Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v4]
On Tue, 23 Apr 2024 18:57:44 GMT, Sean Mullan wrote: > A few other comments/questions: > > Does this need a CSR since you are adding new property files? Not sure it does, but Joe will follow up with Joe Darcy > > Are there any tests to ensure the property files are working correctly? There are tests that Joe added as part of the JDK 22 work for custom config files > > Also, how does one try out these property files? Is there a system property > that needs to be set? Can you add more details to the RN on that? java -Djava.xml.config.file=$JAVA_HOME/conf/jaxp-compat.properties The property was added in JDK 22 see: https://docs.oracle.com/en/java/javase/22/docs/api/java.xml/module-summary.html#Conf_CF_SP - PR Comment: https://git.openjdk.org/jdk/pull/18831#issuecomment-2073248701
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v4]
On Fri, 19 Apr 2024 21:55:09 GMT, Joe Wang wrote: >> Add two sample configuration files: >> >> jaxp-strict.properties: used to set strict configuration, stricter than >> jaxp.properties in previous versions such as JDK 22 >> >> jaxp-compat.properties: used to regain compatibility from any more >> restricted configuration than previous versions such as JDK 22 > > Joe Wang has updated the pull request incrementally with one additional > commit since the last revision: > > changes description of jaxp-compat and jaxp-strict after discussing with > Lance Marked as reviewed by lancea (Reviewer). - PR Review: https://git.openjdk.org/jdk/pull/18831#pullrequestreview-2018094529
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v4]
On Fri, 19 Apr 2024 21:55:09 GMT, Joe Wang wrote: >> Add two sample configuration files: >> >> jaxp-strict.properties: used to set strict configuration, stricter than >> jaxp.properties in previous versions such as JDK 22 >> >> jaxp-compat.properties: used to regain compatibility from any more >> restricted configuration than previous versions such as JDK 22 > > Joe Wang has updated the pull request incrementally with one additional > commit since the last revision: > > changes description of jaxp-compat and jaxp-strict after discussing with > Lance A few other comments/questions: Does this need a CSR since you are adding new property files? Are there any tests to ensure the property files are working correctly? Also, how does one try out these property files? Is there a system property that needs to be set? Can you add more details to the RN on that? - PR Comment: https://git.openjdk.org/jdk/pull/18831#issuecomment-2073203196
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v4]
On Fri, 19 Apr 2024 21:55:09 GMT, Joe Wang wrote: >> Add two sample configuration files: >> >> jaxp-strict.properties: used to set strict configuration, stricter than >> jaxp.properties in previous versions such as JDK 22 >> >> jaxp-compat.properties: used to regain compatibility from any more >> restricted configuration than previous versions such as JDK 22 > > Joe Wang has updated the pull request incrementally with one additional > commit since the last revision: > > changes description of jaxp-compat and jaxp-strict after discussing with > Lance It might just be me, but the word "sample" is too related to programming examples that it makes this feel like something that users may not take seriously. But I think this is something that you really want users to take seriously and try out. Perhaps just drop the word "sample"? - PR Comment: https://git.openjdk.org/jdk/pull/18831#issuecomment-2073191426
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v3]
On Fri, 19 Apr 2024 20:45:36 GMT, Lance Andersen wrote: >> Joe Wang has updated the pull request incrementally with one additional >> commit since the last revision: >> >> fix typo > > src/java.xml/share/conf/jaxp-compat.properties line 20: > >> 18: # JDK has switched to a strict configuration as indicated in >> jaxp-strict.properties. >> 19: # This configuration contains the same properties as those in >> jaxp-strict.properties >> 20: # except it sets them back to the current status of the JDK. Note that, >> although > > 'sets them back to the current status of the JDK' > > I think you are trying to indicate that this property file specifies the JAXP > property values that were in place prior to being More Secure? Thanks Lance for the offline discussion. Updated the description. - PR Review Comment: https://git.openjdk.org/jdk/pull/18831#discussion_r1573002287
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v4]
> Add two sample configuration files: > > jaxp-strict.properties: used to set strict configuration, stricter than > jaxp.properties in previous versions such as JDK 22 > > jaxp-compat.properties: used to regain compatibility from any more > restricted configuration than previous versions such as JDK 22 Joe Wang has updated the pull request incrementally with one additional commit since the last revision: changes description of jaxp-compat and jaxp-strict after discussing with Lance - Changes: - all: https://git.openjdk.org/jdk/pull/18831/files - new: https://git.openjdk.org/jdk/pull/18831/files/e6386015..019c2aee Webrevs: - full: https://webrevs.openjdk.org/?repo=jdk&pr=18831&range=03 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=18831&range=02-03 Stats: 28 lines in 2 files changed: 2 ins; 4 del; 22 mod Patch: https://git.openjdk.org/jdk/pull/18831.diff Fetch: git fetch https://git.openjdk.org/jdk.git pull/18831/head:pull/18831 PR: https://git.openjdk.org/jdk/pull/18831
