RFR: 8242565: Policy initialization issues when the denyAfter constraint is enabled
Sean Mullan
sean.mullan at oracle.com
Thu Apr 16 12:54:00 UTC 2020
On 4/15/20 9:58 PM, Weijun Wang wrote:
>>>>> Parsing of the denyAfter constraint is required to verify the signed JAR, which happens very early. This causes SL to search for a LocaleProvider to parse the denyAfter date field which triggers a permission check, causes the policy machinery to bootstrap, and which triggers further permission checks, etc.
>> Do we really need a LocaleProvider here? Or, is the grammar really locale-dependent? This does not look user-friendly to me.
> Just take a look. The grammar is simple but we use SimpleDateFormat for debugging messages and Calendar to validate the input.
>
> Maybe we can use
>
> LocalDateTime.of(year, month, day, 0, 0).atOffset(ZoneOffset.UTC).toInstant()
>
> to load the date. It takes care of validation and very easy to compare to Instant.now().
Good points. SimpleDateFormat definitely looks like additional overhead
that can be avoided. And using LocalDateTime looks like it also might work.
I would like to handle this separately though, so I will file a separate
issue.
> I don't have any other comment on the code change.
Great, thanks for reviewing.
--Sean
More information about the security-dev
mailing list