Review request: 8040059 Change default policy for extensions to no permission
Mandy Chung
mandy.chung at oracle.com
Wed Apr 23 16:14:16 UTC 2014
On 4/23/2014 8:19 AM, Sean Mullan wrote:
> On 04/22/2014 06:36 PM, Mandy Chung wrote:
>> Thanks for bringing up this question. I missed mentioning the open
>> question to follow up on: how we want to build the system java.policy. There
>> are platform-specific jar files and also different jar files in the Oracle
>> JDK build. I currently list them all in java.policy in this initial
>> patch. One solution is to have one version of java.policy for each OS.
>> However, this will suffer from the maintenance burden and will also be
>> error-prone, like the current java.security file. I'd like to get
>> feedback from the security team before attempting to modify the
>> makefiles.
>
> We had a similar issue with the java.security file where
> Oracle-specific packages were being added to the
> package.access/definition properties in the OpenJDK java.security
> files; thus polluting the source code with packages that were
> Oracle-specific.
>
> I fixed this in JDK 8:
> https://bugs.openjdk.java.net/browse/JDK-8007292
>
> Basically it involved keeping a list of the non-OpenJDK packages that
> were to be restricted in the closed repo, and creating a Java program
> that appended these to the properties in the java.security file when
> the build included the closed sources.
>
Thanks Sean. This patch separates the Oracle-specific content from the
OpenJDK java.security files. Is there any plan to handle
java.security-<os> differently (I recall there is an RFE for it and a
large part of the content is duplicated)? If this is a work in progress,
I want to make sure to use a similar mechanism for java.policy.
Mandy
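
The mechanism described in the quoted reply, appending a separately maintained package list to the package.access/definition properties at build time, shown as an added example. It is not the JDK build tool or code from this thread; the class name, the `append` helper and all package names are constructed for illustration.

```java
import java.io.StringReader;
import java.util.*;

public class AppendRestrictedPackages {
    // Appends extra package prefixes to a multi-line property (hypothetical helper).
    static List<String> append(List<String> lines, String key, List<String> extra) {
        if (extra.isEmpty()) return lines;
        List<String> out = new ArrayList<>();
        boolean inProp = false, done = false;
        for (String line : lines) {
            if (!done && line.startsWith(key + "=")) inProp = true;
            if (inProp && !line.endsWith("\\")) {
                // Last line of the value: turn it into a continuation, then add the extras.
                out.add(line + ",\\");
                for (int i = 0; i < extra.size(); i++)
                    out.add("               " + extra.get(i) + (i < extra.size() - 1 ? ",\\" : ""));
                inProp = false;
                done = true;
            } else {
                out.add(line);
            }
        }
        if (!done) throw new IllegalStateException(key + " missing or unterminated");
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample, not the real java.security content.
        List<String> result = List.of(
            "package.access=org.example.internal.,\\",
            "               org.example.impl.",
            "",
            "package.definition=org.example.internal.,\\",
            "               org.example.impl.");
        List<String> closed = List.of("com.example.closed.", "com.example.vendor.internal.");
        List<String> keys = List.of("package.access", "package.definition");
        for (String key : keys) result = append(result, key, closed);
        result.forEach(System.out::println);

        // Build-time check: parse the output as the runtime would and fail if an entry was lost.
        Properties p = new Properties();
        p.load(new StringReader(String.join("\n", result)));
        for (String key : keys)
            if (!Arrays.asList(p.getProperty(key).split(",")).containsAll(closed))
                throw new IllegalStateException(key + " is missing a closed package");
    }
}
```

The final parse step matters because a dropped continuation backslash silently truncates the property, leaving the later packages unrestricted without any build error.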