPermission
 955         // would do is protect the set operations themselves
 956         // (like size()), which don't seem security-sensitive.
 957 
 958         // always return an empty Set instead of null
 959         // so LoginModules can add to the Set if necessary
 960         return privCredentials;
 961     }
 962 
 963     /**
 964      * Return a {@code Set} of public credentials associated with this
 965      * {@code Subject} that are instances or subclasses of the specified
 966      * {@code Class}.
 967      *
 968      * <p> The returned {@code Set} is not backed by this Subject's
 969      * internal public Credential {@code Set}.  A new
 970      * {@code Set} is created and returned for each method invocation.
 971      * Modifications to the returned {@code Set}
 972      * will not affect the internal public Credential {@code Set}.
 973      *
 974      * @param <T> the type of the class modeled by {@code c}
 975      *
 976      * @param c the returned {@code Set} of public credentials will all be
 977      *          instances of this class.
 978      *
 979      * @return a {@code Set} of public credentials that are instances
 980      *          of the  specified {@code Class}.
 981      *
 982      * @throws NullPointerException if the specified {@code Class}
 983      *          is {@code null}.
 984      */
 985     public <T> Set<T> getPublicCredentials(Class<T> c) {
 986 
 987         Objects.requireNonNull(c,
 988                 ResourcesMgr.getString("invalid.null.Class.provided"));
 989 
 990         // always return an empty Set instead of null
 991         // so LoginModules can add to the Set if necessary
 992         return new ClassSet<>(PUB_CREDENTIAL_SET, c);
 993     }
 994 
 995     /**
 996      * Return a {@code Set} of private credentials associated with this
 997      * {@code Subject} that are instances or subclasses of the specified
 998      * {@code Class}.
 999      *
1000      * <p> If a security manager is installed, the caller must have a
1001      * {@link PrivateCredentialPermission} to access all of the requested
1002      * Credentials, or a {@code SecurityException} will be thrown.
1003      *
1004      * <p> The returned {@code Set} is not backed by this Subject's
1005      * internal private Credential {@code Set}.  A new
1006      * {@code Set} is created and returned for each method invocation.
1007      * Modifications to the returned {@code Set}
1008      * will not affect the internal private Credential {@code Set}.
1009      *
1010      * @param <T> the type of the class modeled by {@code c}
1011      *
1012      * @param c the returned {@code Set} of private credentials will all be
1013      *          instances of this class.
1014      *
1015      * @return a {@code Set} of private credentials that are instances
1016      *          of the  specified {@code Class}.
1017      *
1018      * @throws NullPointerException if the specified {@code Class}
1019      *          is {@code null}.
1020      */
1021     public <T> Set<T> getPrivateCredentials(Class<T> c) {
1022 
1023         // XXX
1024         // we do not need a security check for
1025         // AuthPermission(getPrivateCredentials)
1026         // because we already restrict access to private credentials
1027         // via the PrivateCredentialPermission.  all the extra AuthPermission
1028         // would do is protect the set operations themselves
1029         // (like size()), which don't seem security-sensitive.
1030 
1031         Objects.requireNonNull(c,
1032                 ResourcesMgr.getString("invalid.null.Class.provided"));
1033 
1034         // always return an empty Set instead of null
1035         // so LoginModules can add to the Set if necessary
1036         return new ClassSet<>(PRIV_CREDENTIAL_SET, c);
1037     }
1038 
1039     /**
1040      * Compares the specified Object with this {@code Subject}
1041      * for equality.  Returns true if the given object is also a Subject
1042      * and the two {@code Subject} instances are equivalent.
1043      * More formally, two {@code Subject} instances are
1044      * equal if their {@code Principal} and {@code Credential}
1045      * Sets are equal.
1046      *
1047      * @param o Object to be compared for equality with this
1048      *          {@code Subject}.
1049      *
1050      * @return true if the specified Object is equal to this
1051      *          {@code Subject}.
1052      *
1053      * @throws SecurityException if a security manager is installed and the
1054      *         caller does not have a {@link PrivateCredentialPermission}
1055      *         permission to access the private credentials for this
1056      *         {@code Subject} or the provided {@code Subject}.
