RFR: 8301260: Add system property to toggle XML Signature secure validation mode

Sean Mullan mullan at openjdk.org
Thu Feb 2 17:38:26 UTC 2023


On Thu, 2 Feb 2023 16:56:26 GMT, Sean Coffey <coffeys at openjdk.org> wrote:

>> This change adds a system property that can be used to enable/disable the XML Signature secure validation mode. This is useful for enabling/disabling the mode at runtime. The system property will supersede and have the same name as the XMLCryptoContext property that can be used to enable/disable the mode: "org.jcp.xml.dsig.secureValidation".
>
> src/java.base/share/conf/security/java.security line 953:
> 
>> 951: # "false". Any other value for the system property is also treated as "false".
>> 952: # If the system property is set, it supersedes the XMLCryptoContext property
>> 953: # value.
> 
> is is necessary to state (hint) that the system property is read once at class load time ?

I think you are touching on an issue that is poorly documented across many system properties, so I'm reluctant to add something here which might lead to questions about other properties. I've always felt that unless otherwise specified, you should assume a system property is only read once.

-------------

PR: https://git.openjdk.org/jdk/pull/12365



More information about the security-dev mailing list