Hi Sean,
I only just read this email, thanks, it allows us to start investigating
a new authorization layer.
Regards,
Peter.
On 21/04/2022 1:01 am, Sean Mullan wrote:
On 4/15/22 10:46 PM, Peter Firmstone wrote:
To securely instrument access controls onto public Java API, we need to
have the ability to disable finalizers, to prevent finalizer attacks
from circumventing access controls.
Since finalizers are planned for removal, as soon as finalizers are
officially deprecated, I propose a command line flag be provided to
disable jvm calls to finalizer methods.
This is already supported. JEP 421 added a "--finalization=disabled"
option to JDK 18:
https://openjdk.java.net/jeps/421#Command-line-option-to-disable-finalization
--Sean