1057      */
1058     @Override
1059     public boolean equals(Object o) {
1060 
1061         if (this == o) {
1062             return true;
1063         }
1064 
1065         if (o instanceof final Subject that) {
1066 
1067             // check the principal and credential sets
1068             Set<Principal> thatPrincipals;
1069             synchronized(that.principals) {
1070                 // avoid deadlock from dual locks
1071                 thatPrincipals = new HashSet<>(that.principals);
1072             }
1073             if (!principals.equals(thatPrincipals)) {
1074                 return false;
1075             }
1076 
1077             Set<Object> thatPubCredentials;
1078             synchronized(that.pubCredentials) {
1079                 // avoid deadlock from dual locks
1080                 thatPubCredentials = new HashSet<>(that.pubCredentials);
1081             }
1082             if (!pubCredentials.equals(thatPubCredentials)) {
1083                 return false;
1084             }
1085 
1086             Set<Object> thatPrivCredentials;
1087             synchronized(that.privCredentials) {
1088                 // avoid deadlock from dual locks
1089                 thatPrivCredentials = new HashSet<>(that.privCredentials);
1090             }
1091             return privCredentials.equals(thatPrivCredentials);
1092         }
1093         return false;
1094     }
1095 
1096     /**
1097      * Return the String representation of this {@code Subject}.
1098      *
1099      * @return the String representation of this {@code Subject}.
1100      */
1101     @Override
1102     public String toString() {
1103         return toString(true);
1104     }
1105 
1106     /**
1107      * package private convenience method to print out the Subject
1108      * without firing off a security check when trying to access
1109      * the Private Credentials
1110      */
1111     String toString(boolean includePrivateCredentials) {
1112 
1113         String s = ResourcesMgr.getString("Subject.");
1114         String suffix = "";
1115 
1116         synchronized(principals) {
1117             for (Principal p : principals) {
1118                 suffix = suffix + ResourcesMgr.getString(".Principal.") +
1119                         p.toString() + ResourcesMgr.getString("NEWLINE");
1120             }
1121         }
1122 
1123         synchronized(pubCredentials) {
1124             for (Object o : pubCredentials) {
1125                 suffix = suffix +
1126                         ResourcesMgr.getString(".Public.Credential.") +
1127                         o.toString() + ResourcesMgr.getString("NEWLINE");
1128             }
1129         }
1130 
1131         if (includePrivateCredentials) {
1132             synchronized(privCredentials) {
1133                 Iterator<Object> pI = privCredentials.iterator();
1134                 while (pI.hasNext()) {
1135                     try {
1136                         Object o = pI.next();
1137                         suffix += ResourcesMgr.getString
1138                                         (".Private.Credential.") +
1139                                         o.toString() +
1140                                         ResourcesMgr.getString("NEWLINE");
1141                     } catch (SecurityException se) {
1142                         suffix += ResourcesMgr.getString
1143                                 (".Private.Credential.inaccessible.");
1144                         break;
1145                     }
1146                 }
1147             }
1148         }
1149         return s + suffix;
1150     }
1151 
1152     /**
1153      * {@return a hashcode for this {@code Subject}}
1154      *
1155      * @throws SecurityException if a security manager is installed and the
1156      *         caller does not have a {@link PrivateCredentialPermission}
1157      *         permission to access this Subject's private credentials.
1158      */
1159     @Override
1160     public int hashCode() {
1161 
1162         /*
1163          * The hashcode is derived exclusive or-ing the
1164          * hashcodes of this Subject's Principals and credentials.
1165          *
1166          * If a particular credential was destroyed
1167          * ({@code credential.hashCode()} throws an
1168          * {@code IllegalStateException}),
1169          * the hashcode for that credential is derived via:
1170          * {@code credential.getClass().toString().hashCode()}.
1171          */
1172 
1173         int hashCode = 0;
1174 
1175         synchronized(principals) {
1176             for (Principal p : principals) {
1177                 hashCode ^= p.hashCode();
1178             }
1179         }
1180 
1181         synchronized(pubCredentials) {
1182             for (Object pubCredential : pubCredentials) {
1183                 hashCode ^= getCredHashCode(pubCredential);
1184             }
1185         }
1186         return hashCode;
1187     }
1188 
1189     /**
1190      * get a credential's hashcode
1191      */
1192     private int getCredHashCode(Object o) {
1193         try {
1194             return o.hashCode();
1195         } catch (IllegalStateException ise) {
1196             return o.getClass().toString().hashCode();
1197         }
1198     }
1199 
1200     /**
1201      * Writes this object out to a stream (i.e., serializes it).
