Fwd: RFR 7191662: JCE providers should be located via ServiceLoader

Valerie Peng valerie.peng at oracle.com
Thu May 28 01:47:30 UTC 2015


Sounds good to me.
I suppose we can add it later if really needed.
I will update the webrev and CCC.
Thanks,
Valerie

On 5/27/2015 4:05 PM, Sean Mullan wrote:
> On 05/27/2015 06:35 PM, Valerie Peng wrote:
>> In addition, I changed the getArgument() impl in OracleUcrypto provider
>> + SunPKCS11 provider to only return the value if the caller has read
>> permission to the file. I feel this is probably safer as we don't want
>> to reveal the path (potential info leak) to untrusted callers. If the
>> callers don't have the right permission, then "" is returned. If you
>> prefer SecurityException be thrown, please let me know.
>
> Better yet, maybe we don't need the getArgument method. The argument 
> is really only needed for Provider implementations, which get it via 
> the constructor. This way we can just have the constructor and not 
> expose potentially sensitive info through a public method.
>
> --Sean


More information about the security-dev mailing list