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v3]
On Fri, 19 Apr 2024 17:39:30 GMT, Joe Wang wrote: >> Add two sample configuration files: >> >> jaxp-strict.properties: used to set strict configuration, stricter than >> jaxp.properties in previous versions such as JDK 22 >> >> jaxp-compat.properties: used to regain compatibility from any more >> restricted configuration than previous versions such as JDK 22 > > Joe Wang has updated the pull request incrementally with one additional > commit since the last revision: > > fix typo src/java.xml/share/conf/jaxp-compat.properties line 12: > 10: # > 11: # jaxp-strict.properties: this file resembles what will become the > Secure-By-Default > 12: # configuration where a strict restriction is the default. This file > allows strict restriction needs rewording. Perhaps something that indicates that this property file provides settings that will be equivalent to that will be the default JAXP settings in a future release to make the use of JAXP more secure out of the box src/java.xml/share/conf/jaxp-compat.properties line 20: > 18: # JDK has switched to a strict configuration as indicated in > jaxp-strict.properties. > 19: # This configuration contains the same properties as those in > jaxp-strict.properties > 20: # except it sets them back to the current status of the JDK. Note that, > although 'sets them back to the current status of the JDK' I think you are trying to indicate that this property file specifies the JAXP property values that were in place prior to being More Secure? - PR Review Comment: https://git.openjdk.org/jdk/pull/18831#discussion_r1572927195 PR Review Comment: https://git.openjdk.org/jdk/pull/18831#discussion_r1572940722
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v2]
On Thu, 18 Apr 2024 23:40:22 GMT, Naoto Sato wrote: >> Joe Wang has updated the pull request incrementally with one additional >> commit since the last revision: >> >> add description of the three configuration files. > > src/java.xml/share/conf/jaxp-strict.properties line 2: > >> 1: >> >> 2: # JAXP String Configuration File > > Nit: typo here: String -> Strict Thanks! Fixed. - PR Review Comment: https://git.openjdk.org/jdk/pull/18831#discussion_r1572705283
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v3]
> Add two sample configuration files: > > jaxp-strict.properties: used to set strict configuration, stricter than > jaxp.properties in previous versions such as JDK 22 > > jaxp-compat.properties: used to regain compatibility from any more > restricted configuration than previous versions such as JDK 22 Joe Wang has updated the pull request incrementally with one additional commit since the last revision: fix typo - Changes: - all: https://git.openjdk.org/jdk/pull/18831/files - new: https://git.openjdk.org/jdk/pull/18831/files/98fcc3ef..e6386015 Webrevs: - full: https://webrevs.openjdk.org/?repo=jdk&pr=18831&range=02 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=18831&range=01-02 Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod Patch: https://git.openjdk.org/jdk/pull/18831.diff Fetch: git fetch https://git.openjdk.org/jdk.git pull/18831/head:pull/18831 PR: https://git.openjdk.org/jdk/pull/18831
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v2]
On Thu, 18 Apr 2024 21:54:26 GMT, Joe Wang wrote: >> Add two sample configuration files: >> >> jaxp-strict.properties: used to set strict configuration, stricter than >> jaxp.properties in previous versions such as JDK 22 >> >> jaxp-compat.properties: used to regain compatibility from any more >> restricted configuration than previous versions such as JDK 22 > > Joe Wang has updated the pull request incrementally with one additional > commit since the last revision: > > add description of the three configuration files. src/java.xml/share/conf/jaxp-strict.properties line 2: > 1: > > 2: # JAXP String Configuration File Nit: typo here: String -> Strict - PR Review Comment: https://git.openjdk.org/jdk/pull/18831#discussion_r1571515112
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration
On Wed, 17 Apr 2024 23:24:06 GMT, Joe Wang wrote: > Add two sample configuration files: > > jaxp-strict.properties: used to set strict configuration, stricter than > jaxp.properties in previous versions such as JDK 22 > > jaxp-compat.properties: used to regain compatibility from any more > restricted configuration than previous versions such as JDK 22 Thanks Alan, Lance! I added description of the three config files to both files so that readers can find answers reading any one of them. Also added a release note: https://bugs.openjdk.org/browse/JDK-8330605 - PR Comment: https://git.openjdk.org/jdk/pull/18831#issuecomment-2065384541
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v2]
