Questions on deprivileging a module

[Alan Bateman]

On 04/07/2016 07:03, Wang Weijun wrote:

> I am working on
>
>     JDK-8159528 Deprivilege java.security.jgss, jdk.security.jgss and jdk.security.auth
>     https://bugs.openjdk.java.net/browse/JDK-8159528
>
> Several questions:
>
> 1. How does updating <top>/make/common/Modules.gmk affect an exploded build?
The mappings are used for both exploded and images build so the 
configuration in this make file is for both.

>
> 2. I am using Unsafe in two places, once to rewrite a final filed in clone() [1], and another to call unsafe.ensureClassInitialized(KeyTab.class) so that I can call a non-public method there [2], but it seems a platform module cannot use Unsafe. Is there new ways to do these? What I can do now is 1) make it non-final 2) call a method in KeyTab to get it initialized.
Can you say any more on this? When you say "a platform module cannot use 
Unsafe" then do you mean a compilation error? Are you attempting to use 
sun.misc.Unsafe without a dependency on jdk.unsupported?

>
> 3. I thought I can add something like
>
> grant codeBase "file://${java.home}/modules/java.security.jgss" {
>          permission java.security.AllPermission;
> };
>
> into java.policy so I can test with an exploded build. However, I see exceptions on ("java.lang.RuntimePermission" "accessClassInPackage.sun.security.util") not granted. The exception is not thrown when I am testing with an image build. Is there any way I can avoid it?
>
Can you provide the stack trace or better, the output when running with 
-Djava.security.debug=failure,access.

-Alan