Review Request: JDK-8173024 Replace direct use of AuthResources resource bundle from jdk.security.auth

Weijun Wang weijun.wang at oracle.com
Sun Jan 22 02:37:11 UTC 2017



On 01/22/2017 09:18 AM, Mandy Chung wrote:
> AFAIK, no permission check from RB::getBundle loading this resource bundle.  The implementation should wrap all security sensitive calls with doPriv.  I also mentioned that in [1]

I see.

It just feels strange to see getString() and getAuthResourcesString() 
implemented so differently in this webrev. Since you think they should 
be the same, how about creating a private method that includes the 
VM.initLevel and bundles.computeIfAbsent calls? We'll let Adam to decide 
if getString() can also call it.

Thanks
Max

>
> I have a simple test that calls new X500Principal(null) and it runs fine with security manager.
>
> Mandy
> [1] http://mail.openjdk.java.net/pipermail/security-dev/2017-January/015436.html
>
>> On Jan 21, 2017, at 5:02 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
>>
>> Why isn't the new getAuthResourceString() using AccessController.doPrivileged anymore?
>>
>> Thanks
>> Max
>>
>> On 01/22/2017 05:55 AM, Mandy Chung wrote:
>>> Since AuthResources is the only altBundle, Max suggests to replace getString(String, String) with a method for AuthResources bundle specifically. It’s an alternative I considered too.  Here is the revised webrev:
>>>
>>> http://cr.openjdk.java.net/~mchung/jdk9/webrevs/8173024/webrev.01/
>>>
>>> Mandy
>>>
>>>> On Jan 18, 2017, at 8:10 PM, Mandy Chung <mandy.chung at oracle.com> wrote:
>>>>
>>>> Webrev at:
>>>>  http://cr.openjdk.java.net/~mchung/jdk9/webrevs/8173024/webrev.00/
>>>>
>>>> sun.security.util.ResourcesMgr::getString(String s, String altBundleName) is one existing mechanism to get the localized string from AuthResources and have sun.security.util.AuthResources resource bundle encapsulated in java.base.
>>>>
>>>> jdk.security.auth loads “sun.security.util.AuthResources” resource bundle in some place and uses ResourcesMgr::getString as well.
>>>>
>>>> This patch replaces direct loading of AuthResources resource bundle from jdk.security.auth so that jdk.security.auth does not need to access the resource bundle directly.
>>>>
>>>> I ran all core tests.
>>>>
>>>> Mandy
>>>
>


More information about the security-dev mailing list