Review Request: JDK-8173024 Replace direct use of AuthResources resource bundle from jdk.security.auth
Mandy Chung
mandy.chung at oracle.com
Sun Jan 22 01:18:10 UTC 2017
AFAIK, no permission check from RB::getBundle loading this resource bundle. The implementation should wrap all security sensitive calls with doPriv. I also mentioned that in [1]
I have a simple test that calls new X500Principal(null) and it runs fine with security manager.
Mandy
[1] http://mail.openjdk.java.net/pipermail/security-dev/2017-January/015436.html
> On Jan 21, 2017, at 5:02 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
>
> Why isn't the new getAuthResourceString() using AccessController.doPrivileged anymore?
>
> Thanks
> Max
>
> On 01/22/2017 05:55 AM, Mandy Chung wrote:
>> Since AuthResources is the only altBundle, Max suggests to replace getString(String, String) with a method for AuthResources bundle specifically. It’s an alternative I considered too. Here is the revised webrev:
>>
>> http://cr.openjdk.java.net/~mchung/jdk9/webrevs/8173024/webrev.01/
>>
>> Mandy
>>
>>> On Jan 18, 2017, at 8:10 PM, Mandy Chung <mandy.chung at oracle.com> wrote:
>>>
>>> Webrev at:
>>> http://cr.openjdk.java.net/~mchung/jdk9/webrevs/8173024/webrev.00/
>>>
>>> sun.security.util.ResourcesMgr::getString(String s, String altBundleName) is one existing mechanism to get the localized string from AuthResources and have sun.security.util.AuthResources resource bundle encapsulated in java.base.
>>>
>>> jdk.security.auth loads “sun.security.util.AuthResources” resource bundle in some place and uses ResourcesMgr::getString as well.
>>>
>>> This patch replaces direct loading of AuthResources resource bundle from jdk.security.auth so that jdk.security.auth does not need to access the resource bundle directly.
>>>
>>> I ran all core tests.
>>>
>>> Mandy
>>
More information about the security-dev
mailing list