RFR: 8015081

Xuelei Fan xuelei.fan at oracle.com
Tue Jun 24 15:51:35 UTC 2014

1. Why make the following update? removeAll() is a method of AbstractSet.

     private static class SecureSet<E>
-        extends AbstractSet<E>
-        implements java.io.Serializable {
+        implements Set<E>, java.io.Serializable {

2. Per Java coding conversions, please always use braces even for single
line conditional statement. For example:
1365     if (o == this)
1366          return true;
         if (o == this) {
             return true;

3. The implementation of SecureSet.equals() may not follow the spec of
equals() method.  See item 8 of "Effective Java".

1368     if (!(o instanceof Set))
1369         return false;


1368     if (!(o instanceof SecureSet))
1369         return false;

Or I think you can re-use the spec of AbstractSet.equals() if SecureSet
extends AbstractSet.

Otherwise, looks fine to me.


On 6/20/2014 9:11 AM, Jamil Nimeh wrote:
> Hello all,
> This revision for the fix for 8015081 has the following test changes:
> Removal of the static byte buffers for serialized data in lieu of a more
> dynamic approach.  A stripped down version of Subject in its own package
> is now being compiled alongside SubjectNullTests.java. This version of
> Subject allows the creation and serialization of Subjects with null
> elements in the principals SecureSet. Immediately following
> serialization, this special Subject's class designation is overwritten
> to be javax.security.auth.Subject.  When deserialization occurs, the
> correct (JDK 9) version of Subject will be used and null element checks
> will take place.
> Thanks go to Weijun Wang for this testing approach.
> http://cr.openjdk.java.net/~weijun/8015081/webrev.07
> --Jamil

More information about the security-dev mailing list