RFR: 8148188: Enhance the security libraries to record events of interest

Sean Mullan sean.mullan at oracle.com
Wed Nov 14 13:06:05 UTC 2018


On 11/13/18 8:11 PM, Weijun Wang wrote:
> Confused. Aren't all Security properties security-related? This is not about normal system properties.

Although probably not that common, an application could create their own 
security properties, ex: Security.setProperty("security.myPassword", 
"abc123");

We want to avoid logging those. We just want to record changes to the 
JDK security properties.

> And the method name in the latest webrev is "isSecurityProperty" without the "JDK" word. I assume this means you don't care about the difference between SE properties and JDK properties.

Hmm, I was reviewing v7, and the name was changed in v8. I think 
isJdkSecurityProperty method is a better name.

--Sean

> 
> --Max
> 
>> On Nov 14, 2018, at 2:53 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>>
>> * src/java.base/share/classes/java/security/Security.java
>>
>> The isJdkSecurityProperty method could return false positives, for example there may be a non-JDK property starting with "security.". I was thinking it would be better to put all the JDK property names in a HashSet which is populated by the static initialize() method, and only if event logging is enabled. Then setProperty can just check if the property name is in this set.
> 
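The exact-match set proposed in the quoted review comment, next to a name-prefix heuristic, as an added example that is not code from the webrev or the JDK. The class name, method bodies, the prefix rule and the sample property file are assumptions constructed for illustration; only `security.myPassword` and the `isJdkSecurityProperty` name come from the thread.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;

public class JdkPropertyAllowlistDemo {
    // Constructed sample standing in for the JDK's java.security file.
    static final String SAMPLE_JAVA_SECURITY = String.join("\n",
        "security.provider.1=SUN",
        "securerandom.source=file:/dev/random",
        "keystore.type=pkcs12",
        "jdk.tls.disabledAlgorithms=SSLv3, RC4");

    // Hypothetical set of JDK-defined names, filled once at initialization.
    private static final Set<String> jdkProps = new HashSet<>();

    static void initialize(boolean eventLoggingEnabled) throws IOException {
        if (!eventLoggingEnabled) return; // skip the cost when nothing is recorded
        Properties p = new Properties();
        p.load(new StringReader(SAMPLE_JAVA_SECURITY));
        jdkProps.addAll(p.stringPropertyNames());
    }

    // Stand-in for a name-pattern heuristic (assumed, not the webrev's code):
    // it also matches any name an application invents under "security.".
    static boolean prefixCheck(String key) {
        return key.startsWith("security.") || key.startsWith("jdk.");
    }

    // Exact-match check against names the JDK itself defined.
    static boolean isJdkSecurityProperty(String key) {
        return jdkProps.contains(key);
    }

    public static void main(String[] args) throws IOException {
        initialize(true);
        for (String key : new String[] {
                "security.provider.1", "jdk.tls.disabledAlgorithms",
                "security.myPassword"}) {
            // Only names that pass the exact-match check would be recorded.
            System.out.printf("%-28s prefix=%-5b allowlist=%b%n",
                key, prefixCheck(key), isJdkSecurityProperty(key));
        }
    }
}
```

With the set in place, an application-defined name such as `security.myPassword` is never handed to the event recorder, so its value cannot end up in a recording.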

