6995424 Code Review Request
Sean Mullan
sean.mullan at oracle.com
Wed Nov 17 20:41:01 UTC 2010

On 11/17/2010 02:34 PM, Mandy Chung wrote:
> Hi Sean,
>
> On 11/16/10 5:56 AM, Sean Mullan wrote:
>> http://cr.openjdk.java.net/~mullan/6995424/webrev.00/
>>
>
> Policy.java:
> I was initially confused with the meaning of 'compatPolicy'. I thought
> that when 'compatPolicy' is set to true, it means that the deprecated
> javax.security.auth.Policy class or the legacy
> com.sun.security.auth.PolicyFile is used for backward compatibility
> support. It turns out that it's the reverse as it's set in lines 241 and
> 295. Should it be renamed to 'useStandardPolicy' to make it clear?

I agree it is confusing but since that was the prior name I left it
alone. What we are trying to find out is if the application is using a
*custom* (one they wrote themselves and not
com.sun.security.auth.PolicyFile) JAAS policy provider.

The flag essentially means: "if true, provide backwards compatibility
for a deprecated, custom JAAS policy provider".

I am open to changing the name but didn't feel that it was strictly
necessary because I am not changing the meaning of it.

> However, in line 273, javax.security.auth.Policy.setPolicy sets
> compatPolicy to true. Is the given Policy object a
> javax.security.auth.Policy object? Should it set it to false?

No, if someone invokes Policy.setPolicy then they are using a custom
JAAS policy provider.

> Probably I'm missing something here:
>
> 276 // maintain backwards compatibility for people who provide
> 277 // their own javax.security.auth.Policy implementations
>
>
> It would help if some comments are added to explain further.

Ok, let me add some comments and send another webrev.

--Sean