Bug 37672462 - [37669753->25.03] DefaultController and AuditingAuthor…

…izer classes do not properly print Subject principal names

(merge main -> ce/main 114781)

[git-p4: depot-paths = "//dev/coherence-ce/main/": change = 114782]

prj/coherence-core/src/main/java/com/tangosol/net/security/AuditingAuthorizer.java

@@ -1,8 +1,8 @@
 /*
- * Copyright (c) 2000, 2020, Oracle and/or its affiliates.
+ * Copyright (c) 2000, 2025, Oracle and/or its affiliates.
  *
  * Licensed under the Universal Permissive License v 1.0 as shown at
- * http://oss.oracle.com/licenses/upl.
+ * https://oss.oracle.com/licenses/upl.
  */
 package com.tangosol.net.security;
 
@@ -13,13 +13,17 @@
 import com.tangosol.util.BinaryEntry;
 
 import javax.security.auth.Subject;
+import java.security.Principal;
+
+import java.util.stream.Collectors;
 
 /**
  * Simple StorageAccessAuthorizer implementation that logs the authorization
  * requests and allows operations to proceed.
  *
  * @author gg 2014.09.25
  */
+@SuppressWarnings("rawtypes")
 public class AuditingAuthorizer
         implements StorageAccessAuthorizer
     {
@@ -108,7 +112,7 @@ protected void logEntryRequest(BinaryEntry entry, Subject subject, boolean fWrit
             + entry.getKey()
             + (subject == null ?
                 "\" from unidentified user" :
-                "\" on behalf of " + subject.getPrincipals())
+                "\" on behalf of " + getPrincipalNames(subject))
             + " caused by \"" + StorageAccessAuthorizer.reasonToString(nReason) + "\"");
         }
 
@@ -126,10 +130,22 @@ protected void logMapRequest(BackingMapContext context, Subject subject, boolean
             + context.getCacheName() + '"'
             + (subject == null ?
                 " from unidentified user" :
-                " on behalf of " + subject.getPrincipals())
+                " on behalf of " + getPrincipalNames(subject))
             + " caused by \"" + StorageAccessAuthorizer.reasonToString(nReason) + "\"");
         }
 
+    /**
+     * Return a string containing a comma-delimited list of the principal names
+     * contained in the {@link Subject}.
+     *
+     * @param subject  the {@link Subject} to get the principal names from
+     *
+     * @return the names of the principals
+     */
+    protected String getPrincipalNames(Subject subject)
+        {
+        return subject.getPrincipals().stream().map(Principal::getName).collect(Collectors.joining(","));
+        }
 
     // ----- data fields -----------------------------------------------------
 

prj/coherence-core/src/main/java/com/tangosol/net/security/DefaultController.java

@@ -1,8 +1,8 @@
 /*
- * Copyright (c) 2000, 2022, Oracle and/or its affiliates.
+ * Copyright (c) 2000, 2025, Oracle and/or its affiliates.
  *
  * Licensed under the Universal Permissive License v 1.0 as shown at
- * http://oss.oracle.com/licenses/upl.
+ * https://oss.oracle.com/licenses/upl.
  */
 
 package com.tangosol.net.security;
@@ -37,7 +37,6 @@
 
 import java.net.URL;
 
-import java.security.AccessControlException;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
 import java.security.Permissions;
@@ -57,6 +56,8 @@
 import java.util.Map;
 import java.util.Set;
 
+import java.util.stream.Collectors;
+
 import javax.security.auth.Subject;
 
