On Fri, 1 Sep 2023 15:13:46 GMT, Martin Balao <mba...@openjdk.org> wrote:
> In addition to the goals, scope, motivation, specification and requirement > notes in [JDK-8315487](https://bugs.openjdk.org/browse/JDK-8315487), we would > like to describe the most relevant decisions taken during the implementation > of this enhancement. These notes are organized by feature, may encompass more > than one file or code segment, and are aimed to provide a high-level view of > this PR. > > ## ProvidersFilter > > ### Filter construction (parser) > > The providers filter is constructed from a string value, taken from either a > system or a security property with name "jdk.security.providers.filter". This > process occurs at sun.security.jca.ProvidersFilter class —simply referred as > ProvidersFilter onward— static initialization. Thus, changes to the filter's > overridable property are not effective afterwards and no assumptions should > be made regarding when this class gets initialized. > > The filter's string value is processed with a custom parser of order 'n', > being 'n' the number of characters. The parser, represented by the > ProvidersFilter.Parser class, can be characterized as a Deterministic Finite > Automaton (DFA). The ProvidersFilter.Parser::parse method is the starting > point to get characters from the filter's string value and generate state > transitions in the parser's internal state-machine. See > ProvidersFilter.Parser::nextState for more details about the parser's states > and both valid and invalid transitions. The ParsingState enum defines valid > parser states and Transition the reasons to move between states. If a filter > string cannot be parsed, a ProvidersFilter.ParserException exception is > thrown, and turned into an unchecked IllegalArgumentException in the > ProvidersFilter.Filter constructor. > > While we analyzed —and even tried, at early stages of the development— the > use of regular expressions for filter parsing, we discarded the approach in > order to get maximum performance, support a more advanced syntax and have > flexibility for further extensions in the future. > > ### Filter (structure and behavior) > > A filter is represented by the ProvidersFilter.Filter class. It consists of > an ordered list of rules, returned by the parser, that represents filter > patterns from left to right (see the filter syntax for reference). At the end > of this list, a match-all and deny rule is added for default behavior. When a > service is evaluated against the filter, each filter rule is checked in the > ProvidersFilter.Filter::apply method. The rule makes an allow or deny > decision if the ser... I wish we could keep this PR open. This is the latest comment in the ongoing discussion: https://mail.openjdk.org/pipermail/security-dev/2023-October/037479.html ------------- PR Comment: https://git.openjdk.org/jdk/pull/15539#issuecomment-1751120024
