RFR: 8368692: Restrict Password::readPassword from reading from System.in [v2]
Weijun Wang
weijun at openjdk.org
Thu Jan 29 22:30:54 UTC 2026
On Thu, 29 Jan 2026 22:14:52 GMT, Naoto Sato <naoto at openjdk.org> wrote:
>> This is our usual pattern in `java.security`. By commenting out the line, the property read is null but internally treated as "true".
>
> I was under the impression that
>
> System.getProperty("jdk.security.password.allowSystemIn")
>
> would return `true`, as it reads "The default *value* is "true"".
Yes, you can understand it this way, but if you look at other properties in `java.security`, you can see many of them commented out but the spec above describes a default. So when we say "default", it's not about the exact value returned by `getProperty` but how we treat this property even if it's not set anywhere.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/29490#discussion_r2743805594
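
The distinction discussed in the message above, between the raw value of a commented-out property and how an unset property is treated, shown as an added example (not code from the JDK or from this PR). It uses `java.util.Properties` as a stand-in for the `java.security` lookup; the class name, the `effective` helper and the two property-file fragments are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

public class DefaultWhenUnset {
    static final String PROP = "jdk.security.password.allowSystemIn";

    // Constructed fragments in java.security style (not the real file contents).
    static final String COMMENTED_OUT = "#" + PROP + "=true\n";
    static final String SET_FALSE = PROP + "=false\n";

    static Properties load(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text)); // lines starting with '#' are comments
        return p;
    }

    // Hypothetical helper: an unset (null) property takes the documented default.
    // In this sketch, any value other than "true" (case-insensitive) parses as
    // false, so a typo in the file gives the restrictive result, not the default.
    static boolean effective(Properties p, String name, boolean dflt) {
        String raw = p.getProperty(name);
        return raw == null ? dflt : Boolean.parseBoolean(raw.trim());
    }

    public static void main(String[] args) throws IOException {
        for (String text : new String[] { COMMENTED_OUT, SET_FALSE }) {
            Properties p = load(text);
            System.out.println("raw=" + p.getProperty(PROP)
                    + " effective=" + effective(p, PROP, true));
        }
    }
}
```

Code that audits a configuration by printing the raw property value will report `null` for the commented-out case, so the check has to apply the same default rule as the consumer to report the behaviour actually in force.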