RFR: 8315487: Security Providers Filter [v23]

Sean Mullan mullan at openjdk.org
Tue Jun 10 13:09:36 UTC 2025


On Thu, 8 May 2025 20:50:17 GMT, Martin Balao <mbalao at openjdk.org> wrote:

>> In addition to the goals, scope, motivation, specification and requirement notes in [JDK-8315487](https://bugs.openjdk.org/browse/JDK-8315487), we would like to describe the most relevant decisions taken during the implementation of this enhancement. These notes are organized by feature, may encompass more than one file or code segment, and aim to provide a high-level view of this PR.
>> 
>> ## ProvidersFilter
>> 
>> ### Filter construction (parser)
>> 
>> The providers filter is constructed from a string value, taken from either a system or a security property with name "jdk.security.providers.filter". This process occurs at sun.security.jca.ProvidersFilter class —simply referred to as ProvidersFilter onward— static initialization. Thus, changes to the filter's overridable property are not effective afterwards and no assumptions should be made regarding when this class gets initialized.
>> 
>> The filter's string value is processed with a custom parser of order 'n', 'n' being the number of characters. The parser, represented by the ProvidersFilter.Parser class, can be characterized as a Deterministic Finite Automaton (DFA). The ProvidersFilter.Parser::parse method is the starting point to get characters from the filter's string value and generate state transitions in the parser's internal state-machine. See ProvidersFilter.Parser::nextState for more details about the parser's states and both valid and invalid transitions. The ParsingState enum defines valid parser states and Transition the reasons to move between states. If a filter string cannot be parsed, a ProvidersFilter.ParserException exception is thrown, and turned into an unchecked IllegalArgumentException in the ProvidersFilter.Filter constructor.
>> 
>> While we analyzed —and even tried, at early stages of the development— the use of regular expressions for filter parsing, we discarded the approach in order to get maximum performance, support a more advanced syntax and have flexibility for further extensions in the future.
>> 
>> ### Filter (structure and behavior)
>> 
>> A filter is represented by the ProvidersFilter.Filter class. It consists of an ordered list of rules, returned by the parser, that represents filter patterns from left to right (see the filter syntax for reference). At the end of this list, a match-all and deny rule is added for default behavior. When a service is evaluated against the filter, each filter rule is checked in the ProvidersFilter.Filter::apply method. The rule makes an all...
>
> Martin Balao has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 1268 commits:
> 
>  - 8315487: Security Providers Filter
>    
>    Co-authored-by: Francisco Ferrari Bihurriet <fferrari at redhat.com>
>    Co-authored-by: Martin Balao <mbalao at redhat.com>
>  - 8356126: Duplication handling and optimization of CaptureCallState
>    
>    Reviewed-by: jvernee
>  - 8332934: Do loop with continue with subsequent switch leads to incorrect stack maps
>    
>    Reviewed-by: vromero
>  - 8354461: Update tests to disable streaming output for attach tools
>    
>    Reviewed-by: sspitsyn, cjplummer
>  - 8351313: VM crashes when AOTMode/AOTCache/AOTConfiguration are empty
>    
>    Reviewed-by: ccheung, shade, kvn
>  - 8356318: Unexpected VerifyError in AOT training run
>    
>    Reviewed-by: shade, kvn
>  - 8356025: Provide a PrintVMInfoAtExit diagnostic switch
>    
>    Reviewed-by: mbaesken, jsikstro
>  - 8347004: vmTestbase/metaspace/shrink_grow/ShrinkGrowTest/ShrinkGrowTest.java fails with CDS disabled
>    
>    Reviewed-by: coleenp
>  - 8354443: [Graal] crash after deopt in TestG1BarrierGeneration.java
>    
>    Reviewed-by: dnsimon, yzheng
>  - 8355775: Improve symbolic sharing in dynamic constant pool entries
>    
>    Reviewed-by: asotona
>  - ... and 1258 more: https://git.openjdk.org/jdk/compare/8c09d40d...37d3f23a

src/java.base/share/classes/java/security/AlgorithmParameterGenerator.java line 162:

> 160:      * {@link System#getProperty(String) System} and
> 161:      * {@link Security#getProperty(String) Security} properties determine
> 162:      * which services are enabled. A service that is not enabled by the

In these and other APIs, I think it would be useful to link to `java.security.Provider.Service` when mentioning "services" since this is the first mention of that term in this API.

src/java.base/share/classes/java/security/Security.java line 387:

> 385:      * algorithm and provider. Search is case-insensitive.
> 386:      */
> 387:     private static Provider.Service findService(String type, String algo,

You need to add a similar implementation note about the `jdk.security.providers.filter` property to the `getProviders(String)` method since it can affect what providers are returned.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/15539#discussion_r2132598600
PR Review Comment: https://git.openjdk.org/jdk/pull/15539#discussion_r2137858527
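
The quoted PR description says a filter is an ordered list of rules with a match-all deny rule appended at the end. The following is an added example, not code from the PR or the JDK: it previews which services on the running JVM such an ordered allow/deny list would leave enabled. `FilterPreview` and `Rule` are hypothetical names, the rules are built in code rather than parsed from the real filter syntax (which is not shown on this page), and first-match-wins evaluation is an assumption because the quoted text is cut off at that point.

```java
import java.security.Provider;
import java.security.Security;
import java.util.List;

// Added illustration; Rule and FilterPreview are hypothetical names, not JDK classes.
public class FilterPreview {
    // "*" matches any value; comparisons are case-insensitive (assumption).
    record Rule(boolean allow, String provider, String type, String algorithm) {
        boolean matches(Provider.Service s) {
            return eq(provider, s.getProvider().getName())
                    && eq(type, s.getType())
                    && eq(algorithm, s.getAlgorithm());
        }
        private static boolean eq(String pattern, String value) {
            return pattern.equals("*") || pattern.equalsIgnoreCase(value);
        }
    }

    // Trailing match-all deny rule, as the description says the filter appends.
    static final Rule DEFAULT_DENY = new Rule(false, "*", "*", "*");

    // Assumption: the first matching rule decides the outcome.
    static boolean isAllowed(List<Rule> rules, Provider.Service s) {
        for (Rule r : rules) {
            if (r.matches(s)) return r.allow();
        }
        return DEFAULT_DENY.allow();
    }

    public static void main(String[] args) {
        // Constructed sample policy: deny MD5 digests from any provider, then
        // allow all other MessageDigest and all Signature services.
        List<Rule> rules = List.of(
                new Rule(false, "*", "MessageDigest", "MD5"),
                new Rule(true, "*", "MessageDigest", "*"),
                new Rule(true, "*", "Signature", "*"));
        int kept = 0, dropped = 0;
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if (isAllowed(rules, s)) {
                    kept++;
                    System.out.printf("allow %s %s.%s%n",
                            p.getName(), s.getType(), s.getAlgorithm());
                } else {
                    dropped++;
                }
            }
        }
        System.out.printf("%d services allowed, %d denied%n", kept, dropped);
    }
}
```

Rule order matters here: moving the MD5 deny rule after the `MessageDigest` allow rule would leave MD5 enabled under first-match evaluation.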

