Review Request: JDK-8173024 Replace direct use of AuthResources resource bundle from jdk.security.auth
Mandy Chung
mandy.chung at oracle.com
Sun Jan 22 04:02:59 UTC 2017
> On Jan 21, 2017, at 6:37 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
>
>
>
> On 01/22/2017 09:18 AM, Mandy Chung wrote:
>> AFAIK, no permission check from RB::getBundle loading this resource bundle. The implementation should wrap all security sensitive calls with doPriv. I also mentioned that in [1]
>
> I see.
>
> It just feels strange to see getString() and getAuthResourcesString() implemented so differently in this webrev. Since you think they should be the same, how about creating a private method that includes the VM.initLevel and bundles.computeIfAbsent calls? We'll let Adam to decide if getString() can also call it.
>
I agree it looks strange but I hope Adam can leverage that. It’s better to leave it for the fix for JDK-8168075.
Do you approve this fix?
Mandy
More information about the security-dev
mailing list