> In addition to the goals, scope, motivation, specification and requirement
> notes in [JDK-8315487](https://bugs.openjdk.org/browse/JDK-8315487), we would
> like to describe the most relevant decisions taken during the implementation
> of this enhancement. These notes are organized by feature, may encompass more
> than one file or code segment, and are aimed to provide a high-level view of
> this PR.
>
> ## ProvidersFilter
>
> ### Filter construction (parser)
>
> The providers filter is constructed from a string value, taken from either a
> system or a security property with name "jdk.security.providers.filter". This
> process occurs at sun.security.jca.ProvidersFilter class —simply referred as
> ProvidersFilter onward— static initialization. Thus, changes to the filter's
> overridable property are not effective afterwards and no assumptions should
> be made regarding when this class gets initialized.
>
> The filter's string value is processed with a custom parser of order 'n',
> being 'n' the number of characters. The parser, represented by the
> ProvidersFilter.Parser class, can be characterized as a Deterministic Finite
> Automaton (DFA). The ProvidersFilter.Parser::parse method is the starting
> point to get characters from the filter's string value and generate state
> transitions in the parser's internal state-machine. See
> ProvidersFilter.Parser::nextState for more details about the parser's states
> and both valid and invalid transitions. The ParsingState enum defines valid
> parser states and Transition the reasons to move between states. If a filter
> string cannot be parsed, a ProvidersFilter.ParserException exception is
> thrown, and turned into an unchecked IllegalArgumentException in the
> ProvidersFilter.Filter constructor.
>
> While we analyzed —and even tried, at early stages of the development— the
> use of regular expressions for filter parsing, we discarded the approach in
> order to get maximum performance, support a more advanced syntax and have
> flexibility for further extensions in the future.
>
> ### Filter (structure and behavior)
>
> A filter is represented by the ProvidersFilter.Filter class. It consists of
> an ordered list of rules, returned by the parser, that represents filter
> patterns from left to right (see the filter syntax for reference). At the end
> of this list, a match-all and deny rule is added for default behavior. When a
> service is evaluated against the filter, each filter rule is checked in the
> ProvidersFilter.Filter::apply method. The rule makes an allow or deny
> decision if the ser...
Martin Balao has updated the pull request with a new target base due to a merge
or a rebase. The pull request now contains six commits:
- Merge JDK-8345139 into JDK-8315487
This way, we are syncing with the dependency of this PR.
Fix two minor conflicts in:
src/java.base/share/classes/java/security/Provider.java
- Add implementation notes to public APIs
Update public APIs documentation with implementation notes to reflect
the effect of the jdk.security.providers.filter Security and System
properties.
Co-authored-by: Martin Balao Alonso <[email protected]>
Co-authored-by: Francisco Ferrari Bihurriet <[email protected]>
- Merge JDK-8345139 into JDK-8315487
This way, we are syncing with the dependency of this PR.
Manually apply src/java.base/share/classes/java/security/Provider.java
changes, as a lot of context changed after JDK-8345139 updates.
- Copyright date update.
Co-authored-by: Martin Balao Alonso <[email protected]>
Co-authored-by: Francisco Ferrari Bihurriet <[email protected]>
- Add a debug message to inform the Filter property value read.
See more in
https://mail.openjdk.org/pipermail/security-dev/2024-October/041800.html
Co-authored-by: Martin Balao Alonso <[email protected]>
Co-authored-by: Francisco Ferrari Bihurriet <[email protected]>
- 8315487: Security Providers Filter
Co-authored-by: Francisco Ferrari Bihurriet <[email protected]>
Co-authored-by: Martin Balao <[email protected]>
-------------
Changes: https://git.openjdk.org/jdk/pull/15539/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=15539&range=21
Stats: 3752 lines in 43 files changed: 3337 ins; 89 del; 326 mod
Patch: https://git.openjdk.org/jdk/pull/15539.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/15539/head:pull/15539
PR: https://git.openjdk.org/jdk/pull/15539
