Hi, The API documentation makes the point that if there is a security manager installed which denies access to some entries amongst the visited files and directories then those entries are silently skipped, their presence not being disclosed by the walk terminating early due to an access denied exception. This is reasonable and follows the principle that information about privileged information is also privileged information. However Files::walk doesn’t follow that principle consistently. There’s no mention of the java.nio.file.attribute package or the AclEntryPermission enum, for example. It is not clear to me if, as an extreme example, the presence of an ACL on a file which denies read access to the file’s ACL (READ_ACL) would be leaked by Files::walk.
What Files::walk could do is support all access control mechanisms in the JDK in equal measure. As is it is, currently it is only those protected files that are unknown to the security manager and unknowable to Java that are being revealed to unprivileged users. This seems like the exact opposite of how it should be. -- Have a nice day, Timo Sent from Mail for Windows 10 From: Andrew Haley
