Details
-
Bug
-
Resolution: Fixed
-
P2
-
7
-
b08
-
generic
-
generic
-
Verified
Description
Per security checklist, we need to update the sample/demo code documentation to indicate that the code was designed to assist developers in understanding Java functionality, that it has been deliberately simplified and does not take security considerations into account. It should not be used as a template for production code without appropriate due diligence.
<deleted duplicate note>
The documentation should include the following disclaimer:
The source code provided with samples and demos for the JDK is meant to illustrate the usage of a given feature or technique and has been deliberately simplified. Additional steps required for a production-quality application, such as security checks, input validation, and proper error handling, might not be present in the sample code.
Usage of sample code in production environments is strongly discouraged.
On the actual source code a variation of the message should be included as a comment in the header:
This source code is provided to illustrate the usage of a given feature or technique and has been deliberately simplified. Additional steps required for a production-quality application, such as security checks, input validation, and proper error handling, might not be present in this sample code.
Finally on the documentation of applications, such as the lightweight HTTP server, that are shipped for testing/debugging, the following disclaimer should be added:
Applications such as the lightweight HTTP server are shipped with the JDK to help developers deploy and test their code easily. They have not been developed in accordance to software development standards for production-quality applications. Usage of such test and/or support applications in production environments is strongly discouraged.
*** (#1 of 1): 2011-08-16 20:28:59 CEST ###@###.###
*** (#1 of 1): 2011-08-23 12:42:25 CEST ###@###.###
<deleted duplicate note>
The documentation should include the following disclaimer:
The source code provided with samples and demos for the JDK is meant to illustrate the usage of a given feature or technique and has been deliberately simplified. Additional steps required for a production-quality application, such as security checks, input validation, and proper error handling, might not be present in the sample code.
Usage of sample code in production environments is strongly discouraged.
On the actual source code a variation of the message should be included as a comment in the header:
This source code is provided to illustrate the usage of a given feature or technique and has been deliberately simplified. Additional steps required for a production-quality application, such as security checks, input validation, and proper error handling, might not be present in this sample code.
Finally on the documentation of applications, such as the lightweight HTTP server, that are shipped for testing/debugging, the following disclaimer should be added:
Applications such as the lightweight HTTP server are shipped with the JDK to help developers deploy and test their code easily. They have not been developed in accordance to software development standards for production-quality applications. Usage of such test and/or support applications in production environments is strongly discouraged.
*** (#1 of 1): 2011-08-16 20:28:59 CEST ###@###.###
*** (#1 of 1): 2011-08-23 12:42:25 CEST ###@###.###
Attachments
Issue Links
- relates to
-
-
- Closed
-