Review request 8057645: Deprivilege JAX-WS, JAXB, JAF to extension class loader
Alan Bateman
Alan.Bateman at oracle.com
Mon Jan 26 20:55:28 UTC 2015
On 26/01/2015 19:23, Mandy Chung wrote:
> http://cr.openjdk.java.net/~mchung/jdk9/webrevs/8057645/webrev.00/
>
> This patch proposes to move java.xml.ws, java.xml.bind,
> java.activation out of the boot loader and be loaded by the extension
> class loader. We grant java.xml.ws and java.xml.bind the minimum set
> of permissions. java.activation hasAllPermission for now and that can
> be revised in the future when JAF team identifies the permission set
> required java.activation.
>
> Miroslav - can you confirm if the JAX-WS and JAXB standalone tests
> pass with this patch?
>
> Existing code that assumes the defining class loader of JAX-WS, JAXB,
> JAF classes may be impacted by this change (e.g. the class loader
> delegation to the bootstrap class loader skipping the extension class
> loader). They are standalone technologies that used to be loaded by
> non-null class loader before they were included in Java SE. It should
> be rare of such dependency. Callbacks may assume java.xml.ws and
> java.xml.bind classes to have AllPermissions so that when running with
> security manager, if the permission required for callback is not part
> of the permission set granted to java.xml.ws and java.xml.bind,
> SecurityException will be thrown. We need customer testings to
> identify this callback permission case and revisit if they should be
> granted with AllPermission for JDK 9.
The changes looks good and will be interested to see if anyone is
running JAX-WS and JAXB with a security manager willing to try out JDK 9
builds.
-Alan.
More information about the core-libs-dev
mailing list