markt-asf commented on pull request #428: URL: https://github.com/apache/tomcat/pull/428#issuecomment-876355711
For defensive copies, I see several approaches:

1. GenericPrincipal always returns defensive copies.
2. GenericPrincipal returns defensive copies if running under a SecurityManager.
3. GenericPrincipal is documented to require that any attributes added to it are safe to expose to applications.

Option one will create unnecessary copies in some scenarios, but it should be impossible for a security-sensitive internal object to be exposed to a potentially untrusted application.

Option two may create some unnecessary copies, but only when working with untrusted applications (on the assumption that anyone running an untrusted application should be using a SecurityManager).

Option three allows any unnecessary copying (either because the objects are safe to share or because the application is trusted) to be avoided, at the risk of it being possible to expose an internal object if the configuration/coding is incorrect.

The other thing I like about option 3 is that it enables the caller to figure out the best way to create any required defensive copy rather than trying to write a generic deep object clone solution in GenericPrincipal.
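The three options side by side, as an added illustration that is not part of the pull request or of Tomcat's GenericPrincipal: `AttributePrincipal` is a hypothetical stand-in class, and the `groups` attribute is a constructed sample. It also shows why a shallow copy of the attribute map alone is not a defensive copy when a stored value is itself mutable.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Hypothetical stand-in for GenericPrincipal; not Tomcat's class.
public class AttributePrincipal {
    private final Map<String, Object> attributes = new HashMap<>();

    public void setAttribute(String name, Object value) { attributes.put(name, value); }

    // Option 3: hand back the internal reference. Safe only if every value
    // stored here is documented as safe to expose to the application.
    public Object getAttributeShared(String name) { return attributes.get(name); }

    // Option 1: always copy. Copying the map is not enough: a mutable value
    // (here a List) must be snapshotted too, which is why a generic deep
    // clone inside the principal is awkward and the caller often knows better.
    public Object getAttributeCopy(String name) {
        Object v = attributes.get(name);
        if (v instanceof List) {
            return List.copyOf((List<?>) v); // immutable snapshot of the value
        }
        return v; // assumed immutable (String, Integer, ...) for this example
    }

    // Option 2: copy only when a SecurityManager is installed (API deprecated
    // for removal in recent JDKs; shown only to illustrate the trade-off).
    @SuppressWarnings("removal")
    public Object getAttributeIfUntrusted(String name) {
        return System.getSecurityManager() != null ? getAttributeCopy(name)
                                                   : getAttributeShared(name);
    }

    public static void main(String[] args) {
        AttributePrincipal p = new AttributePrincipal();
        List<String> groups = new ArrayList<>(List.of("staff"));
        p.setAttribute("groups", groups); // constructed sample attribute

        @SuppressWarnings("unchecked")
        List<String> shared = (List<String>) p.getAttributeShared("groups");
        shared.add("extra-group"); // caller silently mutates internal state
        System.out.println("internal after shared access: " + groups);

        List<?> copy = (List<?>) p.getAttributeCopy("groups");
        try {
            copy.remove(0); // immutable snapshot rejects mutation
        } catch (UnsupportedOperationException e) {
            System.out.println("copy is immutable; internal still: " + groups);
        }
    }
}
```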