On 20.12.2016 19:41, Mandy Chung wrote:
On Dec 20, 2016, at 8:24 AM, Sergey Bylokhov
<sergey.bylok...@oracle.com> wrote:
If this private data can be loaded to the UIDefaults or to another
class then it will be read anyway. Are the Swing/AWT properties
files content really secret?
My point is that there are no secrets, but the bug description
states that such bundles can be added some day later.
But what secret can be here?
I think Mandy can clarify that.
The API should only allow user code to request adding a resource
bundle that is accessible to the user. A private resource bundle in
java.desktop that may contain security sensitive information is not
intended to be registered in UIDefaults and of course it should be
encapsulated. You may think that today there is no security sensitive
information but we can’t guarantee until an audit of all resource
bundles is done and also continuously for every change that is made.
Okay, Mandy. It may make sense, but those sensitive files, if they
appear, will be able to be extracted from the module jmod file.
I still think that the rule to search for resources should be explicitly
clarified in the method spec. Do you think it's not necessary?
Also I have a question for the fix author:
What will be the result of the method call from another named module
with the aim of loading a resource bundle located in this named module?
--Semyon
Mandy