1202      *
1203      * @param  oos the {@code ObjectOutputStream} to which data is written
1204      * @throws IOException if an I/O error occurs
1205      */
1206     @java.io.Serial
1207     private void writeObject(java.io.ObjectOutputStream oos)
1208                 throws java.io.IOException {
1209         synchronized(principals) {
1210             oos.defaultWriteObject();
1211         }
1212     }
1213 
1214     /**
1215      * Reads this object from a stream (i.e., deserializes it)
1216      *
1217      * @param  s the {@code ObjectInputStream} from which data is read
1218      * @throws IOException if an I/O error occurs
1219      * @throws ClassNotFoundException if a serialized class cannot be loaded
1220      */
1221     @SuppressWarnings("unchecked")
1222     @java.io.Serial
1223     private void readObject(java.io.ObjectInputStream s)
1224                 throws java.io.IOException, ClassNotFoundException {
1225 
1226         ObjectInputStream.GetField gf = s.readFields();
1227 
1228         readOnly = gf.get("readOnly", false);
1229 
1230         Set<Principal> inputPrincs = (Set<Principal>)gf.get("principals", null);
1231 
1232         Objects.requireNonNull(inputPrincs,
1233                 ResourcesMgr.getString("invalid.null.input.s."));
1234 
1235         // Rewrap the principals into a SecureSet
1236         try {
1237             LinkedList<Principal> principalList = collectionNullClean(inputPrincs);
1238             principals = Collections.synchronizedSet(new SecureSet<>
1239                                 (this, PRINCIPAL_SET, principalList));
1240         } catch (NullPointerException npe) {
1241             // Sometimes people deserialize the principals set only.
1242             // Subject is not accessible, so just don't fail.
1243             principals = Collections.synchronizedSet
1244                         (new SecureSet<>(this, PRINCIPAL_SET));
1245         }
1246 
1247         // The Credential {@code Set} is not serialized, but we do not
1248         // want the default deserialization routine to set it to null.
1249         this.pubCredentials = Collections.synchronizedSet
1250                         (new SecureSet<>(this, PUB_CREDENTIAL_SET));
1251         this.privCredentials = Collections.synchronizedSet
1252                         (new SecureSet<>(this, PRIV_CREDENTIAL_SET));
1253     }
1254 
1255     /**
1256      * Tests for null-clean collections (both non-null reference and
1257      * no null elements)
1258      *
1259      * @param coll A {@code Collection} to be tested for null references
1260      *
1261      * @throws NullPointerException if the specified collection is either
1262      *            {@code null} or contains a {@code null} element
1263      */
1264     private static <E> LinkedList<E> collectionNullClean(
1265             Collection<? extends E> coll) {
1266 
1267         Objects.requireNonNull(coll,
1268                 ResourcesMgr.getString("invalid.null.input.s."));
1269 
1270         LinkedList<E> output = new LinkedList<>();
1271         for (E e : coll) {
1272             output.add(Objects.requireNonNull(e,
1273                     ResourcesMgr.getString("invalid.null.input.s.")));
1274         }
1275         return output;
1276     }
1277 
1278     /**
1279      * Prevent modifications unless caller has permission.
1280      *
1281      * @serial include
1282      */
1283     private static class SecureSet<E>
1284         implements Set<E>, java.io.Serializable {
1285 
1286         @java.io.Serial
1287         private static final long serialVersionUID = 7911754171111800359L;
1288 
1289         /**
1290          * @serialField this$0 Subject The outer Subject instance.
1291          * @serialField elements LinkedList The elements in this set.
1292          */
1293         @java.io.Serial
1294         private static final ObjectStreamField[] serialPersistentFields = {
1295             new ObjectStreamField("this$0", Subject.class),
1296             new ObjectStreamField("elements", LinkedList.class),
1297             new ObjectStreamField("which", int.class)
1298         };
1299 
1300         Subject subject;
1301         LinkedList<E> elements;
1302 
1303         /**
1304          * @serial An integer identifying the type of objects contained
1305          *      in this set.  If {@code which == 1},
1306          *      this is a Principal set and all the elements are
1307          *      of type {@code java.security.Principal}.
1308          *      If {@code which == 2}, this is a public credential
1309          *      set and all the elements are of type {@code Object}.
