Redundant check in java.security.BasicPermission.implies()

[Alex Yursha]

Hi everyone, the summary of this issue is that it seems like
java.security.BasicPermission.implies() executes a useless check that
duplicates the functionality provided by java.lang.String.startsWith().

Below is a jdk7 code for java.security.BasicPermission.implies() method
with the lines of interest highlighted in bold:

public boolean implies(Permission p) {
        if ((p == null) || (p.getClass() != getClass()))
            return false;

        BasicPermission that = (BasicPermission) p;

        if (this.wildcard) {
            if (that.wildcard) {
                // one wildcard can imply another
                return that.path.startsWith(path);
            } else {
                *// make sure ap.path is longer so a.b.* doesn't imply a.b*
*                return (that.path.length() > this.path.length()) &&*
*                    that.path.startsWith(this.path);*
            }
        } else {
            if (that.wildcard) {
                // a non-wildcard can't imply a wildcard
                return false;
            }
            else {
                return this.path.equals(that.path);
            }
        }
    }

As the highlighted comment states, the length comparison check is performed
in order to prevent such cases where "a.b.*" would imply "a.b". But the
contract for java.lang.String.startsWith() is such that if the prefix
length is greater than the string length than that test will fail. So it
seems like java.security.BasicPermission.implies() tries to duplicate the
check that is performed by java.lang.String.startswith() out of the box.

Regards,
Alex Yursha
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20131129/362c13ab/attachment.htm>