RFR: 8148188: Enhance the security libraries to record events of interest
Sean Mullan
sean.mullan at oracle.com
Wed Nov 14 13:06:05 UTC 2018
On 11/13/18 8:11 PM, Weijun Wang wrote:
> Confused. Aren't all Security properties security-related? This is not about normal system properties.

Although probably not that common, an application could create their own
security properties, ex:
Security.setProperty("security.myPassword", "abc123");

We want to avoid logging those. We just want to record changes to the
JDK security properties.

> And the method name in the latest webrev is "isSecurityProperty" without the "JDK" word. I assume this means you don't care about the difference between SE properties and JDK properties.

Hmm, I was reviewing v7, and the name was changed in v8. I think
isJdkSecurityProperty method is a better name.

--Sean

>
> --Max
>
>> On Nov 14, 2018, at 2:53 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>>
>> * src/java.base/share/classes/java/security/Security.java
>>
>> The isJdkSecurityProperty method could return false positives, for example there may be a non-JDK property starting with "security.". I was thinking it would be better to put all the JDK property names in a HashSet which is populated by the static initialize() method, and only if event logging is enabled. Then setProperty can just check if the property name is in this set.
>
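
The set-based check proposed in the quoted review, shown next to a prefix check, as an added example that is not code from this thread, the webrev, or the JDK. The class name, the `prefixCheck` helper, the `eventLoggingEnabled` flag and the sample file contents are all assumptions made for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;

public class JdkPropertyFilterDemo {
    // Constructed stand-in for the shipped java.security file (not the real file).
    static final String SAMPLE_JAVA_SECURITY =
        "security.provider.1=SUN\n" +
        "securerandom.source=file:/dev/random\n" +
        "jdk.tls.disabledAlgorithms=SSLv3, RC4\n";

    // Hypothetical prefix test: any key starting with "security." is treated as a JDK property.
    static boolean prefixCheck(String key) {
        return key.startsWith("security.");
    }

    // Snapshot the property names once at initialization, and only when event
    // logging is enabled, so the disabled case pays no extra cost.
    static Set<String> loadJdkPropertyNames(String fileContents,
                                            boolean eventLoggingEnabled) throws IOException {
        Set<String> names = new HashSet<>();
        if (eventLoggingEnabled) {
            Properties props = new Properties();
            props.load(new StringReader(fileContents));
            names.addAll(props.stringPropertyNames());
        }
        return names;
    }

    public static void main(String[] args) throws IOException {
        Set<String> jdkNames = loadJdkPropertyNames(SAMPLE_JAVA_SECURITY, true);
        String[] keys = {
            "security.myPassword",        // application-defined, value must not be recorded
            "security.provider.1",        // present in the sample file
            "securerandom.source"         // present in the sample file, different prefix
        };
        for (String key : keys) {
            System.out.printf("%-24s prefix=%-5b set=%b%n",
                              key, prefixCheck(key), jdkNames.contains(key));
        }
    }
}
```

Run against the three keys, the prefix test and the set disagree on `security.myPassword` and on `securerandom.source`, which is the false-positive case the review raises plus the matching miss for a property outside the assumed prefix.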