RFR: 8348986: Improve coverage of enhanced exception messages [v10]
Daniel Fuchs
dfuchs at openjdk.org
Mon May 19 11:09:00 UTC 2025
On Fri, 16 May 2025 11:42:08 GMT, Michael McMahon <michaelm at openjdk.org> wrote:
>> Hi,
>>
>> Enhanced exception messages are designed to hide sensitive information such as hostnames, IP
>> addresses from exception message strings, unless the enhanced mode for the specific category
>> has been explicitly enabled. Enhanced exceptions were first introduced in 8204233 in JDK 11 and
>> updated in 8207846.
>>
>> This PR aims to increase the coverage of enhanced exception messages in the networking code.
>> A limited number of exceptions are already hidden (restricted) by default. The new categories and
>> exceptions in this PR will be restricted on an opt-in basis, ie. the default mode will be enhanced
>> (while preserving the existing behavior).
>>
>> The mechanism is controlled by the security/system property "jdk.includeInExceptions" which takes as value
>> a comma separated list of category names, which identify groups of exceptions where the exception
>> message may be enhanced. Any category not listed is "restricted" which means that potentially
>> sensitive information (such as hostnames, IP addresses, user identities) are excluded from the message text.
>>
>> The changes to the java.security conf file describe the exact changes in terms of the categories now
>> supported and any changes in behavior.
>>
>> Thanks,
>> Michael
>
> Michael McMahon has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 26 commits:
>
> - reduced number of new categories
> - Merge branch 'master' into 8348986-exceptions
> - Merge branch 'master' into 8348986-exceptions
> - Merge branch 'master' into 8348986-exceptions
> - Merge branch 'master' into 8348986-exceptions
> - Review update
> - review update
> - Merge branch 'master' into 8348986-exceptions
> - update to minimise code changes
> - Merge branch 'master' into 8348986-exceptions
> - ... and 16 more: https://git.openjdk.org/jdk/compare/64a858c7...3b7861b0
src/java.base/share/classes/jdk/internal/util/Exceptions.java line 78:
> 76: * controlled. Consider using a unique value for the
> 77: * SecurityProperties.includedInExceptions(String value) mechanism
> 78: * Current values defined are "socket", "jar", "userInfo"
If I am not mistaken the "socket" info is no longer here.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/23929#discussion_r2095457460
More information about the core-libs-dev
mailing list