Ensure Security class is loaded when checking FIPS mode#23490
Ensure Security class is loaded when checking FIPS mode#23490dev-koan wants to merge 1 commit intoeclipse-openj9:masterfrom
Conversation
|
The feature is tested in PR => ibmruntimes/openj9-openjdk-jdk#1185 |
|
@jasonkatonica I thought we were going to use a Security property rather than a System property. |
|
After talking more yesterday at our team meeting we want to support a System property, not a Security property. This property wont be a direct value that is typically in a java.security file and available through the Security class. We also want applications who have coded to this behavior in IBM Java 8 ( and Semeru ) to not be required to make changes in this area. Sure this property does not always work today given the classloading race condition here however further discussion flushed out that we really want to support this as a System property if possible. |
|
We would like to support our existing documented behavior in section |
That documentation doesn't specifically say how to acquire the system property value. As is, this doesn't guarantee that |
Yes very true likely additional work would be needed for this corner case to ensure we reference the |
dev-koan
force-pushed
the
feature/SystemFIPSModeCheck
branch
from
d1a14bd to
d3d78de
Compare
|
The commit message and the description here need not mention |
dev-koan
force-pushed
the
feature/SystemFIPSModeCheck
branch
from
d3d78de to
8314680
Compare
dev-koan
changed the title
|
The commit message says this forces "initialization of Security providers"; that is no longer true. Please update accordingly. This still doesn't address my earlier concern: #23490 (comment). Unless that is fixed (in a reasonable way), I think we should instead advise users to use |
Initialize security class when accessing com.ibm.fips.mode property or obtaining all the properties using the method getProperties. Signed-off-by: Dev Agarwal <[email protected]>
dev-koan
force-pushed
the
feature/SystemFIPSModeCheck
branch
from
8314680 to
3c675e1
Compare
dev-koan
changed the title
The commit has been updated. |
| security.checkPropertiesAccess(); | ||
| } | ||
| /*[ENDIF] JAVA_SPEC_VERSION < 24 */ | ||
| J9VMInternals.initialize(Security.class); |
There was a problem hiding this comment.
The change below to getProperty(String, String) will only trigger loading Security if the property of interest is "com.ibm.fips.mode"; while this has the potential to affect startup performance for every application, including those that don't use Security. I'm having difficulty accepting that instead of changing our advice for querying the FIPS mode via a system property to using Security.getProperty("com.ibm.fips.mode").
@pshipton What do you think?
There was a problem hiding this comment.
It's not ideal and using a Security property would be better, but I doubt the change in startup time would be measurable. If this is what we need to do for compatibility, so be it.
4 participants
Initialize security class when accessing com.ibm.fips.mode property or obtaining all the properties using the method getProperties.
Signed-off-by: Dev Agarwal [email protected]