zeroflag commented on code in PR #681: URL: https://github.com/apache/knox/pull/681#discussion_r1045683325
########## gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java: ########## @@ -176,6 +172,6 @@ private Subject createSubjectFromToken(JWTToken token) { // To modify the Principals Set, the caller must have AuthPermission("modifyPrincipals"). // To modify the public credential Set, the caller must have AuthPermission("modifyPublicCredentials"). // To modify the private credential Set, the caller must have AuthPermission("modifyPrivateCredentials"). - return new javax.security.auth.Subject(true, principals, emptySet, emptySet); + return new javax.security.auth.Subject(true, principals, Collections.emptySet(), Collections.emptySet());

Review Comment: LGTM with one note. I'm not sure if it's a real problem, but since we're using `Collections.emptySet()` here, this means that adding a new principal after this point (e.g.: `subject.getPrincipals().add()`) to the subject might fail because the `Collections.emptySet()` is unmodifiable, unlike the `new HashSet<>();`.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
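
Review bot: On the `+` line of the `createSubjectFromToken` hunk, the subject is built with `true` as its first argument and two `Collections.emptySet()` values in the credential positions, but none of the three permission comments above it says the result is meant to be fixed at this point. A one-line comment stating that the subject is created read-only with empty public and private credential sets, and that callers should not add to it afterwards, would document the intent for later readers. The fully qualified `javax.security.auth.Subject` on the same line could also be shortened if the `Subject` return type shown in the hunk header is that same class.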