RFR: 8281561: Disable http DIGEST mechanism with MD5 by default [v2]

Michael McMahon michaelm at openjdk.java.net
Thu Mar 10 10:51:41 UTC 2022


On Wed, 9 Mar 2022 14:23:24 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Michael McMahon has updated the pull request incrementally with two additional commits since the last revision:
>> 
>>  - update
>>  - update after first review round
>
> src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java line 99:
> 
>> 97:     // A net property which overrides the disabled set above.
>> 98:     private static final String enabledAlgPropName =
>> 99:         "http.auth.digest.enabledAlgorithms";
> 
> I'm not familiar with the practice of overriding a security property with a net property. Just FYI, in security libs, we often override a security property with a system property and we have a dedicated method for this at https://github.com/openjdk/jdk/blob/6765f902505fbdd02f25b599f942437cd805cad1/src/java.base/share/classes/sun/security/util/SecurityProperties.java#L46.

A net property can be a system property. But, it can also be specified in the net.properties file. We're using different names for the security and net property as the security property specifies algorithms to be disabled and the net property ones to be (re)enabled.

> src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java line 232:
> 
>> 230:                 ? StandardCharsets.UTF_8
>> 231:                 : StandardCharsets.ISO_8859_1;
>> 232:         }
> 
> Do you want to reject other values? According to the RFC, `utf-8` is the only valid one.

You mean reject the whole response as a protocol error? I guess we probably should do that.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7688
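The two points discussed in this message (a disabled-algorithm list from a security property that a net property can selectively re-enable, and a Digest challenge whose `charset` parameter is only valid as `UTF-8`) as an added, stand-alone example. This is illustrative code written for this page, not code from the pull request or from `DigestAuthentication.java`; the net property name is the one quoted above, while the security property name `DISABLED_SEC_PROP`, the challenge strings and the class name are assumptions.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.stream.Collectors;

public class DigestPolicyExample {

    // Net property name as quoted in the review; the security property name is a
    // placeholder chosen for this example and is NOT the JDK's actual property.
    static final String ENABLED_NET_PROP = "http.auth.digest.enabledAlgorithms";
    static final String DISABLED_SEC_PROP = "example.digest.disabledAlgorithms"; // assumption

    /** Split a comma-separated list into an upper-cased, order-preserving set. */
    static Set<String> parseList(String value) {
        if (value == null) return new LinkedHashSet<>();
        return Arrays.stream(value.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .map(s -> s.toUpperCase(Locale.ROOT))
                .collect(Collectors.toCollection(LinkedHashSet::new));
    }

    /** Effective disabled set: the security property's list minus what the net property re-enables. */
    static Set<String> effectiveDisabled(String securityValue, String netValue) {
        Set<String> disabled = parseList(securityValue);
        disabled.removeAll(parseList(netValue));
        return disabled;
    }

    /** Parse the parameters of a "Digest ..." challenge (keys lower-cased, quotes stripped). */
    static Map<String, String> parseChallenge(String header) {
        String prefix = "Digest ";
        if (!header.regionMatches(true, 0, prefix, 0, prefix.length()))
            throw new IllegalArgumentException("not a Digest challenge");
        Map<String, String> out = new LinkedHashMap<>();
        String s = header.substring(prefix.length());
        int i = 0, n = s.length();
        while (i < n) {
            while (i < n && (s.charAt(i) == ' ' || s.charAt(i) == ',')) i++;   // skip separators
            if (i >= n) break;
            int eq = s.indexOf('=', i);
            if (eq < 0) throw new IllegalArgumentException("malformed parameter near: " + s.substring(i));
            String key = s.substring(i, eq).trim().toLowerCase(Locale.ROOT);
            i = eq + 1;
            String value;
            if (i < n && s.charAt(i) == '"') {                                  // quoted-string value
                int close = s.indexOf('"', i + 1);
                if (close < 0) throw new IllegalArgumentException("unterminated quoted value for " + key);
                value = s.substring(i + 1, close);
                i = close + 1;
            } else {                                                            // token value
                int end = s.indexOf(',', i);
                if (end < 0) end = n;
                value = s.substring(i, end).trim();
                i = end;
            }
            out.put(key, value);
        }
        return out;
    }

    /** RFC 7616 only defines charset="UTF-8"; absent means ISO-8859-1, anything else is a protocol error. */
    static Charset charsetFor(Map<String, String> params) {
        String cs = params.get("charset");
        if (cs == null) return StandardCharsets.ISO_8859_1;
        if (cs.equalsIgnoreCase("UTF-8")) return StandardCharsets.UTF_8;
        throw new IllegalArgumentException("rejecting Digest challenge: unsupported charset " + cs);
    }

    /** Policy check on the hash named by the challenge; "-sess" variants share their base hash's policy. */
    static boolean algorithmAllowed(Map<String, String> params, Set<String> disabled) {
        String hash = params.getOrDefault("algorithm", "MD5").toUpperCase(Locale.ROOT); // MD5 is the RFC default
        if (hash.endsWith("-SESS")) hash = hash.substring(0, hash.length() - 5);
        return !disabled.contains(hash);
    }

    public static void main(String[] args) {
        // Constructed property values: MD5 disabled by policy, then re-enabled via the net property.
        Set<String> policyDefault = effectiveDisabled("MD5", null);
        Set<String> policyOverridden = effectiveDisabled("MD5", "md5");

        // Constructed challenges (not captured from any server).
        String md5Challenge  = "Digest realm=\"ex\", qop=\"auth\", nonce=\"n1\", algorithm=MD5-sess";
        String sha256Utf8    = "Digest realm=\"ex\", nonce=\"n2\", algorithm=SHA-256, charset=UTF-8";
        String badCharset    = "Digest realm=\"ex\", nonce=\"n3\", algorithm=SHA-256, charset=ISO-8859-1";

        Map<String, String> p1 = parseChallenge(md5Challenge);
        System.out.println("MD5-sess, default policy:   " + algorithmAllowed(p1, policyDefault));    // false
        System.out.println("MD5-sess, MD5 re-enabled:   " + algorithmAllowed(p1, policyOverridden)); // true

        Map<String, String> p2 = parseChallenge(sha256Utf8);
        System.out.println("SHA-256 charset:            " + charsetFor(p2));                         // UTF-8

        try {
            charsetFor(parseChallenge(badCharset));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected:                   " + e.getMessage());
        }
    }
}
```

The example treats an unknown `charset` the way the reply above suggests, by rejecting the whole challenge rather than silently falling back to ISO-8859-1; that keeps a server from steering the client into hashing credentials under an encoding the RFC never defined.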


More information about the net-dev mailing list