1310          *      If {@code which == 3}, this is a private credential
1311          *      set and all the elements are of type {@code Object}.
1312          */
1313         private int which;
1314 
1315         SecureSet(Subject subject, int which) {
1316             this.subject = subject;
1317             this.which = which;
1318             this.elements = new LinkedList<>();
1319         }
1320 
1321         SecureSet(Subject subject, int which, LinkedList<E> list) {
1322             this.subject = subject;
1323             this.which = which;
1324             this.elements = list;
1325         }
1326 
1327         public int size() {
1328             return elements.size();
1329         }
1330 
1331         public Iterator<E> iterator() {
1332             final LinkedList<E> list = elements;
1333             return new Iterator<>() {
1334                 final ListIterator<E> i = list.listIterator(0);
1335 
1336                 public boolean hasNext() {
1337                     return i.hasNext();
1338                 }
1339 
1340                 public E next() {
1341                     if (which != Subject.PRIV_CREDENTIAL_SET) {
1342                         return i.next();
1343                     }
1344 
1345                     @SuppressWarnings("removal")
1346                     SecurityManager sm = System.getSecurityManager();
1347                     if (sm != null) {
1348                         try {
1349                             sm.checkPermission(new PrivateCredentialPermission
1350                                 (list.get(i.nextIndex()).getClass().getName(),
1351                                 subject.getPrincipals()));
1352                         } catch (SecurityException se) {
1353                             i.next();
1354                             throw (se);
1355                         }
1356                     }
1357                     return i.next();
1358                 }
1359 
1360                 public void remove() {
1361 
1362                     if (subject.isReadOnly()) {
1363                         throw new IllegalStateException(ResourcesMgr.getString
1364                                 ("Subject.is.read.only"));
1365                     }
1366 
1367                     @SuppressWarnings("removal")
1368                     java.lang.SecurityManager sm = System.getSecurityManager();
1369                     if (sm != null) {
1370                         switch (which) {
1371                         case Subject.PRINCIPAL_SET:
1372                             sm.checkPermission(AuthPermissionHolder.MODIFY_PRINCIPALS_PERMISSION);
1373                             break;
1374                         case Subject.PUB_CREDENTIAL_SET:
1375                             sm.checkPermission(AuthPermissionHolder.MODIFY_PUBLIC_CREDENTIALS_PERMISSION);
1376                             break;
1377                         default:
1378                             sm.checkPermission(AuthPermissionHolder.MODIFY_PRIVATE_CREDENTIALS_PERMISSION);
1379                             break;
1380                         }
1381                     }
1382                     i.remove();
1383                 }
1384             };
1385         }
1386 
1387         public boolean add(E o) {
1388 
1389             Objects.requireNonNull(o,
1390                     ResourcesMgr.getString("invalid.null.input.s."));
1391 
1392             if (subject.isReadOnly()) {
1393                 throw new IllegalStateException
1394                         (ResourcesMgr.getString("Subject.is.read.only"));
1395             }
1396 
1397             @SuppressWarnings("removal")
1398             java.lang.SecurityManager sm = System.getSecurityManager();
1399             if (sm != null) {
1400                 switch (which) {
1401                 case Subject.PRINCIPAL_SET:
1402                     sm.checkPermission(AuthPermissionHolder.MODIFY_PRINCIPALS_PERMISSION);
1403                     break;
1404                 case Subject.PUB_CREDENTIAL_SET:
1405                     sm.checkPermission(AuthPermissionHolder.MODIFY_PUBLIC_CREDENTIALS_PERMISSION);
1406                     break;
1407                 default:
1408                     sm.checkPermission(AuthPermissionHolder.MODIFY_PRIVATE_CREDENTIALS_PERMISSION);
1409                     break;
1410                 }
1411             }
1412 
1413             switch (which) {
1414             case Subject.PRINCIPAL_SET:
1415                 if (!(o instanceof Principal)) {
1416                     throw new SecurityException(ResourcesMgr.getString
1417                         ("attempting.to.add.an.object.which.is.not.an.instance.of.java.security.Principal.to.a.Subject.s.Principal.Set"));
1418                 }
1419                 break;
1420             default:
1421                 // ok to add Objects of any kind to credential sets
1422                 break;
1423             }
1424 
1425             // check for duplicates
1426             if (!elements.contains(o))
1427                 return elements.add(o);
1428             else {
1429                 return false;
1430         }
1431         }
1432 
1433         @SuppressWarnings("removal")
1434         public boolean remove(Object o) {
1435 
1436             Objects.requireNonNull(o,
1437                     ResourcesMgr.getString("invalid.null.input.s."));
1438 
1439             final Iterator<E> e = iterator();
1440             while (e.hasNext()) {
1441                 E next;
1442                 if (which != Subject.PRIV_CREDENTIAL_SET) {
1443                     next = e.next();
1444                 } else {
1445                     next = java.security.AccessController.doPrivileged
1446                         (new java.security.PrivilegedAction<E>() {
1447                         public E run() {
1448                             return e.next();
1449                         }
1450                     });
1451                 }
1452 
1453                 if (next.equals(o)) {