> Add two sample configuration files: > > jaxp-strict.properties: used to set strict configuration, stricter than > jaxp.properties in previous versions such as JDK 22 > > jaxp-compat.properties: used to regain compatibility from any more > restricted configuration than previous versions such as JDK 22 Joe Wang has updated the pull request incrementally with one additional commit since the last revision: add description of the three configuration files. - Changes: - all: https://git.openjdk.org/jdk/pull/18831/files - new: https://git.openjdk.org/jdk/pull/18831/files/e36e5fd4..98fcc3ef Webrevs: - full: https://webrevs.openjdk.org/?repo=jdk&pr=18831&range=01 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=18831&range=00-01 Stats: 44 lines in 2 files changed: 38 ins; 0 del; 6 mod Patch: https://git.openjdk.org/jdk/pull/18831.diff Fetch: git fetch https://git.openjdk.org/jdk.git pull/18831/head:pull/18831 PR: https://git.openjdk.org/jdk/pull/18831
Re: RFR: 8330542: Add two sample configuration files
On Wed, 17 Apr 2024 23:24:06 GMT, Joe Wang wrote: > Add two sample configuration files: > > jaxp-strict.properties: used to set strict configuration, stricter than > jaxp.properties in previous versions such as JDK 22 > > jaxp-compat.properties: used to regain compatibility from any more > restricted configuration than previous versions such as JDK 22 Hi Joe, Overall this looks fine though we need to clarify more as to the differences between jaxp-compat.properties vs jaxp.properties and also make it clearer why anyone would use jaxp.strict.properties As part of the review, I would suggest that a Release Note is created which will hopefully clarify when to use which file. Also when we actually change the defaults in a JDK release to be the equivalent of jaxp-strict.properties, that this file can be removed? If so this should be documented in the Release Note and perhaps a comment in the properties file itself src/java.xml/share/conf/jaxp-compat.properties line 10: > 8: # configuration, properties that have more restrictive settings as in the > 9: # strict configuration (jaxp-strict.properties) are reversed back to their > 10: # defaults. In particular: I think the above needs some more word smithing as we have not articulated what a strict configuration is or how this differs from jaxp.properties src/java.xml/share/conf/jaxp-compat.properties line 16: > 14: # > 15: # This configuration file can be used to reverse back to a working > environment > 16: # prior to any more restrictive configuration that may have been applied. How does this differ from jaxp.properties for JDK 23? I can understand for when we move to secure by default, we just need to be clear on the purpose of each jaxp properties files - PR Review: https://git.openjdk.org/jdk/pull/18831#pullrequestreview-2009160577 PR Review Comment: https://git.openjdk.org/jdk/pull/18831#discussion_r1570932404 PR Review Comment: https://git.openjdk.org/jdk/pull/18831#discussion_r1570934511
Re: RFR: 8330542: Add two sample configuration files
On Wed, 17 Apr 2024 23:24:06 GMT, Joe Wang wrote: > Add two sample configuration files: > > jaxp-strict.properties: used to set strict configuration, stricter than > jaxp.properties in previous versions such as JDK 22 > > jaxp-compat.properties: used to regain compatibility from any more > restricted configuration than previous versions such as JDK 22 Just some context here. The JDK has been on a path for many releases to make XML processing more secure by default. At some point there will be a proposal/JEP to flip the switch, something that may create an upgrade challenge for some applications and deployments that haven't embraced the various security features and configuration added over the last 10+ years. The addition of conf/jaxp-strict.properties allows deployments to test more the secure/strict behavior in preparation for a possible future where strict is the default. As examples: trying this out may help identify processing XML that (perhaps unknowingly) makes outbound network connections to fetch DTD, or processing XML that relies on extension functions. So I think very useful to have this configuration available in a shipping JDK but it may need a write-up/JEP before anyone knows about this. - PR Comment: https://git.openjdk.org/jdk/pull/18831#issuecomment-2063474370
RFR: 8330542: Add two sample configuration files
Add two sample configuration files: jaxp-strict.properties: used to set strict configuration, stricter than jaxp.properties in previous versions such as JDK 22 jaxp-compat.properties: used to regain compatibility from any more restricted configuration than previous versions such as JDK 22 - Commit messages: - fix whitespace - 8330542: Add two sample configuration files Changes: https://git.openjdk.org/jdk/pull/18831/files Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=18831&range=00 Issue: https://bugs.openjdk.org/browse/JDK-8330542 Stats: 229 lines in 2 files changed: 229 ins; 0 del; 0 mod Patch: https://git.openjdk.org/jdk/pull/18831.diff Fetch: git fetch https://git.openjdk.org/jdk.git pull/18831/head:pull/18831 PR: https://git.openjdk.org/jdk/pull/18831