Review Request: JDK-8173024 Replace direct use of AuthResources resource bundle from jdk.security.auth

Mandy Chung mandy.chung at oracle.com
Mon Jan 23 16:16:48 UTC 2017


> On Jan 23, 2017, at 6:59 AM, Adam Petcher <adam.petcher at oracle.com> wrote:
> 
> Comments below.
> 
> On 1/21/2017 11:02 PM, Mandy Chung wrote:
>>> On Jan 21, 2017, at 6:37 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
>>> 
>>> 
>>> 
>>> On 01/22/2017 09:18 AM, Mandy Chung wrote:
>>>> AFAIK, no permission check from RB::getBundle loading this resource bundle.  The implementation should wrap all security sensitive calls with doPriv.  I also mentioned that in [1]
>>> I see.
>>> 
>>> It just feels strange to see getString() and getAuthResourcesString() implemented so differently in this webrev. Since you think they should be the same, how about creating a private method that includes the VM.initLevel and bundles.computeIfAbsent calls? We'll let Adam decide if getString() can also call it.
>>> 
>> I agree it looks strange but I hope Adam can leverage that.  It’s better to leave it for the fix for JDK-8168075.
> 
> Thanks. I've updated JDK-8172808 <https://bugs.openjdk.java.net/browse/JDK-8172808> to indicate that there is some potential for refactoring here. 
> 
> Though it seems like there is an issue with ResourceMgr::getString in your latest diff. The bundle is loaded, but it is not stored in the map (unless I'm missing it). So the resource bundle would be loaded for every call to this method.

Good catch.  I missed that.  The good thing is that ResourceBundle is cached after it’s loaded via getBundle method and there should be no loss of performance.  I’ll fix it and should probably take JDK-8172808.

Mandy
