RFR: 8315487: Security Providers Filter [v13]
Xue-Lei Andrew Fan
xuelei at openjdk.org
Sun Dec 15 09:17:38 UTC 2024
On Sun, 15 Dec 2024 07:18:02 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:
> It's only the combination of a Provider that overrides getService/getServices + does not call putService/put + overrides newInstance without calling its parent + uses a non-Java SE service type that would be unfiltered.
FYI, Java SE service type class is not a final class normally. It means applications can override it, and thus can break the filter boundary. Github search implies a few cases that override Signature, [here is one](https://github.com/cping/RipplePower/blob/4bdfd7ddca69e2cfb2c33852379844880cfe2a2a/eclipse/jcoinlibs/src/net/i2p/crypto/eddsa/EdDSAEngine.java) with public constructor and get used. Developers can make more surprises even Java API specification are strictly followed.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/15539#issuecomment-2543613444
More information about the core-libs-dev
mailing list