From 3c84fdebc4217f8095ee83c70f7280eaa21686ec Mon Sep 17 00:00:00 2001
From: Oleg Kalnichevski <olegk@apache.org>
Date: Wed, 22 Oct 2025 09:22:58 +0200
Subject: [PATCH] Removed AccessController#doPrivileged

---
 .../http/impl/async/H2AsyncClientBuilder.java  |  8 +-------
 .../impl/async/HttpAsyncClientBuilder.java     | 12 +++---------
 .../http/impl/classic/HttpClientBuilder.java   |  4 +---
 .../socket/PlainConnectionSocketFactory.java   | 18 +-----------------
 .../hc/client5/http/ssl/HttpsSupport.java      | 11 ++---------
 .../http/ssl/SSLConnectionSocketFactory.java   | 18 +-----------------
 6 files changed, 9 insertions(+), 62 deletions(-)

diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/H2AsyncClientBuilder.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/H2AsyncClientBuilder.java
index 8e6b02dd92..998442faa5 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/H2AsyncClientBuilder.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/H2AsyncClientBuilder.java
@@ -29,8 +29,6 @@
 
 import java.io.Closeable;
 import java.io.IOException;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.LinkedList;
@@ -754,7 +752,7 @@ public CloseableHttpAsyncClient build() {
         String userAgentCopy = this.userAgent;
         if (userAgentCopy == null) {
             if (systemProperties) {
-                userAgentCopy = getProperty("http.agent", null);
+                userAgentCopy = System.getProperty("http.agent", null);
             }
             if (userAgentCopy == null) {
                 userAgentCopy = VersionInfo.getSoftwareInfo("Apache-HttpAsyncClient",
@@ -981,10 +979,6 @@ public CloseableHttpAsyncClient build() {
                 closeablesCopy);
     }
 
-    private static String getProperty(final String key, final String defaultValue) {
-        return AccessController.doPrivileged((PrivilegedAction<String>) () -> System.getProperty(key, defaultValue));
-    }
-
     static class IdleConnectionEvictor implements Closeable {
 
         private final Thread thread;
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java
index b2f55bba79..e38576d8ed 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java
@@ -29,8 +29,6 @@
 
 import java.io.Closeable;
 import java.net.ProxySelector;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.LinkedHashMap;
@@ -1001,7 +999,7 @@ public CloseableHttpAsyncClient build() {
         String userAgentCopy = this.userAgent;
         if (userAgentCopy == null) {
             if (systemProperties) {
-                userAgentCopy = getProperty("http.agent", null);
+                userAgentCopy = System.getProperty("http.agent", null);
             }
             if (userAgentCopy == null) {
                 userAgentCopy = VersionInfo.getSoftwareInfo("Apache-HttpAsyncClient",
@@ -1121,7 +1119,7 @@ public CloseableHttpAsyncClient build() {
             } else if (this.proxySelector != null) {
                 routePlannerCopy = new SystemDefaultRoutePlanner(schemePortResolverCopy, this.proxySelector);
             } else if (systemProperties) {
-                final ProxySelector defaultProxySelector = AccessController.doPrivileged((PrivilegedAction<ProxySelector>) ProxySelector::getDefault);
+                final ProxySelector defaultProxySelector = ProxySelector.getDefault();
                 routePlannerCopy = new SystemDefaultRoutePlanner(schemePortResolverCopy, defaultProxySelector);
             } else {
                 routePlannerCopy = new DefaultRoutePlanner(schemePortResolverCopy);
@@ -1159,7 +1157,7 @@ public CloseableHttpAsyncClient build() {
         ConnectionReuseStrategy reuseStrategyCopy = this.reuseStrategy;
         if (reuseStrategyCopy == null) {
             if (systemProperties) {
-                final String s = getProperty("http.keepAlive", "true");
+                final String s = System.getProperty("http.keepAlive", "true");
                 if ("true".equalsIgnoreCase(s)) {
                     reuseStrategyCopy = DefaultClientConnectionReuseStrategy.INSTANCE;
                 } else {
@@ -1265,8 +1263,4 @@ public CloseableHttpAsyncClient build() {
                 closeablesCopy);
     }
 
-    private String getProperty(final String key, final String defaultValue) {
-        return AccessController.doPrivileged((PrivilegedAction<String>) () -> System.getProperty(key, defaultValue));
-    }
-
 }
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/HttpClientBuilder.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/HttpClientBuilder.java
index 0f8c811284..3fada22452 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/HttpClientBuilder.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/HttpClientBuilder.java
@@ -29,8 +29,6 @@
 
