On Mon, 4 Nov 2024 19:46:07 GMT, Xue-Lei Andrew Fan <xue...@openjdk.org> wrote:
>> Martin Balao has updated the pull request with a new target base due to a >> merge or a rebase. The pull request now contains eight commits: >> >> - Remove -Xdebug from commented-out debug command >> >> This is unnecessary, see 842d6329cf5a3da8df7eddb195b5fcb7baadbdc3. >> - Merge 'openjdk/master' into JDK-8315487 >> >> Resolved conflicts: >> src/java.base/share/classes/java/security/Provider.java >> src/java.base/share/classes/javax/crypto/Cipher.java >> src/java.base/share/classes/sun/security/jca/ProviderList.java >> src/java.base/share/conf/security/java.security >> >> src/java.security.jgss/share/classes/sun/security/jgss/wrapper/SunNativeProvider.java >> >> Additional fixes: >> src/java.base/share/classes/java/security/Security.java >> Import sun.security.jca.ProvidersFilter, since the sun.security.jca.* >> import was removed in c6f1d5f374bfa9bde75765391d5dae0e8e28b4ab. >> src/java.base/share/classes/sun/security/jca/GetInstance.java >> Adjust GetInstance::getCipherServices return type to >> Iterator<Service>. >> src/java.base/share/classes/sun/security/jca/ProvidersFilter.java >> Rename CipherServiceList to CipherServiceIterator in comment. >> - Minor changes to align with the JEP. >> >> Co-authored-by: Francisco Ferrari Bihurriet <fferr...@redhat.com> >> Co-authored-by: Martin Balao <mba...@redhat.com> >> - ProvidersFilterTest extended to cover all JCA service types. >> >> Co-authored-by: Francisco Ferrari Bihurriet <fferr...@redhat.com> >> Co-authored-by: Martin Balao <mba...@openjdk.org> >> - Support for cipher transformations and JEP alignment >> of the java.security documentation. >> >> Co-authored-by: Francisco Ferrari Bihurriet <fferr...@redhat.com> >> Co-authored-by: Martin Balao <mba...@redhat.com> >> - Copyright dates update. >> - More clear text in invalid pattern exception. >> - 8315487: Security Providers Filter >> >> Co-authored-by: Francisco Ferrari Bihurriet <fferr...@redhat.com> >> Co-authored-by: Martin Balao <mba...@redhat.com> > > This update is really too big to review in details. There are 5512 lines > changed, 4881 ins and 631 del per the webrev data. If I read the description > and code right, there are three types of update in this PR: > 1. bug fixes of the current OpenJDK code. > 2. A provider filter API design to check if a service is allowed in a certain > circumstances. > 3. A provider filter implementation in java.security to perform the service > checking. > > I may use multiple PR for this purpose: > 1. Multiple pull requests to fix bugs. > 2. Design a public API to check if a service is allowed and update the JDK > code accordingly. A public API design will allow third party to define their > own service restriction policy, without depends on the java.security. > 3. Implement the provider filter with java security property. > > The 1st and 2nd one should be small enough, straightforward to implementation > and easy to integrate. The 3rd one could big, but it will be an > implementation details, and it can even be optional. As would make it easy > to review and backport. > > Just for your reference. Hi @XueleiFan, Is not a goal of this proposal to allow different filter implementations, for this reason, there isn't a pluggable filter API design. The only publicly API exposed by the filter is the `jdk.security.providers.filter` security property, overridable through a system property with the same name. Any other APIs are for JCA internal use only. More details can be found in the [proposed JEP draft](https://openjdk.org/jeps/8325511). We agree that this pull request is too large to review, and for this reason @martinuy has created [JDK-8345139: Fix bugs and inconsistencies in the Provider services map](https://bugs.openjdk.org/browse/JDK-8345139) and [JDK-8345221: Replace legacy with new Provider APIs in SunNativeGSS](https://bugs.openjdk.org/browse/JDK-8345221). We already moved changes from this pull request to [JDK-8345221](https://bugs.openjdk.org/browse/JDK-8345221 "Replace legacy with new Provider APIs in SunNativeGSS") (#22461), and we'll be moving changes to [JDK-8345139](https://bugs.openjdk.org/browse/JDK-8345139 "Fix bugs and inconsistencies in the Provider services map") in the coming days. Unlike [JDK-8345221](https://bugs.openjdk.org/browse/JDK-8345221 "Replace legacy with new Provider APIs in SunNativeGSS"), [JDK-8345139](https://bugs.openjdk.org/browse/JDK-8345139 "Fix bugs and inconsistencies in the Provider services map") will be a dependency for this pull request. In order to minimize future conflicts, we'll wait for #15539 to be integrated. Then, we'll base [JDK-8345139](https://bugs.openjdk.org/browse/JDK-8345139 "Fix bugs and inconsistencies in the Provider services map") on HEAD code including it. ------------- PR Comment: https://git.openjdk.org/jdk/pull/15539#issuecomment-2508434358
