SecurityManager environments

Alan Bateman Alan.Bateman at
Mon Apr 10 06:07:36 UTC 2017

On 09/04/2017 23:15, Robert Muir wrote:

> I dont agree with the use of the word ephemeral here, thats 
> misleading. Those permissions are *not* needed for outgoing connections.
> The default security policy of java absolutely allows for backdoors in 
> server applications. It does not matter if port number is 80 or 8000 
> the effect is the same.
I think I said "bind" rather than "outgoing connection". If I'm granted 
`SocketPermission "localhost:0", "listen"` then I would expect 
`bind(null)` or `bind(new InetSocketAddress(0))` should succeed but I 
wouldn't expect to be able to bind to a specific port.

In any case, the default permissions seem like a fine topic to bring to 
security-dev. AFAIK the only change to the defaults for JDK 9 is that 
`RuntimePermission "stopThread"` is dropped.


More information about the jigsaw-dev mailing list