add privileged block in logout

[sameer-pandit]

Fixes #22243

    private void resetPolicyContext() {
       ((PolicyContextHandlerImpl)PolicyContextHandlerImpl.getInstance()).reset();
       PolicyContext.setContextID(null);
    }

The issue stacktrace catches permission issue PolicyContextHandlerImpl.getInstance(), but PolicyContext.setContextID() also need setPolicy permissions as per javadoc
which why the doPrivileged for whole resetPolicyContext().

[sameer-pandit]

@glassfishrobot Run CI tests please

[glassfishrobot]

Starting CI tests run

[wmhopkins]

@sameer-pandit ,

This fix looks good, but I wonder if the privileged block can be moved down into the resetPolicyContext() method? If that method is private and used only by other RealmAdapter methods, that's a better implementation. If the method is public and potentially called by external callers, then the current placement is better/safer. (Not at my desk, so can't look for myself.)

[glassfishrobot]

All CI tests successful

[wmhopkins]

@sameer-pandit,

I had a closer look at the code when I got back to my desk, and I think it would be better to put the PrivilegedAction inside the resetPolicyContext() method. That method is private, so it can only be called by other methods of the RealmAdapter class. Putting it inside resetPolicyContext() would benefit all callers; the current approach means each caller has to have its own PrivilegedAction block if it calls resetPolicyContext().

That said, logout() is currently the only caller, so there's no practical difference at the moment, and we need to get this submitted asap. Approved the PR.