Allow multiple constraints for each algorithm

KostasTsiounis · KostasTsiounis · commit dfe0b43a67cd · 2025-02-28T13:15:34.000-05:00
If a constraint for an algorithm is found and the attributes
don't match or the class attempting to utilize it doesn't
match the accepted uses, the algorithm is considered not allowed
and loading it does not succeed.

Instead, we want to check all available constraints for an
algorithm before deciding if it is allowed to be used or not.

Signed-off-by: Kostas Tsiounis &lt;kostas.tsiounis@ibm.com&gt;
diff --git a/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java b/closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurity.java
@@ -836,7 +836,8 @@ boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {
                                     + "\nagainst the service attribute value: " + sValue);
                         }
                         if ((sValue == null) || !cValue.equalsIgnoreCase(sValue)) {
-                            // If any attribute doesn't match, return service is not allowed.
+                            // If any of the attributes doesn't match,
+                            // then this constraint doesn't match so move on.
                             if (debug != null) {
                                 debug.println("Attributes don't match!");
                                 debug.println("The following service:"
@@ -845,7 +846,7 @@ boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {
                                             + "\n\tAttribute: " + cAttribute
                                             + "\nis NOT allowed in provider: " + providerClassName);
                             }
-                            return false;
+                            continue;
                         }
                         if (debug != null) {
                             debug.println("Attributes match!");
@@ -903,7 +904,7 @@ boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {
                     }
 
                     // If nothing matching the accepted uses is found in the call stack,
-                    // this service is not allowed.
+                    // then this constraint doesn't match so move on.
                     if (!found) {
                         if (debug != null) {
                             debug.println("Classes in call stack are not part of accepted uses!");
@@ -914,7 +915,7 @@ boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {
                                         + "\n\tAccepted uses: " + cAcceptedUses
                                         + "\nis NOT allowed in provider: " + providerClassName);
                         }
-                        return false;
+                        continue;
                     }
                 }
 

Original file line number	Diff line number	Diff line change
`@@ -836,7 +836,8 @@ boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {`
`836`	`836`	`+ "\nagainst the service attribute value: " + sValue);`
`837`	`837`	`}`
`838`	`838`	`if ((sValue == null) \|\| !cValue.equalsIgnoreCase(sValue)) {`
`839`		`- // If any attribute doesn't match, return service is not allowed.`
	`839`	`+ // If any of the attributes doesn't match,`
	`840`	`+ // then this constraint doesn't match so move on.`
`840`	`841`	`if (debug != null) {`
`841`	`842`	`debug.println("Attributes don't match!");`
`842`	`843`	`debug.println("The following service:"`
`@@ -845,7 +846,7 @@ boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {`
`845`	`846`	`+ "\n\tAttribute: " + cAttribute`
`846`	`847`	`+ "\nis NOT allowed in provider: " + providerClassName);`
`847`	`848`	`}`
`848`		`- return false;`
	`849`	`+ continue;`
`849`	`850`	`}`
`850`	`851`	`if (debug != null) {`
`851`	`852`	`debug.println("Attributes match!");`
`@@ -903,7 +904,7 @@ boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {`
`903`	`904`	`}`
`904`	`905`
`905`	`906`	`// If nothing matching the accepted uses is found in the call stack,`
`906`		`- // this service is not allowed.`
	`907`	`+ // then this constraint doesn't match so move on.`
`907`	`908`	`if (!found) {`
`908`	`909`	`if (debug != null) {`
`909`	`910`	`debug.println("Classes in call stack are not part of accepted uses!");`
`@@ -914,7 +915,7 @@ boolean isRestrictedServiceAllowed(Service service, boolean checkUse) {`
`914`	`915`	`+ "\n\tAccepted uses: " + cAcceptedUses`
`915`	`916`	`+ "\nis NOT allowed in provider: " + providerClassName);`
`916`	`917`	`}`
`917`		`- return false;`
	`918`	`+ continue;`
`918`	`919`	`}`
`919`	`920`	`}`
`920`	`921`