[prev in list] [next in list] [prev in thread] [next in thread]
List: openjdk-security-dev
Subject: Re: RFR: 8315487: Security Providers Filter [v7]
From: Martin Balao <mbalao () openjdk ! org>
Date: 2024-01-31 4:18:04
Message-ID: 9gWirtGicGY_QrkTssxaig7ITLedj4eoJjffr3CTMOE=.fc6c0cb6-f030-4cfd-bf4f-9b25b7b8d19e () github ! com
[Download RAW message or body]
> In addition to the goals, scope, motivation, specification and requirement notes in \
> [JDK-8315487](https://bugs.openjdk.org/browse/JDK-8315487), we would like to \
> describe the most relevant decisions taken during the implementation of this \
> enhancement. These notes are organized by feature, may encompass more than one file \
> or code segment, and are aimed to provide a high-level view of this PR.
> ## ProvidersFilter
>
> ### Filter construction (parser)
>
> The providers filter is constructed from a string value, taken from either a system \
> or a security property with name "jdk.security.providers.filter". This process \
> occurs at sun.security.jca.ProvidersFilter class —simply referred as \
> ProvidersFilter onward— static initialization. Thus, changes to the filter's \
> overridable property are not effective afterwards and no assumptions should be made \
> regarding when this class gets initialized.
> The filter's string value is processed with a custom parser of order 'n', being 'n' \
> the number of characters. The parser, represented by the ProvidersFilter.Parser \
> class, can be characterized as a Deterministic Finite Automaton (DFA). The \
> ProvidersFilter.Parser::parse method is the starting point to get characters from \
> the filter's string value and generate state transitions in the parser's internal \
> state-machine. See ProvidersFilter.Parser::nextState for more details about the \
> parser's states and both valid and invalid transitions. The ParsingState enum \
> defines valid parser states and Transition the reasons to move between states. If a \
> filter string cannot be parsed, a ProvidersFilter.ParserException exception is \
> thrown, and turned into an unchecked IllegalArgumentException in the \
> ProvidersFilter.Filter constructor.
> While we analyzed —and even tried, at early stages of the development— the use \
> of regular expressions for filter parsing, we discarded the approach in order to \
> get maximum performance, support a more advanced syntax and have flexibility for \
> further extensions in the future.
> ### Filter (structure and behavior)
>
> A filter is represented by the ProvidersFilter.Filter class. It consists of an \
> ordered list of rules, returned by the parser, that represents filter patterns from \
> left to right (see the filter syntax for reference). At the end of this list, a \
> match-all and deny rule is added for default behavior. When a service is evaluated \
> against the filter, each filter rule is checked in the \
> ProvidersFilter.Filter::apply method. The rule makes an allow or deny decision if \
> the ser...
Martin Balao has updated the pull request incrementally with one additional commit \
since the last revision:
ProvidersFilterTest extended to cover all JCA service types.
Co-authored-by: Francisco Ferrari Bihurriet <fferrari@redhat.com>
Co-authored-by: Martin Balao <mbalao@openjdk.org>
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/15539/files
- new: https://git.openjdk.org/jdk/pull/15539/files/f015ba87..b231a75d
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=15539&range=06
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=15539&range=05-06
Stats: 224 lines in 2 files changed: 200 ins; 1 del; 23 mod
Patch: https://git.openjdk.org/jdk/pull/15539.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/15539/head:pull/15539
PR: https://git.openjdk.org/jdk/pull/15539
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic