RFR: 8148188: Enhance the security libraries to record events of interest

Sean Mullan sean.mullan at oracle.com
Wed Nov 14 13:06:05 UTC 2018

On 11/13/18 8:11 PM, Weijun Wang wrote:
> Confused. Aren't all Security properties security-related? This is not about normal system properties.

Although probably not that common, an application could create their own 
security properties, ex: Security.setProperty("security.myPassword", 

We want to avoid logging those. We just want to record changes to the 
JDK security properties.

> And the method name in the latest webrev is "isSecurityProperty" without the "JDK" word. I assume this means you don't care about the difference between SE properties and JDK properties.

Hmm, I was reviewing v7, and the name was changed in v8. I think 
isJdkSecurityProperty method is a better name.


> --Max
>> On Nov 14, 2018, at 2:53 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>> * src/java.base/share/classes/java/security/Security.java
>> The isJdkSecurityProperty method could return false positives, for example there may be a non-JDK property starting with "security.". I was thinking it would be better to put all the JDK property names in a HashSet which is populated by the static initialize() method, and only if event logging is enabled. Then setProperty can just check if the property name is in this set.

More information about the security-dev mailing list