Fwd: RFR 7191662: JCE providers should be located via ServiceLoader

Sean Mullan sean.mullan at oracle.com
Wed May 27 23:06:41 UTC 2015


On 05/27/2015 07:05 PM, Sean Mullan wrote:
> On 05/27/2015 06:35 PM, Valerie Peng wrote:
>> In addition, I changed the getArgument() impl in OracleUcrypto provider
>> + SunPKCS11 provider to only return the value if the caller has read
>> permission to the file. I feel this is probably safer as we don't want
>> to reveal the path (potential info leak) to untrusted callers. If the
>> callers don't have the right permission, then "" is returned. If you
>> prefer SecurityException be thrown, please let me know.
>
> Better yet, maybe we don't need the getArgument method. The argument is
> really only needed for Provider implementations, which get it via the
> constructor.

I mean via the configure method ...

--Sean

> This way we can just have the constructor and not expose
> potentially sensitive info through a public method.
>
> --Sean


More information about the security-dev mailing list