<Swing Dev> [9] Review Request: 8149879 Examine UIDefaults::addResourceBundle(String bundleName) with resource encapsulation

[Semyon Sadetsky]

On 20.12.2016 19:41, Mandy Chung wrote:
>
>> On Dec 20, 2016, at 8:24 AM, Sergey Bylokhov 
>> <sergey.bylokhov at oracle.com <mailto:sergey.bylokhov at oracle.com>> wrote:
>>
>>>>> If this private data can be loaded to the UIDefaults or to other 
>>>>> class then it will be read anyway. Are the Swing/AWT properties 
>>>>> files content really secret?
>>>> My point is that there are no secrets, but the bug description 
>>>> states that such bundles can be added some day later.
>>> But what secret can be here?
>>
>> I think Mandy can clarify that.
>
> The API should only allow user code to request adding a resource 
> bundle that is accessible to the user.   A private resource bundle in 
> java.desktop that may contain security sensitive information  is not 
> intended to be registered in UIDefaults and of course it should be 
> encapsulated.  You may think that today there is no security sensitive 
> information but we can’t guarantee until an audit to all resource 
> bundles is done and also continuously for every change is made.
Okay, Mandy. It may make sens, but those sensitive files, if they 
appear, will be able to be extracted from the module jmod file.

I still think that the rule to search for resources should be explicitly 
clarified in the method spec. Do you think it's not necessary?
Also I have a question to the fix author:
What will be the result of the method call from another named module 
with aim to load resource bundle located in this named module?

--Semyon
>
> Mandy

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/swing-dev/attachments/20161222/2359b4b0/attachment.html>