RFR: 8315487: Security Providers Filter [v23]

Martin Balao mbalao at openjdk.org
Thu May 8 20:50:17 UTC 2025 

> In addition to the goals, scope, motivation, specification and requirement notes in [JDK-8315487](https://bugs.openjdk.org/browse/JDK-8315487), we would like to describe the most relevant decisions taken during the implementation of this enhancement. These notes are organized by feature, may encompass more than one file or code segment, and are aimed to provide a high-level view of this PR.
> 
> ## ProvidersFilter
> 
> ### Filter construction (parser)
> 
> The providers filter is constructed from a string value, taken from either a system or a security property with name "jdk.security.providers.filter". This process occurs at sun.security.jca.ProvidersFilter class —simply referred as ProvidersFilter onward— static initialization. Thus, changes to the filter's overridable property are not effective afterwards and no assumptions should be made regarding when this class gets initialized.
> 
> The filter's string value is processed with a custom parser of order 'n', being 'n' the number of characters. The parser, represented by the ProvidersFilter.Parser class, can be characterized as a Deterministic Finite Automaton (DFA). The ProvidersFilter.Parser::parse method is the starting point to get characters from the filter's string value and generate state transitions in the parser's internal state-machine. See ProvidersFilter.Parser::nextState for more details about the parser's states and both valid and invalid transitions. The ParsingState enum defines valid parser states and Transition the reasons to move between states. If a filter string cannot be parsed, a ProvidersFilter.ParserException exception is thrown, and turned into an unchecked IllegalArgumentException in the ProvidersFilter.Filter constructor.
> 
> While we analyzed —and even tried, at early stages of the development— the use of regular expressions for filter parsing, we discarded the approach in order to get maximum performance, support a more advanced syntax and have flexibility for further extensions in the future.
> 
> ### Filter (structure and behavior)
> 
> A filter is represented by the ProvidersFilter.Filter class. It consists of an ordered list of rules, returned by the parser, that represents filter patterns from left to right (see the filter syntax for reference). At the end of this list, a match-all and deny rule is added for default behavior. When a service is evaluated against the filter, each filter rule is checked in the ProvidersFilter.Filter::apply method. The rule makes an allow or deny decision if the ser...

Martin Balao has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 1268 commits:

 - 8315487: Security Providers Filter
   
   Co-authored-by: Francisco Ferrari Bihurriet <fferrari at redhat.com>
   Co-authored-by: Martin Balao <mbalao at redhat.com>
 - 8356126: Duplication handling and optimization of CaptureCallState
   
   Reviewed-by: jvernee
 - 8332934: Do loop with continue with subsequent switch leads to incorrect stack maps
   
   Reviewed-by: vromero
 - 8354461: Update tests to disable streaming output for attach tools
   
   Reviewed-by: sspitsyn, cjplummer
 - 8351313: VM crashes when AOTMode/AOTCache/AOTConfiguration are empty
   
   Reviewed-by: ccheung, shade, kvn
 - 8356318: Unexpected VerifyError in AOT training run
   
   Reviewed-by: shade, kvn
 - 8356025: Provide a PrintVMInfoAtExit diagnostic switch
   
   Reviewed-by: mbaesken, jsikstro
 - 8347004: vmTestbase/metaspace/shrink_grow/ShrinkGrowTest/ShrinkGrowTest.java fails with CDS disabled
   
   Reviewed-by: coleenp
 - 8354443: [Graal] crash after deopt in TestG1BarrierGeneration.java
   
   Reviewed-by: dnsimon, yzheng
 - 8355775: Improve symbolic sharing in dynamic constant pool entries
   
   Reviewed-by: asotona
 - ... and 1258 more: https://git.openjdk.org/jdk/compare/8c09d40d...37d3f23a

-------------

Changes: https://git.openjdk.org/jdk/pull/15539/files
  Webrev: Webrev is not available because diff is too large
  Stats: 506323 lines in 6824 files changed: 190010 ins; 280150 del; 36163 mod
  Patch: https://git.openjdk.org/jdk/pull/15539.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/15539/head:pull/15539

PR: https://git.openjdk.org/jdk/pull/15539

More information about the security-dev mailing list