RFR: JDK-8210274: Source Launcher should work with a security manager

Alan Bateman Alan.Bateman at oracle.com
Tue Sep 11 07:58:18 UTC 2018

On 10/09/2018 21:37, Jonathan Gibbons wrote:
> Please review a patch to have the Source Launcher be able to work when 
> a security manager is enabled.
It's not clear to me that this is an interesting use-case but in any 
case I think you've got two scenarios to test. One is setting 
java.security.manager on the command line, the other is the launched 
code's main method calling System.setSecurityManager which amounts to 
setting a security manager in a running VM. You might want to add a test 
case for the latter.

Is there any way (spi.ToolProvider or some means) for untrusted code to 
indirectly run the source launcher? This question is important because 
the updated source launcher could be abused to probe anywhere on the 
file system.

What are the implications for uses of javax.tools and 
com.sun.tools.javac.Main in code running with a security manager? Maybe 
that is a separate project but I would have expected to see privileged 
blocks in places that need permissions.


More information about the compiler-dev mailing list