Redundant check in java.security.BasicPermission.implies()

Sean Mullan sean.mullan at oracle.com
Mon Dec 2 19:35:40 UTC 2013


On 12/01/2013 08:08 PM, Tom Hawtin wrote:
> On 29/11/2013 20:29, Alex Yursha wrote:
>> The javadocs for the class java.security.BasicPermission say that the
>> naming convention for BasicPermission names follows the hierarchical
>> property naming convention with possible wildcards. AFAIU, *hierarchical
>> property naming convention* assumes that you specify either a simple
>> identifier like "user", or a sequence of dot-separated identifiers like
>> "user.group.id" - so what is the purpose for
>> names like "user." with a dot at the end? It seems like it contradicts
>> the documentation and has no purpose.
>
> As code, including configuration, outside the JDK may be relying upon
> the behaviour of BasicPermission, this would seem unlikely to change.

Yes, we need to be extremely careful about making any changes to the 
meaning of wildcards as this class has been in the JDK since 1.2.

In retrospect, the "*" syntax made the wildcard syntax more complicated. 
A name ending in '.' should have meant it was a wildcard. This would 
have avoided the corner case in implies and you could just use 
String.startsWith. But it is probably too risky to make that type of change.

> The documentation may get clarified.

I have filed a CR to clarify what a wildcard name means when it ends 
with a "." and to fix/improve the comments in the implies method.

https://bugs.openjdk.java.net/browse/JDK-8029416

> I cannot find any definition of "the hierarchical property naming
> convention". BasicPermission accepts any non-null non-empty name,
> including those with a trailing dot. If I had to invent a meaning of the
> trailing dot, I'd say it was superfluous, which matches the code.
>
> As usual with ad hoc text formats that have parsing spread around the
> code and no clear specification, they're a bit of a mess.

It's a minor clarification issue in my view. I think if we fixed the 
comment in implies and added an example specifying how names ending with 
'.' are handled, it would help.

Thanks,
Sean
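
Added example (not part of the original message and not JDK source): a small Java program that prints what BasicPermission.implies() returns for granted names with and without a trailing dot, next to a sketch of the simpler "trailing dot is the wildcard" rule described in the message. DemoPermission, jdkImplies and dotWildcardImplies are hypothetical names introduced here.

```java
import java.security.BasicPermission;

public class TrailingDotDemo {
    // BasicPermission is abstract and implies() requires both permissions to
    // be of the same class, so a minimal subclass (hypothetical) is used.
    static final class DemoPermission extends BasicPermission {
        private static final long serialVersionUID = 1L;
        DemoPermission(String name) { super(name); }
    }

    // Actual JDK behaviour: delegate to BasicPermission.implies().
    static boolean jdkImplies(String granted, String requested) {
        return new DemoPermission(granted).implies(new DemoPermission(requested));
    }

    // Sketch of the rule suggested in retrospect: a granted name ending in
    // '.' is itself the wildcard and matching is a plain String.startsWith;
    // any other name must match exactly. This is NOT how the JDK behaves,
    // and the sketch has no "*" syntax at all.
    static boolean dotWildcardImplies(String granted, String requested) {
        return granted.endsWith(".")
                ? requested.startsWith(granted)
                : requested.equals(granted);
    }

    public static void main(String[] args) {
        // Constructed sample names: {granted, requested}.
        String[][] cases = {
            {"user.*", "user.group.id"},
            {"user.*", "user"},
            {"user.*", "user."},          // the corner case in implies()
            {"user.",  "user.group.id"},
            {"user.",  "user."},
            {"user",   "user."},
        };
        System.out.printf("%-8s %-14s %-6s %s%n",
                "granted", "requested", "JDK", "dot-as-wildcard sketch");
        for (String[] c : cases) {
            System.out.printf("%-8s %-14s %-6b %b%n", c[0], c[1],
                    jdkImplies(c[0], c[1]), dotWildcardImplies(c[0], c[1]));
        }
    }
}
```

Rows where the two columns differ are the grants whose meaning would change under the simpler rule, which is the compatibility risk for existing policy files.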



