On 01/22/2017 09:18 AM, Mandy Chung wrote:
AFAIK, no permission check from RB::getBundle loading this resource bundle.
The implementation should wrap all security sensitive calls with doPriv. I
also mentioned that in [1]
I see.
It just feels strange to see getString() and getAuthResourcesString()
implemented so differently in this webrev. Since you think they should
be the same, how about creating a private method that includes the
VM.initLevel and bundles.computeIfAbsent calls? We'll let Adam to decide
if getString() can also call it.
Thanks
Max
I have a simple test that calls new X500Principal(null) and it runs fine with
security manager.
Mandy
[1] http://mail.openjdk.java.net/pipermail/security-dev/2017-January/015436.html
On Jan 21, 2017, at 5:02 PM, Weijun Wang <weijun.w...@oracle.com> wrote:
Why isn't the new getAuthResourceString() using AccessController.doPrivileged
anymore?
Thanks
Max
On 01/22/2017 05:55 AM, Mandy Chung wrote:
Since AuthResources is the only altBundle, Max suggests to replace
getString(String, String) with a method for AuthResources bundle specifically.
It’s an alternative I considered too. Here is the revised webrev:
http://cr.openjdk.java.net/~mchung/jdk9/webrevs/8173024/webrev.01/
Mandy
On Jan 18, 2017, at 8:10 PM, Mandy Chung <mandy.ch...@oracle.com> wrote:
Webrev at:
http://cr.openjdk.java.net/~mchung/jdk9/webrevs/8173024/webrev.00/
sun.security.util.ResourcesMgr::getString(String s, String altBundleName) is
one existing mechanism to get the localized string from AuthResources and have
sun.security.util.AuthResources resource bundle encapsulated in java.base.
jdk.security.auth loads “sun.security.util.AuthResources” resource bundle in
some place and uses ResourcesMgr::getString as well.
This patch replaces direct loading of AuthResources resource bundle from
jdk.security.auth so that jdk.security.auth does not need to access the
resource bundle directly.
I ran all core tests.
Mandy
