eclipse-openj9 · pshipton · Sep 12, 2022 · Mar 31, 2022
diff --git a/jcl/src/java.base/share/classes/java/security/AccessController.java b/jcl/src/java.base/share/classes/java/security/AccessController.java
@@ -1,4 +1,4 @@
-/*[INCLUDE-IF Sidecar18-SE]*/
+/*[INCLUDE-IF JAVA_SPEC_VERSION >= 8]*/
 /*******************************************************************************
  * Copyright (c) 1998, 2022 IBM Corp. and others
  *
@@ -832,7 +832,7 @@ public static <T> T doPrivileged (PrivilegedExceptionAction<T> action, AccessCon
  */
 @CallerSensitive
 public static <T> T doPrivilegedWithCombiner(PrivilegedAction<T> action) {
-	return doPrivileged(action, getContextHelper(true));
+	return doPrivileged(action, doPrivilegedWithCombinerHelper(null));
 }
 
 /**
@@ -859,7 +859,7 @@ public static <T> T doPrivilegedWithCombiner(PrivilegedAction<T> action) {
 public static <T> T doPrivilegedWithCombiner(PrivilegedExceptionAction<T> action)
 	throws PrivilegedActionException
 {
-	return doPrivileged(action, getContextHelper(true));
+	return doPrivileged(action, doPrivilegedWithCombinerHelper(null));
 }
 
 /**
@@ -938,15 +938,7 @@ public static <T> T doPrivilegedWithCombiner(PrivilegedAction<T> action,
 		AccessControlContext context, Permission... perms)
 {
 	checkPermsNPE(perms);
-	ProtectionDomain domain = getCallerPD(1);
-	ProtectionDomain[] pdArray = (domain == null) ? null : new ProtectionDomain[] { domain };
-	AccessControlContext fixedContext = new AccessControlContext(context, pdArray, getNewAuthorizedState(context, domain));
-	if (null == context) {
-		AccessControlContext parentContext = getContextHelper(true);
-		fixedContext.domainCombiner = parentContext.domainCombiner;
-		fixedContext.nextStackAcc = parentContext;
-	}
-	return doPrivileged(action, fixedContext, perms);
+	return doPrivileged(action, doPrivilegedWithCombinerHelper(context), perms);
 }
 
 /**
@@ -1021,15 +1013,27 @@ public static <T> T doPrivilegedWithCombiner(PrivilegedExceptionAction<T> action
 	throws PrivilegedActionException
 {
 	checkPermsNPE(perms);
-	ProtectionDomain domain = getCallerPD(1);
+	return doPrivileged(action, doPrivilegedWithCombinerHelper(context), perms);
+}
+
+/**
+ * Helper method to construct an AccessControlContext for doPrivilegedWithCombiner methods.
+ *
+ * @param   context an AccessControlContext, if it is null, use getContextHelper() to construct a context.
+ *
+ * @return  An AccessControlContext to be applied to the doPrivileged(action, context, perms).
+ */
+@CallerSensitive
+private static AccessControlContext doPrivilegedWithCombinerHelper(AccessControlContext context) {
+	ProtectionDomain domain = getCallerPD(2);
 	ProtectionDomain[] pdArray = (domain == null) ? null : new ProtectionDomain[] { domain };
 	AccessControlContext fixedContext = new AccessControlContext(context, pdArray, getNewAuthorizedState(context, domain));
-	if (null == context) {
+	if (context == null) {
 		AccessControlContext parentContext = getContextHelper(true);
 		fixedContext.domainCombiner = parentContext.domainCombiner;
 		fixedContext.nextStackAcc = parentContext;
 	}
-	return doPrivileged(action, fixedContext, perms);
+	return fixedContext;
 }
 
 }
diff --git a/test/functional/Java8andUp/src/org/openj9/test/java/security/Test_AccessController.java b/test/functional/Java8andUp/src/org/openj9/test/java/security/Test_AccessController.java
@@ -1,7 +1,7 @@
 package org.openj9.test.java.security;
 
 /*******************************************************************************
- * Copyright (c) 1998, 2020 IBM Corp. and others
+ * Copyright (c) 1998, 2022 IBM Corp. and others
  *
  * This program and the accompanying materials are made available under
  * the terms of the Eclipse Public License 2.0 which accompanies this
@@ -255,27 +255,21 @@ public Boolean run() {
 					return AccessController.doPrivilegedWithCombiner(new PrivilegedAction<Boolean>() {
 						public Boolean run() {
 							try {
-								try {
-									AccessControlContext accNoMH = AccessController.getContext();
-									AccessControlContext accViaMH = (AccessControlContext)MethodHandles.lookup()
-											.findStatic(AccessController.class, "getContext",
-													MethodType.methodType(AccessControlContext.class))
-											.invoke();
-									if (!accNoMH.equals(accViaMH)) {
-										logger.error("AccessControlContext returned from AccessController.getContext() should be equal w/o MethodHandles.");
-										return false;
-									}
-								} catch (Throwable e) {
-									logger.error("FAIL: unexpected exception." + e);
+								AccessControlContext accNoMH = AccessController.getContext();
+								AccessControlContext accViaMH = (AccessControlContext)MethodHandles.lookup()
+										.findStatic(AccessController.class, "getContext",
+												MethodType.methodType(AccessControlContext.class))
+										.invoke();
+								if (!accNoMH.equals(accViaMH)) {
+									logger.error("AccessControlContext returned from AccessController.getContext() should be equal w/o MethodHandles.");
 									return false;
 								}
-
-								AccessController.checkPermission(READ_PROP_USER_DIR);
-								logger.error("FAILED: checkPermission should NOT succeed!");
+							} catch (Throwable e) {
+								logger.error("FAIL: unexpected exception." + e);
 								return false;
-							} catch (AccessControlException ace) {
-								logger.debug(PASSED_ACCESS_CONTROL_EXCEPTION_EXPECTED);
 							}
+							// The action is performed according to the caller's protection domain, not the upper doPrivileged AccessControlContext.
+							AccessController.checkPermission(READ_PROP_USER_DIR);
 							return true;
 						}
 					});