Querstion about ForkJoinPool / SecurityManager interoperability

Patrick Reinhart patrick at reini.net
Thu Dec 13 12:36:47 UTC 2018


Hi everybody,

I'm not sure if this mailing list the correct one, if not please give me 
a note where to place that question.

When trying to use the Weld SE with together with a SecurityManager and 
I got a exception thrown out of the ForkJoinWorkerThread:

java.lang.SecurityException: setContextClassLoader
	at 
java.base/java.util.concurrent.ForkJoinWorkerThread$InnocuousForkJoinWorkerThread.setContextClassLoader(ForkJoinWorkerThread.java:239)


I did some digging in the ForkJoinPool and there it states the possible 
reason:

"If no thread factory is supplied via a system property, then the common 
pool uses a factory that uses the system class loader as the thread 
context class loader. In addition, if a SecurityManager is present, then 
the common pool uses a factory supplying threads that have no 
Permissions enabled. Upon any error in establishing these settings, 
default parameters are used. It is possible to disable or limit the use 
of threads in the common pool by setting the parallelism property to 
zero, and/or using a factory that may return null. However doing so may 
cause unjoined tasks to never be executed."


Now the special case of using those special threads with no permission 
are only created when the ForkJoinPool is initialized with a security 
manager installed at this point of time. If the security manager will be 
installed later, it has not impact what so ever (this is my actual 
work-around the problem for now)

Even if the security manager is enabled before the initialize of the 
ForkJoinPool not all work is delegated to InnocuousForkJoinWorkerThread 
instances (sometimes it picks the main thread instead, that has not the 
restrictions, what I think should not be the case and is a potential 
security leak too)

Why is this done this way and the change of the context class loader or 
uncaught exception handler not checked by the actual security manager 
instead?


Can anybody enlighten me on this so I can file the correct bug at the 
correct place :-)

-Patrick


More information about the core-libs-dev mailing list