RFR: 8151893: Add security property to configure XML Signature secure validation mode
Xuelei Fan
xuelei.fan at oracle.com
Thu Aug 25 13:47:58 UTC 2016
>> http://cr.openjdk.java.net/~mullan/webrevs/8151893/webrev.01/
Looks fine to me except the following minor comment.
java.security
-------------
818 # AlgConstraint
819 # "disallowAlg" Uri
...
829 # For AlgConstraint, Uri is the algorithm URI String that is not
allowed.
The "disallowAlg" has said the same thing as line 829. As you did not
explain other options, may be this one can also be removed. Minor comment.
Policy.java
-----------
73 StringTokenizer st = new StringTokenizer(entry);
StringTokenizer is a legacy class per its specification, may be better
to use String.split:
String[] st = entry.split("\\s");
103 disallowedRefUriSchemes.add(scheme.toLowerCase());
Better to use toLowerCase(Locale.ENGLISH). There are issues to use
toUpperCase/toLowerCase when comparing two case-insensitive strings. See
JDK-6972387.
The same comment for other use of toLowerCase().
Xuelei
More information about the security-dev
mailing list