On Thu, 8 May 2025 20:50:17 GMT, Martin Balao <mba...@openjdk.org> wrote:
>> In addition to the goals, scope, motivation, specification and requirement
>> notes in [JDK-8315487](https://bugs.openjdk.org/browse/JDK-8315487), we
>> would like to describe the most relevant decisions taken during the
>> implementation of this enhancement. These notes are organized by feature,
>> may encompass more than one file or code segment, and are aimed to provide a
>> high-level view of this PR.
>>
>> ## ProvidersFilter
>>
>> ### Filter construction (parser)
>>
>> The providers filter is constructed from a string value, taken from either a
>> system or a security property with name "jdk.security.providers.filter".
>> This process occurs at sun.security.jca.ProvidersFilter class —simply
>> referred as ProvidersFilter onward— static initialization. Thus, changes to
>> the filter's overridable property are not effective afterwards and no
>> assumptions should be made regarding when this class gets initialized.
>>
>> The filter's string value is processed with a custom parser of order 'n',
>> being 'n' the number of characters. The parser, represented by the
>> ProvidersFilter.Parser class, can be characterized as a Deterministic Finite
>> Automaton (DFA). The ProvidersFilter.Parser::parse method is the starting
>> point to get characters from the filter's string value and generate state
>> transitions in the parser's internal state-machine. See
>> ProvidersFilter.Parser::nextState for more details about the parser's states
>> and both valid and invalid transitions. The ParsingState enum defines valid
>> parser states and Transition the reasons to move between states. If a filter
>> string cannot be parsed, a ProvidersFilter.ParserException exception is
>> thrown, and turned into an unchecked IllegalArgumentException in the
>> ProvidersFilter.Filter constructor.
>>
>> While we analyzed —and even tried, at early stages of the development— the
>> use of regular expressions for filter parsing, we discarded the approach in
>> order to get maximum performance, support a more advanced syntax and have
>> flexibility for further extensions in the future.
>>
>> ### Filter (structure and behavior)
>>
>> A filter is represented by the ProvidersFilter.Filter class. It consists of
>> an ordered list of rules, returned by the parser, that represents filter
>> patterns from left to right (see the filter syntax for reference). At the
>> end of this list, a match-all and deny rule is added for default behavior.
>> When a service is evaluated against the filter, each filter rule is checked
>> in the ProvidersFilter.Filter::apply method. The rule makes an all...
>
> Martin Balao has updated the pull request with a new target base due to a
> merge or a rebase. The pull request now contains 1268 commits:
>
>  - 8315487: Security Providers Filter
>
>    Co-authored-by: Francisco Ferrari Bihurriet <fferr...@redhat.com>
>    Co-authored-by: Martin Balao <mba...@redhat.com>
>  - 8356126: Duplication handling and optimization of CaptureCallState
>
>    Reviewed-by: jvernee
>  - 8332934: Do loop with continue with subsequent switch leads to incorrect
>    stack maps
>
>    Reviewed-by: vromero
>  - 8354461: Update tests to disable streaming output for attach tools
>
>    Reviewed-by: sspitsyn, cjplummer
>  - 8351313: VM crashes when AOTMode/AOTCache/AOTConfiguration are empty
>
>    Reviewed-by: ccheung, shade, kvn
>  - 8356318: Unexpected VerifyError in AOT training run
>
>    Reviewed-by: shade, kvn
>  - 8356025: Provide a PrintVMInfoAtExit diagnostic switch
>
>    Reviewed-by: mbaesken, jsikstro
>  - 8347004: vmTestbase/metaspace/shrink_grow/ShrinkGrowTest/ShrinkGrowTest.java
>    fails with CDS disabled
>
>    Reviewed-by: coleenp
>  - 8354443: [Graal] crash after deopt in TestG1BarrierGeneration.java
>
>    Reviewed-by: dnsimon, yzheng
>  - 8355775: Improve symbolic sharing in dynamic constant pool entries
>
>    Reviewed-by: asotona
>  - ... and 1258 more: https://git.openjdk.org/jdk/compare/8c09d40d...37d3f23a

src/java.base/share/classes/java/security/AlgorithmParameterGenerator.java line 162:

> 160:      * {@link System#getProperty(String) System} and
> 161:      * {@link Security#getProperty(String) Security} properties determine
> 162:      * which services are enabled. A service that is not enabled by the

In these and other APIs, I think it would be useful to link to
`java.security.Provider.Service` when mentioning "services" since this is the
first mention of that term in this API.

src/java.base/share/classes/java/security/Security.java line 387:

> 385:      * algorithm and provider. Search is case-insensitive.
> 386:      */
> 387:     private static Provider.Service findService(String type, String algo,

You need to add a similar implementation note about the
`jdk.security.providers.filter` property to the `getProviders(String)` method
since it can affect what providers are returned.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/15539#discussion_r2132598600
PR Review Comment: https://git.openjdk.org/jdk/pull/15539#discussion_r2137858527