On Fri, 25 Apr 2025 14:26:43 GMT, Michael McMahon <micha...@openjdk.org> wrote:
>> Hi, >> >> Enhanced exception messages are designed to hide sensitive information such >> as hostnames, IP >> addresses from exception message strings, unless the enhanced mode for the >> specific category >> has been explicitly enabled. Enhanced exceptions were first introduced in >> 8204233 in JDK 11 and >> updated in 8207846. >> >> This PR aims to increase the coverage of enhanced exception messages in the >> networking code. >> A limited number of exceptions are already hidden (restricted) by default. >> The new categories and >> exceptions in this PR will be restricted on an opt-in basis, ie. the default >> mode will be enhanced >> (while preserving the existing behavior). >> >> The mechanism is controlled by the security/system property >> "jdk.includeInExceptions" which takes as value >> a comma separated list of category names, which identify groups of >> exceptions where the exception >> message may be enhanced. Any category not listed is "restricted" which means >> that potentially >> sensitive information (such as hostnames, IP addresses, user identities) are >> excluded from the message text. >> >> The changes to the java.security conf file describe the exact changes in >> terms of the categories now >> supported and any changes in behavior. >> >> Thanks, >> Michael > > Michael McMahon has updated the pull request with a new target base due to a > merge or a rebase. The pull request now contains 22 commits: > > - Merge branch 'master' into 8348986-exceptions > - Review update > - review update > - Merge branch 'master' into 8348986-exceptions > - update to minimise code changes > - Merge branch 'master' into 8348986-exceptions > - Merge branch 'master' into 8348986-exceptions > - Apply suggestions from code review > > from turbanoff review > > Co-authored-by: Andrey Turbanov <turban...@gmail.com> > - doc + copyright update > - remove file added by mistake > - ... and 12 more: https://git.openjdk.org/jdk/compare/5c067232...9401d4c8 src/java.base/share/conf/security/java.security line 1311: > 1309: # hostInfo - Special value which signifies the three categories above > combined > 1310: # (socket, addressLookup, net). This is provided for > compatibility > 1311: # with previous releases. Are you sure "socket", "addressLookup", and "net" categories are useful and needed? I would think someone configuring this is looking to keeping sensitive fields out of the exception messages without knowing exactly which APIs are used. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/23929#discussion_r2063849188
