RFR: 8368692: Restrict Password::readPassword from reading from System.in [v2]
Naoto Sato
naoto at openjdk.org
Thu Jan 29 22:18:40 UTC 2026
On Thu, 29 Jan 2026 21:33:46 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> src/java.base/share/conf/security/java.security line 1729:
>>
>>> 1727: # environment variable or a file.
>>> 1728: #
>>> 1729: #jdk.security.password.allowSystemIn = true
>>
>> Should this be uncommented? Otherwise the default value is `null`
>
> This is our usual pattern in `java.security`. By commenting out the line, the property read is null but internally treated as "true".

I was under the impression that

    System.getProperty("jdk.security.password.allowSystemIn")

would return `true`, as it reads "The default *value* is "true"".
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/29490#discussion_r2743773545