On Fri, 30 May 2025 10:44:11 GMT, Michael McMahon <micha...@openjdk.org> wrote:
>> Hi, >> >> Enhanced exception messages are designed to hide sensitive information such >> as hostnames, IP >> addresses from exception message strings, unless the enhanced mode for the >> specific category >> has been explicitly enabled. Enhanced exceptions were first introduced in >> 8204233 in JDK 11 and >> updated in 8207846. >> >> This PR aims to increase the coverage of enhanced exception messages in the >> networking code. >> A limited number of exceptions are already hidden (restricted) by default. >> The new categories and >> exceptions in this PR will be restricted on an opt-in basis, ie. the default >> mode will be enhanced >> (while preserving the existing behavior). >> >> The mechanism is controlled by the security/system property >> "jdk.includeInExceptions" which takes as value >> a comma separated list of category names, which identify groups of >> exceptions where the exception >> message may be enhanced. Any category not listed is "restricted" which means >> that potentially >> sensitive information (such as hostnames, IP addresses, user identities) are >> excluded from the message text. >> >> The changes to the java.security conf file describe the exact changes in >> terms of the categories now >> supported and any changes in behavior. >> >> Thanks, >> Michael > > Michael McMahon has updated the pull request incrementally with one > additional commit since the last revision: > > Fixed problem with j.n.HostPortRange src/java.base/share/conf/security/java.security line 1282: > 1280: # Exception messages may include potentially sensitive information such > as file > 1281: # names, host names, or port numbers. By default, socket related > exceptions > 1282: # have this information restricted (meaning the sensitive details are > removed). I found the "By default ..." sentence a little confusing, since other categories are also restricted by default. My initial thought is to just remove this sentence, as reading further will make it more clear that the hostInfoExclSocket category is the only one that is not restricted by default. Alternatively, you could flip the meaning of this sentence and say which exceptions are **not** restricted by default. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/23929#discussion_r2115938656