 import javax.security.auth.login.LoginContext;
@@ -89,11 +90,11 @@ public final class DefaultController
     * @param fileKeyStore the key store
     * @param filePermits  the permissions file
     *
-    * @throws IOException             if an I/O error occurs
-    * @throws AccessControlException  if an access control error occurs
+    * @throws IOException          if an I/O error occurs
+    * @throws PermissionException  if an access control error occurs
     */
     public DefaultController(File fileKeyStore, File filePermits)
-            throws IOException, AccessControlException
+            throws IOException
         {
         this(fileKeyStore, filePermits, false);
         }
@@ -106,11 +107,11 @@ public DefaultController(File fileKeyStore, File filePermits)
     * @param filePermits  the permissions file
     * @param fAudit       the audit flag; if true, log all the access requests
     *
-    * @throws IOException             if an I/O error occurs
-    * @throws AccessControlException  if an access control error occurs
+    * @throws IOException          if an I/O error occurs
+    * @throws PermissionException  if an access control error occurs
     */
     public DefaultController(File fileKeyStore, File filePermits, boolean fAudit)
-            throws IOException, AccessControlException
+            throws IOException
         {
         this(fileKeyStore, filePermits, fAudit, (char[]) null);
         }
@@ -125,13 +126,13 @@ public DefaultController(File fileKeyStore, File filePermits, boolean fAudit)
      * @param fAudit       the audit flag; if true, log all the access requests
      * @param pwdProvider  the key store password provider
      *
-     * @throws IOException             if an I/O error occurs
-     * @throws AccessControlException  if an access control error occurs
+     * @throws IOException          if an I/O error occurs
+     * @throws PermissionException  if an access control error occurs
      *
      * @since 12.2.1.4.13
      */
     public DefaultController(File fileKeyStore, File filePermits, boolean fAudit, PasswordProvider pwdProvider)
-            throws IOException, AccessControlException
+            throws IOException
         {
         this(fileKeyStore, filePermits, fAudit, pwdProvider.get());
         }
@@ -145,19 +146,19 @@ public DefaultController(File fileKeyStore, File filePermits, boolean fAudit, Pa
     * @param fAudit       the audit flag; if true, log all the access requests
     * @param sPwd         the key store password
     *
-    * @throws IOException             if an I/O error occurs
-    * @throws AccessControlException  if an access control error occurs
+    * @throws IOException          if an I/O error occurs
+    * @throws PermissionException  if an access control error occurs
     *
     * @since 12.2.1.4.0
     */
     public DefaultController(File fileKeyStore, File filePermits, boolean fAudit, String sPwd)
-            throws IOException, AccessControlException
+            throws IOException
         {
         this(fileKeyStore, filePermits, fAudit, (sPwd == null || sPwd.isEmpty()) ? null : sPwd.toCharArray());
         }
 
     private DefaultController(File fileKeyStore, File filePermits, boolean fAudit, char[] pwdArray)
-            throws IOException, AccessControlException
+            throws IOException
         {
         azzert(fileKeyStore != null && filePermits  != null, "Null files");
 
@@ -218,14 +219,14 @@ private DefaultController(File fileKeyStore, File filePermits, boolean fAudit, c
     * Subject (requestor).
     * <p>
     * This method quietly returns if the access request is permitted,
-    * or throws a suitable AccessControlException if the specified
+    * or throws a suitable PermissionException if the specified
     * authentication is invalid or insufficient.
     *
     * @param permission  the permission object that represents access
     *                    to a clustered resource
     * @param subject     the Subject object representing the requestor
     *
-    * @throws AccessControlException if the specified permission
+    * @throws PermissionException if the specified permission
     *         is not permitted, based on the current security policy
     */
     public void checkPermission(ClusterPermission permission, Subject subject)
@@ -258,7 +259,7 @@ public void checkPermission(ClusterPermission permission, Subject subject)
             logPermissionRequest(permission, subject, false);
             }
 
-        throw new AccessControlException(
+        throw new PermissionException(
             "Insufficient rights to perform the operation", permission);
         }
 
@@ -632,7 +633,7 @@ protected void logPermissionRequest(
         {
         Logger.info((fAllowed ? "Allowed" : "Denied")
             + " request for " + permission + " on behalf of "
-            + subject.getPrincipals());
+            + subject.getPrincipals().stream().map(Principal::getName).collect(Collectors.joining(",")));
         }
 
 

prj/coherence-core/src/main/java/com/tangosol/net/security/PermissionException.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2000, 2025, Oracle and/or its affiliates.
+ *
+ * Licensed under the Universal Permissive License v 1.0 as shown at
+ * https://oss.oracle.com/licenses/upl.
+ */
+
+package com.tangosol.net.security;
+
+import java.security.Permission;
+
+public class PermissionException
+        extends SecurityException
+    {
+    @java.io.Serial
+    private static final long serialVersionUID = 5138225684096988535L;
+    /**
+     * The permission that caused the exception to be thrown.
+     */
+    private Permission perm;
+
+    /**
+     * Constructs an {@code AccessControlException} with the
+     * specified, detailed message.
+     *
+     * @param s the detail message.
+     */
+    public PermissionException(String s)
+        {
+        super(s);
+        }
+
+
+    /**
+     * Constructs an {@code AccessControlException} with the
+     * specified, detailed message, and the requested permission that caused
+     * the exception.
+     *
+     * @param s the detail message.
+     * @param p the permission that caused the exception.
+     */
+    public PermissionException(String s, Permission p)
+        {
+        super(s);
+        perm = p;
+        }
+
+    /**
+     * Gets the {@code Permission} object associated with this exception, or
+     * {@code null} if there was no corresponding {@code Permission} object.
+     *
+     * @return the Permission object.
+     */
+    public Permission getPermission()
+        {
+        return perm;
+        }
+    }