AFAIK, no permission check from RB::getBundle loading this resource bundle. The implementation should wrap all security sensitive calls with doPriv. I also mentioned that in [1]
I have a simple test that calls new X500Principal(null) and it runs fine with security manager. Mandy [1] http://mail.openjdk.java.net/pipermail/security-dev/2017-January/015436.html > On Jan 21, 2017, at 5:02 PM, Weijun Wang <weijun.w...@oracle.com> wrote: > > Why isn't the new getAuthResourceString() using AccessController.doPrivileged > anymore? > > Thanks > Max > > On 01/22/2017 05:55 AM, Mandy Chung wrote: >> Since AuthResources is the only altBundle, Max suggests to replace >> getString(String, String) with a method for AuthResources bundle >> specifically. It’s an alternative I considered too. Here is the revised >> webrev: >> >> http://cr.openjdk.java.net/~mchung/jdk9/webrevs/8173024/webrev.01/ >> >> Mandy >> >>> On Jan 18, 2017, at 8:10 PM, Mandy Chung <mandy.ch...@oracle.com> wrote: >>> >>> Webrev at: >>> http://cr.openjdk.java.net/~mchung/jdk9/webrevs/8173024/webrev.00/ >>> >>> sun.security.util.ResourcesMgr::getString(String s, String altBundleName) >>> is one existing mechanism to get the localized string from AuthResources >>> and have sun.security.util.AuthResources resource bundle encapsulated in >>> java.base. >>> >>> jdk.security.auth loads “sun.security.util.AuthResources” resource bundle >>> in some place and uses ResourcesMgr::getString as well. >>> >>> This patch replaces direct loading of AuthResources resource bundle from >>> jdk.security.auth so that jdk.security.auth does not need to access the >>> resource bundle directly. >>> >>> I ran all core tests. >>> >>> Mandy >>