Review request: 8040059 Change default policy for extensions to no permission

Mandy Chung mandy.chung at oracle.com
Wed Apr 23 16:14:16 UTC 2014


On 4/23/2014 8:19 AM, Sean Mullan wrote:
> On 04/22/2014 06:36 PM, Mandy Chung wrote:
>> Thanks for bringing up this question.  I missed mentioning the open
>> question to follow up on how we want to build the system java.policy.
>> There are platform-specific jar files and also different jar files in
>> the Oracle JDK build.  I currently list them all in java.policy in this
>> initial patch.  One solution is to have one version of java.policy for
>> each OS.  However, this will suffer from the maintenance burden and is
>> also error-prone, as with the current java.security file.  I'd like to
>> get the feedback from the security team before attempting to modify the
>> makefiles.
>
> We had a similar issue with the java.security file where 
> Oracle-specific packages were being added to the 
> package.access/definition properties in the OpenJDK java.security 
> files; thus polluting the source code with packages that were 
> Oracle-specific.
>
> I fixed this in JDK 8:
> https://bugs.openjdk.java.net/browse/JDK-8007292
>
> Basically it involved keeping a list of the non-OpenJDK packages that 
> were to be restricted in the closed repo, and creating a Java program 
> that appended these to the properties in the java.security file when 
> the build included the closed sources.
>

Thanks Sean. This patch separates the Oracle-specific content from the
OpenJDK java.security files. Is there any plan to handle
java.security-<os> differently (I recall there is an RFE for it and a
large part of the content is duplicated)? If this is a work in progress,
I want to make sure to use a similar mechanism for java.policy.

Mandy


