Should we make SslOptions be more explicit about where it loads certifications? #3766
Description
I'm not sure I like the default fallback behavior here:
Instead I recommend something more like:
static InputStream getResource(
String path)
throws FileNotFoundException, IOException {
URI uri = URI.create(path);
/*
* Explicit
*/
if ("classpath".equals(uri.getScheme())) {
var classpath = uri.getPath();
if (classpath == null) {
throw new FileNotFoundException(path);
}
return getClasspathResource(classpath);
}
if ("file".equals(uri.getScheme())) {
return Files.newInputStream(Path.of(uri));
}
/*
* Implicit
*/
Path filepath = Paths.get(path);
if (Files.exists(filepath)) {
// absolute file:
return Files.newInputStream(filepath);
}
// Maybe do not do this
return getClasspathResource(path);
}This is where classpath:/// and file:/// can be explicitly used and then if that is not used we do the original behavior with the eventual goal of not doing the classpath unless it has the classpath uri schema.
The reason is assume I package a certification in the classpath. It works normally. Then someone adds a classpath on the filesystem when I go deploy. It now overrides the classpath one.
Now I admit this is unlikely and if this was not certs I could care less but I think we should not go around sniffing for certs. It also seems more inline with how we no longer use the service loader. That is less implicit behavior.
Otherwise I mostly don't care but just think this is the right thing to do.