1454                     e.remove();
1455                     return true;
1456                 }
1457             }
1458             return false;
1459         }
1460 
1461         @SuppressWarnings("removal")
1462         public boolean contains(Object o) {
1463 
1464             Objects.requireNonNull(o,
1465                     ResourcesMgr.getString("invalid.null.input.s."));
1466 
1467             final Iterator<E> e = iterator();
1468             while (e.hasNext()) {
1469                 E next;
1470                 if (which != Subject.PRIV_CREDENTIAL_SET) {
1471                     next = e.next();
1472                 } else {
1473 
1474                     // For private credentials:
1475                     // If the caller does not have read permission
1476                     // for o.getClass(), we throw a SecurityException.
1477                     // Otherwise, we check the private cred set to see whether
1478                     // it contains the Object
1479 
1480                     SecurityManager sm = System.getSecurityManager();
1481                     if (sm != null) {
1482                         sm.checkPermission(new PrivateCredentialPermission
1483                                                 (o.getClass().getName(),
1484                                                 subject.getPrincipals()));
1485                     }
1486                     next = java.security.AccessController.doPrivileged
1487                         (new java.security.PrivilegedAction<E>() {
1488                         public E run() {
1489                             return e.next();
1490                         }
1491                     });
1492                 }
1493 
1494                 if (next.equals(o)) {
1495                     return true;
1496                 }
1497             }
1498             return false;
1499         }
1500 
1501         public boolean addAll(Collection<? extends E> c) {
1502             boolean result = false;
1503 
1504             c = collectionNullClean(c);
1505 
1506             for (E item : c) {
1507                 result |= this.add(item);
1508             }
1509 
1510             return result;
1511         }
1512 
1513         @SuppressWarnings("removal")
1514         public boolean removeAll(Collection<?> c) {
1515             c = collectionNullClean(c);
1516 
1517             boolean modified = false;
1518             final Iterator<E> e = iterator();
1519             while (e.hasNext()) {
1520                 E next;
1521                 if (which != Subject.PRIV_CREDENTIAL_SET) {
1522                     next = e.next();
1523                 } else {
1524                     next = java.security.AccessController.doPrivileged
1525                         (new java.security.PrivilegedAction<E>() {
1526                         public E run() {
1527                             return e.next();
1528                         }
1529                     });
1530                 }
1531 
1532                 for (Object o : c) {
1533                     if (next.equals(o)) {
1534                         e.remove();
1535                         modified = true;
1536                         break;
1537                     }
1538                 }
1539             }
1540             return modified;
1541         }
1542 
1543         public boolean containsAll(Collection<?> c) {
1544             c = collectionNullClean(c);
1545 
1546             for (Object item : c) {
1547                 if (!this.contains(item)) {
1548                     return false;
1549                 }
1550             }
1551 
1552             return true;
1553         }
1554 
1555         @SuppressWarnings("removal")
1556         public boolean retainAll(Collection<?> c) {
1557             c = collectionNullClean(c);
1558 
1559             boolean modified = false;
1560             final Iterator<E> e = iterator();
1561             while (e.hasNext()) {
1562                 E next;
1563                 if (which != Subject.PRIV_CREDENTIAL_SET) {
1564                     next = e.next();
1565                 } else {
1566                     next = java.security.AccessController.doPrivileged
1567                         (new java.security.PrivilegedAction<E>() {
1568                         public E run() {
1569                             return e.next();
1570                         }
1571                     });
1572                 }
1573 
1574                 if (c.contains(next) == false) {
1575                     e.remove();
1576                     modified = true;
1577                 }
1578             }
1579 
1580             return modified;
1581         }
1582 
1583         @SuppressWarnings("removal")
1584         public void clear() {
1585             final Iterator<E> e = iterator();
1586             while (e.hasNext()) {
1587                 E next;
1588                 if (which != Subject.PRIV_CREDENTIAL_SET) {
1589                     next = e.next();
1590                 } else {
1591                     next = java.security.AccessController.doPrivileged
1592                         (new java.security.PrivilegedAction<E>() {
1593                         public E run() {
1594                             return e.next();
1595                         }
1596                     });
1597                 }
1598                 e.remove();
1599             }
1600         }
1601 
1602         public boolean isEmpty() {
1603             return elements.isEmpty();
1604         }
1605 
1606         public Object[] toArray() {
1607             final Iterator<E> e = iterator();
1608             while (e.hasNext()) {
1609                 // The next() method performs a security manager check
1610                 // on each element in the SecureSet.  If we make it all
1611                 // the way through we should be able to simply return
1612                 // element's toArray results.  Otherwise, we'll let
1613                 // the SecurityException pass up the call stack.
1614                 e.next();
1615             }
1616 
1617             return elements.toArray();
1618         }
1619 
1620         public <T> T[] toArray(T[] a) {
1621             final Iterator<E> e = iterator();
1622             while (e.hasNext()) {
1623                 // The next() method performs a security manager check
1624                 // on each element in the SecureSet.  If we make it all
1625                 // the way through we should be able to simply return
1626                 // element's toArray results.  Otherwise, we'll let
1627                 // the SecurityException pass up the call stack.
1628                 e.next();
1629             }
1630 
1631             return elements.toArray(a);
1632         }
1633 
1634         @Override
1635         public boolean equals(Object o) {
1636             if (o == this) {
1637                 return true;
1638             }
1639 
1640             if (!(o instanceof Set)) {
1641                 return false;
1642             }
1643 
1644             Collection<?> c = (Collection<?>) o;
1645             if (c.size() != size()) {
1646                 return false;
1647             }
1648 
1649             try {
1650                 return containsAll(c);
1651             } catch (ClassCastException | NullPointerException unused) {
1652                 return false;
1653             }
1654         }
1655 
1656         @Override
1657         public int hashCode() {
1658             int h = 0;
1659             for (E obj : this) {
1660                 h += Objects.hashCode(obj);
1661             }
1662             return h;
1663         }
1664 
1665         /**
1666          * Writes this object out to a stream (i.e., serializes it).
1667          *
1668          * @serialData If this is a private credential set,
1669          *      a security check is performed to ensure that
1670          *      the caller has permission to access each credential
1671          *      in the set.  If the security check passes,
1672          *      the set is serialized.
1673          *
1674          * @param  oos the {@code ObjectOutputStream} to which data is written
1675          * @throws IOException if an I/O error occurs
1676          */
1677         @java.io.Serial
1678         private void writeObject(java.io.ObjectOutputStream oos)
1679                 throws java.io.IOException {
1680 
1681             if (which == Subject.PRIV_CREDENTIAL_SET) {
1682                 // check permissions before serializing
1683                 Iterator<E> i = iterator();
1684                 while (i.hasNext()) {
1685                     i.next();
1686                 }
1687             }
1688             ObjectOutputStream.PutField fields = oos.putFields();
1689             fields.put("this$0", subject);
1690             fields.put("elements", elements);
1691             fields.put("which", which);
1692             oos.writeFields();
1693         }
1694 
1695         /**
1696          * Restores the state of this object from the stream.
1697          *
1698          * @param  ois the {@code ObjectInputStream} from which data is read
1699          * @throws IOException if an I/O error occurs
1700          * @throws ClassNotFoundException if a serialized class cannot be loaded
1701          */
1702         @SuppressWarnings("unchecked")
1703         @java.io.Serial
1704         private void readObject(ObjectInputStream ois)
1705             throws IOException, ClassNotFoundException
1706         {
1707             ObjectInputStream.GetField fields = ois.readFields();
1708             subject = (Subject) fields.get("this$0", null);
1709             which = fields.get("which", 0);
1710 
1711             LinkedList<E> tmp = (LinkedList<E>) fields.get("elements", null);
1712 
1713             elements = Subject.collectionNullClean(tmp);
1714         }
1715 
1716     }
1717 
1718     /**
1719      * This class implements a {@code Set} which returns only
1720      * members that are an instance of a specified Class.
