<Swing Dev> [9] Review Request: 8149879 Examine UIDefaults::addResourceBundle(String bundleName) with resource encapsulation

Mandy Chung mandy.chung at oracle.com
Tue Jan 10 17:04:14 UTC 2017


> On Jan 10, 2017, at 8:42 AM, Sergey Bylokhov <Sergey.Bylokhov at oracle.com> wrote:
> 
> Hello,
> Please review the new version:
> http://cr.openjdk.java.net/~serb/8149879/webrev.03
> The specification of addResourceBundle() is updated.
> 

It would be useful to add @see ResourceBundle#getBundle(String, Locale, ClassLoader). The copyright end year needs to be updated to 2017. Otherwise, looks good.

No need to send a new webrev unless others have comments to require a new webrev.

Mandy

>> 
>>> 
>>> On Dec 22, 2016, at 1:33 AM, Semyon Sadetsky <semyon.sadetsky at oracle.com> wrote:
>>> 
>>> 
>>> 
>>> 
>>> On 20.12.2016 19:41, Mandy Chung wrote:
>>>> 
>>>>> On Dec 20, 2016, at 8:24 AM, Sergey Bylokhov <sergey.bylokhov at oracle.com> wrote:
>>>>> 
>>>>>>>> If this private data can be loaded to the UIDefaults or to other class then it will be read anyway. Are the Swing/AWT properties files content really secret?
>>>>>>> My point is that there are no secrets, but the bug description states that such bundles can be added some day later.
>>>>>> But what secret can be here?
>>>>> 
>>>>> I think Mandy can clarify that.
>>>> 
>>>> 
>>>> The API should only allow user code to request adding a resource bundle that is accessible to the user. A private resource bundle in java.desktop that may contain security-sensitive information is not intended to be registered in UIDefaults and of course it should be encapsulated. You may think that today there is no security-sensitive information, but we can’t guarantee that until an audit of all resource bundles is done, and also continuously for every change that is made.
>>> Okay, Mandy. It may make sense, but those sensitive files, if they appear, will be able to be extracted from the module jmod file.
>>> 
>>> I still think that the rule to search for resources should be explicitly clarified in the method spec. Do you think it's not necessary?
>> 
>> See my suggested spec clarification from:
>> http://mail.openjdk.java.net/pipermail/swing-dev/2016-December/007097.html
>> 
>>> Also I have a question to the fix author:
>>> What will be the result of the method call from another named module with the aim of loading a resource bundle located in this named module?
>> 
>> This is a RFE that I think probably should provide a new API to pass a Supplier<ResourceBundle>
>> 
>> Mandy
> 
