Review request for the incorrect check for "getClassLoader" permission
David Holmes
david.holmes at oracle.com
Thu Jun 21 17:08:46 PDT 2012
Hi Mandy,
On 22/06/2012 5:02 AM, Mandy Chung wrote:
> David, Paul,
>
> I have a fix for the incorrect check w.r.t. "getClassLoader" permission
> [1] and also update j.u.c.atomic for module mode.
>
> Webrev at:
> http://cr.openjdk.java.net/~mchung/jigsaw/webrevs/getclassloader-permission-fix/
I think ClassLoader.doClassLoaderPermissionCheck should be renamed
ClassLoader.needsClassLoaderPermissionCheck. When I see "do" I expect it
to actually check the permission which it doesn't.
I don't understand the Atomic changes if the parent is going away. The
whole isAncestor check becomes undefined.
I also find it odd that a java.* class relies on an org.openjdk.jigsaw
class. Will Platform eventually move into a core package like
java.lang.modules ?
> The security.sh test demonstrates what can be accessed in module mode
> and lists the open issue. This patch is intended to fix the bug
> introduced in this changeset:
> http://hg.openjdk.java.net/jigsaw/jigsaw/jdk/rev/7b282c826118
>
> Since there is no parent-child delegation relationship and the existing
> security check applies, it can only access its own class loader in
> module mode. This remains an open issue what security checks would be
> appropriate in module mode and how well it plays with existing java
> security policy file etc.
And how a mix of custom and module loaders gets handled.
David
> As for testing, I ran test/java/util/concurrent/atomic tests in hybrid
> mode and they passed (in fact I verified all java/lang and java/util
> tests). Since AtomicUpdaters is marked to run in othervm mode, I
> manually converted it as a module and it passes.
>
> Thanks
> Mandy
> [1] http://mail.openjdk.java.net/pipermail/jigsaw-dev/2012-May/002614.html
More information about the jigsaw-dev
mailing list