Review Request: JDK-8173024 Replace direct use of AuthResources resource bundle from jdk.security.auth

Mandy Chung mandy.chung at oracle.com
Sun Jan 22 04:02:59 UTC 2017


> On Jan 21, 2017, at 6:37 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
> 
> 
> 
> On 01/22/2017 09:18 AM, Mandy Chung wrote:
>> AFAIK, no permission check from RB::getBundle loading this resource bundle.  The implementation should wrap all security sensitive calls with doPriv.  I also mentioned that in [1]
> 
> I see.
> 
> It just feels strange to see getString() and getAuthResourcesString() implemented so differently in this webrev. Since you think they should be the same, how about creating a private method that includes the VM.initLevel and bundles.computeIfAbsent calls? We'll let Adam to decide if getString() can also call it.
> 

I agree it looks strange but I hope Adam can leverage that.  It’s better to leave it for the fix for JDK-8168075.

Do you approve this fix?

Mandy




More information about the security-dev mailing list