RFR [11] 8207846: Generalize the jdk.net.includeInExceptions security property
Chris Hegarty
chris.hegarty at oracle.com
Fri Jul 20 11:38:05 UTC 2018
JDK-8204233 added a new security property, `jdk.net.includeInExceptions`,
to include additional, potentially security sensitive, information in
exception detail messages in the networking area. The property accepts a
comma separated list of values that specifies the particular type of
extra detail information to add.
Since its addition, in JDK 11, further uses have arisen to include
additional, potentially security sensitive, information in exception
detail messages in other areas, namely the java.util.jar APIs. See
JDK-8205525, and http://mail.openjdk.java.net/pipermail/core-libs-dev/2018-July/054284.html
Given that this mechanism will likely be used more generally across
different parts of the platform, it seems prudent to rename the property
to be less area-specific, thus allowing for additional argument values
to be specified, like for example `jarPath`.
The following are the suggested changes to the java.security file:
$ hg extdiff -p diff -o -C1 src/java.base/share/conf/security/java.security
*** 1062,1074 ****
#
! # Enhanced exception message text
#
! # By default, socket exception messages do not include potentially sensitive
! # information such as hostnames or port numbers. This property may be set to one
! # or more values, separated by commas, and with no white-space. Each value
! # represents a category of enhanced information. Currently, the only category defined
! # is "hostInfo" which enables more detailed information in the IOExceptions
! # thrown by java.net.Socket and also the socket types in the java.nio.channels package.
! # The setting in this file can be overridden by a system property of the same name
! # and with the same syntax and possible values.
! #jdk.net.includeInExceptions=hostInfo
--- 1062,1084 ----
+
+ #
+ # Enhanced exception message information
+ #
+ # By default, several exception messages do not include potentially sensitive
+ # information such as file names, host names, or port numbers. This property may
+ # be used to enable categories of enhanced information in exception messages.
+ # The property accepts one or more comma separated values, each of which
+ # represents a category of enhanced exception message information to enable.
+ # Values are case-insensitive. Leading and trailing whitespaces, surrounding
+ # each value, are ignored. Unknown values are ignored.
+ #
+ # The categories, to enable enhanced exception message information, are:
+ #
+ # hostInfo - IOExceptions thrown by java.net.Socket and also the socket types
+ # in the java.nio.channels package will contain enhanced exception
+ # message information
#
! # The property setting in this file can be overridden by a system property of
! # the same name, with the same syntax and possible values.
#
! #jdk.includeInExceptions=hostInfo
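Review bot: the rewritten comment says the information withheld by default includes "file names", but the category list that follows defines only hostInfo, so a reader of java.security cannot tell which value would ever reveal a file name; either list the jarPath category the covering mail anticipates (marked as arriving with JDK-8205525) or leave "file names" out until that category exists. The renamed example line `#jdk.includeInExceptions=hostInfo` should also say whether the previous name `jdk.net.includeInExceptions` is still honored: a deployment that set the old name would otherwise silently lose hostInfo detail after the upgrade. Finally, since the text documents that a system property of the same name overrides this file, it is worth one sentence noting that anyone who can set JVM flags can enable the sensitive detail regardless of what this file says, so the file setting is not a hard limit.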
Full webrev:
http://cr.openjdk.java.net/~chegar/8207846/webrev.00/
-Chris.
P.S. It appears that jtreg does not support quoted system property values
with spaces on the @run line. I’ll file an issue against jtreg for this.
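The parsing rules the new java.security comment documents (comma separated, case-insensitive, trimmed, unknown values ignored, system property overriding the file) written out as a small Java example; this is added illustration, not JDK code, and the known-category set, the `jarPath` category and the message text are assumptions for the example.

```java
import java.security.Security;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;

/** Hypothetical reader for jdk.includeInExceptions with the documented semantics. */
public final class IncludeInExceptions {

    // Assumed category set for this example; the patch itself defines only hostInfo.
    private static final Set<String> KNOWN = Set.of("hostinfo", "jarpath");

    /** Parses a raw value: split on commas, trim, lower-case, drop unknown or empty tokens. */
    static Set<String> parse(String raw) {
        Set<String> enabled = new TreeSet<>();
        if (raw == null) {
            return enabled;            // property unset: no enhanced detail (the safe default)
        }
        for (String token : raw.split(",")) {
            String category = token.trim().toLowerCase(Locale.ROOT);
            if (KNOWN.contains(category)) {
                enabled.add(category); // a misspelled category silently enables nothing
            }
        }
        return enabled;
    }

    /** A system property of the same name overrides the java.security file setting. */
    static Set<String> enabledCategories() {
        String raw = System.getProperty("jdk.includeInExceptions");
        if (raw == null) {
            raw = Security.getProperty("jdk.includeInExceptions");
        }
        return parse(raw);
    }

    /** Appends host and port to a socket failure message only when hostInfo is enabled. */
    static String connectFailureMessage(Set<String> enabled, String host, int port) {
        String msg = "Connection refused"; // assumed base text for the example
        return enabled.contains("hostinfo") ? msg + ": " + host + ":" + port : msg;
    }

    public static void main(String[] args) {
        // Constructed sample value exercising case, whitespace and an unknown token.
        Set<String> fromFile = parse(" HostInfo , bogus,jarPath ");
        System.out.println(fromFile);
        System.out.println(connectFailureMessage(parse(null), "db.internal", 5432));
        System.out.println(connectFailureMessage(fromFile, "db.internal", 5432));
        System.out.println(enabledCategories());
    }
}
```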