cklein05 commented on pull request #428: URL: https://github.com/apache/tomcat/pull/428#issuecomment-876456139
On defensive copies: For my understanding, defensive copies do not prevent exposing sensitive user information to (potentially untrusted) applications due to an inappropriate configuration. So, the Realm always needs to be configured carefully with regards to _keeping secrets secret_. That has not much to do with defensive copies. The only thing defensive copies could help with is preventing an evil application from modifying a cached attribute value (we've agreed that attribute values should be immutable). However, in that case, GenericPrincipal cannot trust the caller and has to generically create these copies itself.

I guess the question is whether we rely on Java's understanding of _immutable_ objects (_position A_, e.g. String _is_ an immutable type, so no copy is needed) or whether we account for the fact that that's not true with reflection (_position B_, e.g. a String can be changed in place with reflection or native code). With position A, we could at least save some copies for immutable types (according to Java's definition of _immutable_).

After all, since we can expect that most applications don't request the Principal's attributes too frequently, we could easily go with option 1 and copy every object returned.
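To make the "position A" trade-off discussed above concrete, here is an added, stand-alone example (not Tomcat code and not the PR's GenericPrincipal implementation): a hypothetical `AttributeStore` that passes JDK-immutable values through unchanged, copies arrays and lists on both store and read, and refuses types it cannot safely copy, so a web application holding a reference to a returned value cannot alter the cached attribute.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Hypothetical attribute holder illustrating "position A" defensive copies (example only). */
public final class AttributeStore {
    private final Map<String, Object> attributes = new HashMap<>();

    /** Copies on the way in, so the caller's later mutations of its own object do not leak into the cache. */
    public void put(String name, Object value) {
        attributes.put(name, copyIfMutable(value));
    }

    /** Copies on the way out, so the caller cannot modify what other callers will later see. */
    public Object getAttribute(String name) {
        return copyIfMutable(attributes.get(name));
    }

    private static Object copyIfMutable(Object value) {
        // Position A: trust the JDK's immutable types and skip the copy.
        if (value == null || value instanceof String || value instanceof Number || value instanceof Boolean) {
            return value;
        }
        if (value instanceof byte[]) {
            return ((byte[]) value).clone();
        }
        if (value instanceof Object[]) {
            Object[] dst = ((Object[]) value).clone();      // new array ...
            for (int i = 0; i < dst.length; i++) {
                dst[i] = copyIfMutable(dst[i]);             // ... with each element copied as well
            }
            return dst;
        }
        if (value instanceof List<?>) {
            List<Object> out = new ArrayList<>();
            for (Object element : (List<?>) value) {
                out.add(copyIfMutable(element));
            }
            return Collections.unmodifiableList(out);       // fresh list, additionally read-only
        }
        // Unknown type: no safe copy strategy, so do not expose it at all.
        throw new IllegalArgumentException("unsupported attribute type: " + value.getClass().getName());
    }

    public static void main(String[] args) {
        AttributeStore store = new AttributeStore();
        List<String> groups = new ArrayList<>(List.of("users"));   // constructed sample value
        store.put("memberOf", groups);
        groups.add("admins");                                      // caller mutates its own list; cache is unaffected
        System.out.println("cached: " + store.getAttribute("memberOf"));
        System.out.println("caller's list: " + groups);
    }
}
```

Under position B one would additionally have to copy the `String`, `Number` and `Boolean` values, which is exactly the per-call cost the comment weighs against simply copying every object returned.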