Re: RFR: 8290368: Introduce LDAP and RMI protocol-specific object factory filters to JNDI implementation [v5]

Fri, 14 Oct 2022 10:42:52 -0700 

On Fri, 14 Oct 2022 16:35:28 GMT, Daniel Fuchs <dfu...@openjdk.org> wrote:

>> Aleksei Efimov has updated the pull request with a new target base due to a 
>> merge or a rebase. The incremental webrev excludes the unrelated changes 
>> brought in by the merge/rebase. The pull request contains ten additional 
>> commits since the last revision:
>> 
>>  - Merge branch 'master' into JDK-8290368_protocol_specific_factory_filters
>>  - Remove factory builder synchronization from NamingManager. Update 
>> comments/docs.
>>  - Change checkInput to be the global filter centric
>>  - Refactor checkInput, better reporting for invalid filter patterns
>>  - Merge branch 'master' into JDK-8290368_protocol_specific_factory_filters
>>  - Additional comments/formatting cleanup.
>>  - More tests clean-up. Code/doc comments cleanup.
>>  - Cleanup test comments. Add tests to check that LDAP/RMI filters do not 
>> intersect.
>>  - 8290368: Introduce LDAP and RMI protocol-specific object factory filters 
>> to JNDI implementation
>
> src/java.base/share/conf/security/java.security line 1388:
> 
>> 1386: # are unused.
>> 1387: #
>> 1388: # Each class name pattern is matched against the factory class name to 
>> allow or disallow its
> 
> It appears that for those protocols for which there is no specific filter, a 
> factory class will be accepted only if the global filter returns ALLOWED - 
> which contradicts what is written here (where it says that the class is 
> allowed if it's not REJECTED). Is this something that has changed with this 
> fix - or was the documentation wrong before?

Very good catch Daniel! It is with this fix and I believe the code needs to be 
change to match what is written for the global filter here:
What we've had before in `checkInput`:

    private static boolean checkInput(FactoryInfo factoryInfo) {
        Status result = GLOBAL.checkInput(factoryInfo);
        return result != Status.REJECTED;

What we have now:

        if (filter == GLOBAL_FILTER) {
            return globalResult == Status.ALLOWED;
        }


I think it needs to be changed to (to match the description for global filter):

        if (filter == GLOBAL_FILTER) {
            return globalResult != Status.REJECTED;
        }

-------------

PR: https://git.openjdk.org/jdk/pull/10578

Reply via email to