diff --git a/ChangeLog.md b/ChangeLog.md
index 6de716416c..c9c0da4e7f 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -17,6 +17,19 @@ specific language governing permissions and limitations under the License. --> + +**2025-10-11 Juan Pablo Santos (abernal AT apache DOT org)** + +* _3.0.0-git-03_ + + * Security / API cleanup + * Remove the Security Manager–dependent Session#doPrivileged from jspwiki-api. + * Replace the only usage with Subject.doAsPrivileged in DefaultAuthorizationManager; behavior unchanged. + * Keep policy checks: global via AccessController, local via LocalPolicy. + * Rationale: Security Manager is deprecated/disabled on modern JDKs; simplify 3.0 before release. + * Migration: use Subject.doAs( session.getSubject(), action ) (or Subject.doAsPrivileged) in custom code. + + **2025-09-30 Juan Pablo Santos (juanpablo AT apache DOT org)** * _3.0.0-git-02_
diff --git a/jspwiki-api/src/main/java/org/apache/wiki/api/Release.java b/jspwiki-api/src/main/java/org/apache/wiki/api/Release.java
index aae8500613..49f26499d0 100644
--- a/jspwiki-api/src/main/java/org/apache/wiki/api/Release.java
+++ b/jspwiki-api/src/main/java/org/apache/wiki/api/Release.java
@@ -69,7 +69,7 @@ public final class Release { *

 * If the build identifier is empty, it is not added.
 */
- public static final String BUILD = "02";
+ public static final String BUILD = "03";
 
 /**
 * This is the generic version string you should use when printing out the version. It is of
diff --git a/jspwiki-api/src/main/java/org/apache/wiki/api/core/Session.java b/jspwiki-api/src/main/java/org/apache/wiki/api/core/Session.java
index 1a8eae6d59..7a8004a093 100644
--- a/jspwiki-api/src/main/java/org/apache/wiki/api/core/Session.java
+++ b/jspwiki-api/src/main/java/org/apache/wiki/api/core/Session.java
@@ -237,18 +237,4 @@ public interface Session extends WikiEventListener {
 */
 Subject getSubject();
 
- /**
- * Wrapper for {@link Subject#doAsPrivileged(Subject, PrivilegedAction, java.security.AccessControlContext)}
- * that executes an action with the privileges possessed by a Session's Subject. The action executes with a null
- AccessControlContext, which has the effect of running it "cleanly" without the AccessControlContexts of the caller.
- *
- * @param session the wiki session
- * @param action the privileged action
- * @return the result of the privileged action; may be null
- * @throws java.security.AccessControlException if the action is not permitted by the security policy
- */
- static Object doPrivileged( final Session session, final PrivilegedAction action ) throws AccessControlException {
- return Subject.doAsPrivileged( session.getSubject(), action, null );
- }
-
 }
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultAuthorizationManager.java b/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultAuthorizationManager.java
index 8fe4e84075..aa7e5ddf37 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultAuthorizationManager.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultAuthorizationManager.java
@@ -47,6 +47,7 @@ Licensed to the Apache Software Foundation (ASF) under one
 import org.freshcookies.security.policy.LocalPolicy;
 import jakarta.servlet.http.HttpServletResponse;
+import javax.security.auth.Subject;
 import java.io.File;
 import java.io.IOException;
 import java.net.URL;
@@ -310,7 +311,7 @@ public boolean allowedByLocalPolicy( final Principal[] principals, final Permiss
 /** {@inheritDoc} */
 @Override
 public boolean checkStaticPermission( final Session session, final Permission permission ) {
- return ( Boolean )Session.doPrivileged( session, ( PrivilegedAction< Boolean > )() -> {
+ return ( Boolean )Subject.doAsPrivileged( session.getSubject(), ( PrivilegedAction< Boolean > )() -> {
 try {
 // Check the JVM-wide security policy first
 AccessController.checkPermission( permission );
@@ -324,7 +325,7 @@ public boolean checkStaticPermission( final Session session, final Permission pe
 return Boolean.TRUE;
 }
 return Boolean.FALSE;
- } );
+ }, null );
 }
 
 /** {@inheritDoc} */
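Review bot: The `null` AccessControlContext now passed inline at `}, null );` is the one behavioural subtlety of this call — the action runs with only the Subject's privileges and discards the caller's context — and the Javadoc that explained it was deleted with Session#doPrivileged, so the call site should carry a comment such as `// null context: evaluate the check with only the Subject's privileges, not the caller's` above the `Subject.doAsPrivileged` line. Note also that `Subject.doAsPrivileged` and `AccessController` are themselves deprecated for removal on current JDKs (Subject.doAs/doAsPrivileged since 18, AccessController since 17), so this drops the jspwiki-api wrapper but not the dependence on Security-Manager-era APIs; if the build targets 17+, a method-scoped `@SuppressWarnings("removal")` on checkStaticPermission with a comment pointing to Subject.callAs as the eventual replacement would make that explicit. Whether the "JVM-wide" branch can still ever succeed on JDKs where the security manager is permanently disabled depends on how `AccessController.checkPermission` behaves there, which is worth confirming before relying on it. The body of checkStaticPermission between these two hunks is outside the diff.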