Is RuntimePermission.accessClassInPackage now redundant?
Alan Bateman
Alan.Bateman at oracle.com
Tue Feb 16 07:59:40 UTC 2021
On 15/02/2021 19:45, Mike Hearn wrote:
> Hello,
>
> I was reviewing the default security policy and noticed quite a few modules
> are given accessClassInPackage permissions to e.g. packages in the sun.*
> hierarchy. Are the SecurityManager/ClassLoader based package control still
> needed now the module system has a built-in equivalent? I wasn't fully sure
> if this is some sort of tech debt waiting to be cleaned up, or if these
> permissions still have a role to play in the post-Jigsaw world?
This is a good observation. There was a lengthy discussion about this
here in 2017. The summary is that we want the package access check to go
away. It will mean a few subtle behavioral changes. In particular,
IllegalAccessError may be thrown for cases where SecurityException is
thrown today (assume running with a SM). It may also change the point
where an exception is thrown due to verification triggering class
loading and a package access check.
-Alan
More information about the jigsaw-dev
mailing list