1721      */
1722     private class ClassSet<T> extends AbstractSet<T> {
1723 
1724         private final int which;
1725         private final Class<T> c;
1726         private final Set<T> set;
1727 
1728         ClassSet(int which, Class<T> c) {
1729             this.which = which;
1730             this.c = c;
1731             set = new HashSet<>();
1732 
1733             switch (which) {
1734             case Subject.PRINCIPAL_SET:
1735                 synchronized(principals) { populateSet(); }
1736                 break;
1737             case Subject.PUB_CREDENTIAL_SET:
1738                 synchronized(pubCredentials) { populateSet(); }
1739                 break;
1740             default:
1741                 synchronized(privCredentials) { populateSet(); }
1742                 break;
1743             }
1744         }
1745 
1746         @SuppressWarnings({"removal","unchecked"})     /*To suppress warning from line 1374*/
1747         private void populateSet() {
1748             final Iterator<?> iterator;
1749             switch(which) {
1750             case Subject.PRINCIPAL_SET:
1751                 iterator = Subject.this.principals.iterator();
1752                 break;
1753             case Subject.PUB_CREDENTIAL_SET:
1754                 iterator = Subject.this.pubCredentials.iterator();
1755                 break;
1756             default:
1757                 iterator = Subject.this.privCredentials.iterator();
1758                 break;
1759             }
1760 
1761             // Check whether the caller has permission to get
1762             // credentials of Class c
1763 
1764             while (iterator.hasNext()) {
1765                 Object next;
1766                 if (which == Subject.PRIV_CREDENTIAL_SET) {
1767                     next = java.security.AccessController.doPrivileged
1768                         (new java.security.PrivilegedAction<>() {
1769                         public Object run() {
1770                             return iterator.next();
1771                         }
1772                     });
1773                 } else {
1774                     next = iterator.next();
1775                 }
1776                 if (c.isAssignableFrom(next.getClass())) {
1777                     if (which != Subject.PRIV_CREDENTIAL_SET) {
1778                         set.add((T)next);
1779                     } else {
1780                         // Check permission for private creds
1781                         SecurityManager sm = System.getSecurityManager();
1782                         if (sm != null) {
1783                             sm.checkPermission(new PrivateCredentialPermission
1784                                                 (next.getClass().getName(),
1785                                                 Subject.this.getPrincipals()));
1786                         }
1787                         set.add((T)next);
1788                     }
1789                 }
1790             }
1791         }
1792 
1793         @Override
1794         public int size() {
1795             return set.size();
1796         }
1797 
1798         @Override
1799         public Iterator<T> iterator() {
1800             return set.iterator();
1801         }
1802 
1803         @Override
1804         public boolean add(T o) {
1805 
1806             if (!c.isAssignableFrom(o.getClass())) {
1807                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
1808                         ("attempting.to.add.an.object.which.is.not.an.instance.of.class"));
1809                 Object[] source = {c.toString()};
1810                 throw new SecurityException(form.format(source));
1811             }
1812 
1813             return set.add(o);
1814         }
1815     }
1816 
1817     static final class AuthPermissionHolder {
1818         static final AuthPermission DO_AS_PERMISSION =
1819             new AuthPermission("doAs");
1820 
1821         static final AuthPermission DO_AS_PRIVILEGED_PERMISSION =
1822             new AuthPermission("doAsPrivileged");
1823 
1824         static final AuthPermission SET_READ_ONLY_PERMISSION =
1825             new AuthPermission("setReadOnly");
1826 
1827         static final AuthPermission GET_SUBJECT_PERMISSION =
1828             new AuthPermission("getSubject");
1829 
1830         static final AuthPermission MODIFY_PRINCIPALS_PERMISSION =
1831             new AuthPermission("modifyPrincipals");
1832 
1833         static final AuthPermission MODIFY_PUBLIC_CREDENTIALS_PERMISSION =
1834             new AuthPermission("modifyPublicCredentials");
1835 
1836         static final AuthPermission MODIFY_PRIVATE_CREDENTIALS_PERMISSION =
1837             new AuthPermission("modifyPrivateCredentials");
1838     }
1839 }