Review request: 8040059 Change default policy for extensions to no permission
Bernd Eckenfels
bernd-2014 at eckenfels.net
Tue Apr 22 21:54:08 UTC 2014
Hello,
I do like to restrict the permissions granted, especially for client
deployments.
in a related note: why is JavaFX shipped by default as an extension? Or
better asked, how is the admin in the future supposed to maintain a
minimum JRE? Randomly deleting extension jars? Would it be better to
ship the JAR only in a dir where they CAN be added to the classpath,
but are not by default (similiar to javadb/derby).
Gruss
Bernd
Am Tue, 22 Apr 2014 12:39:57 -0700
schrieb Mandy Chung <mandy.chung at oracle.com>:
> This change proposes to remove granting all permissions for
> extensions as the default and implements the principle of least
> privilege.In JDK 9, we want to reduce the privileges of as many
> system classes as possible.
>
> http://cr.openjdk.java.net/~mchung/jdk9/webrevs/8040059/webrev.00/
>
> This patch has reduced the zipfs, localedata and cldrdata to grant
> the permissions they require. It grants AllPermission to other jar
> files in the lib/ext directory shipped with JDK and this change is
> intended to enable the component teams to identify the minimum
> permissions and fix any issue, if any.
>
> Libraries installed in the extensions directory depending on
> AllPermission granted by default are impacted. Making this change
> as early in JDK 9 allows us to identify any customer impacted by this
> change.
>
> Mandy
>
More information about the security-dev
mailing list