8200400: Restrict Sasl mechanisms

Sean Mullan sean.mullan at oracle.com
Thu May 9 18:42:48 UTC 2019


Looks good, but just a reminder to change system to security property in 
the javadoc per Joe's comment in the CSR.

--Sean

On 5/7/19 11:31 AM, Weijun Wang wrote:
> Updated webrev at
> 
>     http://cr.openjdk.java.net/~weijun/8200400/webrev.02/
> 
> The CSR at https://bugs.openjdk.java.net/browse/JDK-821433 is also updated.
> 
> I reuse the Logger name "javax.security.sasl" used by our SASL providers. The name looks high-level enough to be used here.
> 
> Thanks,
> Max
> 
> 
>> On May 7, 2019, at 2:06 AM, Sean Mullan <sean.mullan at oracle.com> wrote:
>>
>> On 5/5/19 1:06 AM, Weijun Wang wrote:
>>> Please take a look at
>>>     https://cr.openjdk.java.net/~weijun/8200400/webrev.01/
>>
>> The java.security property description is not up-to-date with the CSR. Also, we don't support a system property override in the other jdk.*.disabled properties. So I don't think we should add that unless or until we see a need for it.
>>
>> In Sasl.java, can we log or add some debug information if a mechanism is disabled? Otherwise it can be hard to debug.
>>
>> --Sean
>>
>>> There is a CSR at
>>>     https://bugs.openjdk.java.net/browse/JDK-8214331
>>> Thanks,
>>> Max
> 

