RFR: JDK-8057784 - Get rid of the ActionFactory dependencies on the permission classes

alexey mironov alexey.mironov at oracle.com
Thu Sep 25 13:43:31 UTC 2014 

issue: https://bugs.openjdk.java.net/browse/JDK-8057784/

webrev: http://cr.openjdk.java.net/~alkonsta/8057784.3/

Please review the changes made in order to build without some packages 
(atcmd, gpio, ...) that use ActionFactory for permission check.
All fields are private now.

Regards,
Alexey
On 09.09.2014 19:12, Riaz A Aimandi wrote:
> Yes, I didn’t notice that the scope of fields expanded from package-protected to public.
> Please go back to your original and just mark those fields as private.
>
> Thanks,
>
> - riaz
>
> On Sep 9, 2014, at 10:26 AM, Sergey Nazarkin <sergey.nazarkin at oracle.com> wrote:
>
>> Agree with Jen. New implementation is vulnerable against security attacks since every body can substitute ActionFactory fields.
>>
>> /Sergey
>>
>> 09.09.2014 18:11, Jen Dority пишет:
>>> Hi Alexey,
>>>
>>> I'm concerned about the change to public for the static fields in ActionFactory. Wouldn't the original implementation be better from a secure-coding perspective?
>>>
>>> Jen
>>>
>>> On 9/9/2014 9:41 AM, alexey mironov wrote:
>>>> issue: https://bugs.openjdk.java.net/browse/JDK-8057784/
>>>>
>>>> webrev: http://cr.openjdk.java.net/~alkonsta/8057784.2/
>>>>
>>>> Hi Riaz,
>>>>
>>>> I make initialization *Permission fields from the static initializer. Here is a new webrev.
>>>>
>>>> Regards,
>>>> Alexey
>>>>
>>>>
>>>> On 08.09.2014 19:18, Riaz A Aimandi wrote:
>>>>> Hi Alexey,
>>>>>
>>>>> These changes look fine but just one quick question.
>>>>> Is it possible to initialize these *Permission fields from the static initializer of the corresponding Permission classes, where you are already initializing action strings constants ? If not, could you mark these *Permission fields as private ?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> - riaz
>>>>>
>>>>> On Sep 8, 2014, at 11:08 AM, alexey mironov <alexey.mironov at oracle.com> wrote:
>>>>>
>>>>>> issue: https://bugs.openjdk.java.net/browse/JDK-8057784
>>>>>> webrev: http://cr.openjdk.java.net/~alkonsta/8057784.1/
>>>>>>
>>>>>> Hi All,
>>>>>> Sorry, forgot issue link.
>>>>>>
>>>>>> Regards,
>>>>>> Alexey
>>>>>>
>>>>>> On 08.09.2014 18:43, alexey mironov wrote:
>>>>>>> issue: JDK-8057784 Get rid of the ActionFactory dependencies on the permission classes
>>>>>>> webrev: http://cr.openjdk.java.net/~alkonsta/8057784.1/
>>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> Please review the changes made in order to build without some packages (atcmd, gpio, ...) that use ActionFactory for permission check.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Alexey

More information about the dio-dev mailing list