RFR: JDK-8057784 - Get rid of the ActionFactory dependencies on the permission classes
Sergey Nazarkin
sergey.nazarkin at oracle.com
Tue Sep  9 14:26:04 UTC 2014

Agree with Jen. The new implementation is vulnerable to security 
attacks since everybody can substitute ActionFactory fields.
/Sergey
09.09.2014 18:11, Jen Dority wrote:
> Hi Alexey,
>
> I'm concerned about the change to public for the static fields in 
> ActionFactory. Wouldn't the original implementation be better from a 
> secure-coding perspective?
>
> Jen
>
> On 9/9/2014 9:41 AM, alexey mironov wrote:
>> issue: https://bugs.openjdk.java.net/browse/JDK-8057784/
>>
>> webrev: http://cr.openjdk.java.net/~alkonsta/8057784.2/
>>
>> Hi Riaz,
>>
>> I initialize the *Permission fields from the static initializer. 
>> Here is a new webrev.
>>
>> Regards,
>> Alexey
>>
>>
>> On 08.09.2014 19:18, Riaz A Aimandi wrote:
>>> Hi Alexey,
>>>
>>> These changes look fine but just one quick question.
>>> Is it possible to initialize these *Permission fields from the 
>>> static initializer of the corresponding Permission classes, where 
>>> you are already initializing action string constants? If not, 
>>> could you mark these *Permission fields as private?
>>>
>>> Thanks,
>>>
>>> - riaz
>>>
>>> On Sep 8, 2014, at 11:08 AM, alexey mironov 
>>> <alexey.mironov at oracle.com> wrote:
>>>
>>>> issue: https://bugs.openjdk.java.net/browse/JDK-8057784
>>>> webrev: http://cr.openjdk.java.net/~alkonsta/8057784.1/
>>>>
>>>> Hi All,
>>>> Sorry, forgot issue link.
>>>>
>>>> Regards,
>>>> Alexey
>>>>
>>>> On 08.09.2014 18:43, alexey mironov wrote:
>>>>> issue: JDK-8057784 Get rid of the ActionFactory dependencies on 
>>>>> the permission classes
>>>>> webrev: http://cr.openjdk.java.net/~alkonsta/8057784.1/
>>>>>
>>>>> Hi All,
>>>>>
>>>>> Please review the changes made in order to build without some 
>>>>> packages (atcmd, gpio, ...) that use ActionFactory for permission 
>>>>> check.
>>>>>
>>>>> Regards,
>>>>> Alexey
>>
>
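The concern raised in this thread, shown as an added example that is not part of the original messages or of the DIO code: a public, non-final static field that holds a permission check can be reassigned by any class, while a private set-once field cannot be replaced after initialization. All class, field and method names below are hypothetical.

```java
import java.util.function.Predicate;

// Constructed demo; class and field names are hypothetical, not DIO source.
public class StaticFieldDemo {

    // Weak form: a public, non-final static field holds the permission check.
    static class WeakFactory {
        public static Predicate<String> gpioCheck;
        static boolean allowed(String action) { return gpioCheck.test(action); }
    }

    // Hardened form: private field, assigned once through a guarded method.
    // Set-once does not authenticate the first caller; it only stops later
    // substitution, so registration must happen during trusted initialization.
    static class HardenedFactory {
        private static Predicate<String> gpioCheck;
        static synchronized void register(Predicate<String> check) {
            if (check == null) throw new NullPointerException("check");
            if (gpioCheck != null) throw new IllegalStateException("already registered");
            gpioCheck = check;
        }
        static synchronized boolean allowed(String action) {
            if (gpioCheck == null) throw new IllegalStateException("no check registered");
            return gpioCheck.test(action);
        }
    }

    public static void main(String[] args) {
        Predicate<String> policy = action -> action.equals("read");

        // Trusted initialization installs the policy in both factories.
        WeakFactory.gpioCheck = policy;
        HardenedFactory.register(policy);
        System.out.println("weak, before:  write allowed = " + WeakFactory.allowed("write"));

        // Any other class on the classpath can do this to the weak form.
        WeakFactory.gpioCheck = action -> true;
        System.out.println("weak, after:   write allowed = " + WeakFactory.allowed("write"));

        // The same attempt against the hardened form is rejected.
        try {
            HardenedFactory.register(action -> true);
        } catch (IllegalStateException e) {
            System.out.println("hardened: replacement rejected (" + e.getMessage() + ")");
        }
        System.out.println("hardened:      write allowed = " + HardenedFactory.allowed("write"));
    }
}
```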