 import java.io.Closeable;
 import java.net.ProxySelector;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.LinkedHashMap;
@@ -1023,7 +1021,7 @@ public CloseableHttpClient build() {
             } else if (this.proxySelector != null) {
                 routePlannerCopy = new SystemDefaultRoutePlanner(schemePortResolverCopy, this.proxySelector);
             } else if (systemProperties) {
-                final ProxySelector defaultProxySelector = AccessController.doPrivileged((PrivilegedAction<ProxySelector>) ProxySelector::getDefault);
+                final ProxySelector defaultProxySelector = ProxySelector.getDefault();
                 routePlannerCopy = new SystemDefaultRoutePlanner(schemePortResolverCopy, defaultProxySelector);
             } else {
                 routePlannerCopy = new DefaultRoutePlanner(schemePortResolverCopy);
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/socket/PlainConnectionSocketFactory.java b/httpclient5/src/main/java/org/apache/hc/client5/http/socket/PlainConnectionSocketFactory.java
index e9a7721aeb..840a0c03ac 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/socket/PlainConnectionSocketFactory.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/socket/PlainConnectionSocketFactory.java
@@ -31,16 +31,12 @@
 import java.net.InetSocketAddress;
 import java.net.Proxy;
 import java.net.Socket;
-import java.security.AccessController;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
 
 import org.apache.hc.core5.annotation.Contract;
 import org.apache.hc.core5.annotation.ThreadingBehavior;
 import org.apache.hc.core5.http.HttpHost;
 import org.apache.hc.core5.http.protocol.HttpContext;
 import org.apache.hc.core5.io.Closer;
-import org.apache.hc.core5.util.Asserts;
 import org.apache.hc.core5.util.TimeValue;
 
 /**
@@ -92,19 +88,7 @@ public Socket connectSocket(
             sock.bind(localAddress);
         }
         try {
-            // Run this under a doPrivileged to support lib users that run under a SecurityManager this allows granting connect permissions
-            // only to this library
-            try {
-                AccessController.doPrivileged((PrivilegedExceptionAction<Object>) () -> {
-                    sock.connect(remoteAddress, TimeValue.isPositive(connectTimeout) ? connectTimeout.toMillisecondsIntBound() : 0);
-                    return null;
-                });
-            } catch (final PrivilegedActionException e) {
-                Asserts.check(e.getCause() instanceof IOException,
-                        "method contract violation only checked exceptions are wrapped: " + e.getCause());
-                // only checked exceptions are wrapped - error and RTExceptions are rethrown by doPrivileged
-                throw (IOException) e.getCause();
-            }
+            sock.connect(remoteAddress, TimeValue.isPositive(connectTimeout) ? connectTimeout.toMillisecondsIntBound() : 0);
         } catch (final IOException ex) {
             Closer.closeQuietly(sock);
             throw ex;
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/HttpsSupport.java b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/HttpsSupport.java
index 7791643ff5..910d345f58 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/HttpsSupport.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/HttpsSupport.java
@@ -27,9 +27,6 @@
 
 package org.apache.hc.client5.http.ssl;
 
-import java.security.AccessController;
-import java.security.PrivilegedAction;
-
 import javax.net.ssl.HostnameVerifier;
 
 import org.apache.hc.client5.http.psl.PublicSuffixMatcherLoader;
@@ -49,16 +46,12 @@ private static String[] split(final String s) {
         return s.split(" *, *");
     }
 
-    private static String getProperty(final String key) {
-        return AccessController.doPrivileged((PrivilegedAction<String>) () -> System.getProperty(key));
-    }
-
     public static String[] getSystemProtocols() {
-        return split(getProperty("https.protocols"));
+        return split(System.getProperty("https.protocols"));
     }
 
     public static String[] getSystemCipherSuits() {
-        return split(getProperty("https.cipherSuites"));
+        return split(System.getProperty("https.cipherSuites"));
     }
 
     public static HostnameVerifier getDefaultHostnameVerifier() {
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/SSLConnectionSocketFactory.java b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/SSLConnectionSocketFactory.java
index 118f3e81fe..a2ed392857 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/SSLConnectionSocketFactory.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/SSLConnectionSocketFactory.java
@@ -33,9 +33,6 @@
 import java.net.Proxy;
 import java.net.Socket;
 import java.net.SocketAddress;
-import java.security.AccessController;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
@@ -66,7 +63,6 @@
 import org.apache.hc.core5.ssl.SSLContexts;
 import org.apache.hc.core5.ssl.SSLInitializationException;
 import org.apache.hc.core5.util.Args;
-import org.apache.hc.core5.util.Asserts;
 import org.apache.hc.core5.util.TimeValue;
 import org.apache.hc.core5.util.Timeout;
 import org.slf4j.Logger;
@@ -279,19 +275,7 @@ protected void connectSocket(
         if (LOG.isDebugEnabled()) {
             LOG.debug("Connecting socket to {} with timeout {}", remoteAddress, connectTimeout);
         }
-        // Run this under a doPrivileged to support lib users that run under a SecurityManager this allows granting connect permissions
-        // only to this library
-        try {
-            AccessController.doPrivileged((PrivilegedExceptionAction<Object>) () -> {
-                sock.connect(remoteAddress, Timeout.defaultsToDisabled(connectTimeout).toMillisecondsIntBound());
-                return null;
-            });
-        } catch (final PrivilegedActionException e) {
-            Asserts.check(e.getCause() instanceof IOException,
-                    "method contract violation only checked exceptions are wrapped: " + e.getCause());
-            // only checked exceptions are wrapped - error and RTExceptions are rethrown by doPrivileged
-            throw (IOException) e.getCause();
-        }
+        sock.connect(remoteAddress, Timeout.defaultsToDisabled(connectTimeout).toMillisecondsIntBound());
     }
 
     @Override