RFR: 8281561: Disable http DIGEST mechanism with MD5 by default [v3]
Daniel Fuchs
dfuchs at openjdk.java.net
Tue Mar 15 13:06:49 UTC 2022
On Tue, 15 Mar 2022 10:24:43 GMT, Michael McMahon <michaelm at openjdk.org> wrote:
>> src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java line 102:
>>
>>> 100: propPrefix + "reEnabledAlgorithms";
>>> 101:
>>> 102: private static final Set<String> disabledAlgorithms = new HashSet<>();
>>
>> It would be much better if this was an immutable set to make it MT-safe. You could set the value in the static block below using Set.copyOf().
>
> The Set is private to the class and is not modified after the static initializer completes. It's not clear to me how using Set.copyOf provides stronger MT-safe guarantees than this.
Better safe than sorry. An alternative could be to use ConcurrentHashMap.newKeySet(). But since it's supposed to be both immutable and MT-safe, Set.copyOf() would probably be a lighter and better choice.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7688
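
The pattern discussed in this thread, as an added example that is not code from the pull request or the JDK: a mutable set is filled inside the static initializer and then published once through `Set.copyOf()`. The class name, the sample algorithm lists, and the rule that re-enabled names are subtracted from the disabled ones are assumptions made for illustration.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DisabledAlgorithmsExample {
    // Constructed sample values standing in for configuration input (assumption).
    private static final String DISABLED = "MD5, MD5-sess, SHA-1";
    private static final String RE_ENABLED = "sha-1";

    // Assigned exactly once; the referenced set is unmodifiable.
    private static final Set<String> disabledAlgorithms;

    static {
        // The mutable working set never escapes the initializer.
        Set<String> work = parse(DISABLED);
        work.removeAll(parse(RE_ENABLED));
        // Unmodifiable snapshot: later changes to 'work' cannot leak through,
        // and any attempt to modify the published set throws.
        disabledAlgorithms = Set.copyOf(work);
    }

    // Splits a comma-separated list into normalized (upper-case) names.
    static Set<String> parse(String list) {
        Set<String> out = new HashSet<>();
        for (String s : list.split(",")) {
            String name = s.trim().toUpperCase(Locale.ROOT);
            if (!name.isEmpty()) {
                out.add(name);
            }
        }
        return out;
    }

    static boolean isDisabled(String algorithm) {
        return disabledAlgorithms.contains(algorithm.toUpperCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        System.out.println("md5 disabled:   " + isDisabled("md5"));
        System.out.println("SHA-1 disabled: " + isDisabled("SHA-1"));
        try {
            disabledAlgorithms.add("SHA-256"); // accidental mutation is rejected
        } catch (UnsupportedOperationException e) {
            System.out.println("modification rejected");
        }
    }
}
```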