Review Request: JDK-8173024 Replace direct use of AuthResources resource bundle from jdk.security.auth
Weijun Wang
weijun.wang at oracle.com
Sun Jan 22 04:18:14 UTC 2017
On 01/22/2017 12:02 PM, Mandy Chung wrote:
>
>> On Jan 21, 2017, at 6:37 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
>>
>>
>>
>> On 01/22/2017 09:18 AM, Mandy Chung wrote:
>>> AFAIK, no permission check from RB::getBundle loading this resource bundle. The implementation should wrap all security sensitive calls with doPriv. I also mentioned that in [1]
>>
>> I see.
>>
>> It just feels strange to see getString() and getAuthResourcesString() implemented so differently in this webrev. Since you think they should be the same, how about creating a private method that includes the VM.initLevel and bundles.computeIfAbsent calls? We'll let Adam to decide if getString() can also call it.
>>
>
> I agree it looks strange but I hope Adam can leverage that. It’s better to leave it for the fix for JDK-8168075.
>
> Do you approve this fix?
Yes.
--Max
>
> Mandy
>
>
More information about the security-dev
mailing list