RFR: JDK-8243376: java.net.SocketPermission.implies(Permission p) spec is mismatching with implementation [v2]

Michael McMahon michaelm at openjdk.java.net
Mon Jan 11 15:06:58 UTC 2021 

On Wed, 6 Jan 2021 04:34:12 GMT, Jayashree S Kumar <github.com+31532647+jaysk1 at openjdk.org> wrote:

>> Issue
>> 
>> https://bugs.openjdk.java.net/browse/JDK-8243376
>> 
>> Problem
>> 
>> The scenario is: 
>> - Some specified target hostname resolves to two IP addresses (always the same address pair). 
>> - The DNS resolved order of the two ip addresses changes (a usual LoadBalancer type behavior). 
>> - The CNAME of the two ip addresses differ. 
>> 
>> In SocketPermission class(void getIP() method), it internally resolves and saves only the first IP address resolved, not all the IP addresses resolved. 
>> - Depending on when the implier/implied SocketPermission hostname is resolved, the resolved addresses order differs, and the internally saved IP address mismatches, resulting on SocketPermission#implies() false. 
>> 
>> 
>> Michael McMahon kindly reviewed and suggested changes: https://mail.openjdk.java.net/pipermail/net-dev/2020-May/014001.html
>
> Jayashree S Kumar has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Incorporated changes suggested by Vyom in testcase

Hi Jay,
Looking back to my original comment, I think I suggested that the fix should account for multiple cname values (one for each IP address in the addresses array). That is still my view. In other words, cname needs to be an array, the same length as addresses (except in the case where the permission was constructed using a wildcard - in that case it can continue as a single value, ie the array would have length 1).

Your solution here drops the caching aspect, and every time getCanonName() is called it will do the DNS reverse lookup which could slow things down a lot. Assuming that DNS always returns the same values but just in a different order, then it should be possible to cache all the canonical names and do a comparison across them all, without having to go back to DNS each time.

- Michael.

-------------

Changes requested by michaelm (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/1916

More information about the net-dev mailing list