RFR: JDK-8131486 : SecureClassLoader key for ProtectionDomain cache also needs to take into account certificates

Weijun Wang weijun.wang at oracle.com
Sat Jul 18 00:00:46 UTC 2015

The change looks fine.

That said, is CodeSource's hashCode/equals used somewhere else? I mean, 
can we directly update them?


On 07/18/2015 05:32 AM, Sean Mullan wrote:
> One of the changesets for JEP 232 (Improve Secure Application
> Performance) introduced a regression in the ProtectionDomain cache used
> by SecureClassLoader. The HashMap key needs to also check the
> Certificates of the CodeSource (as well as the location); otherwise 2
> CodeSources from the same location but with different signers can
> resolve to the same ProtectionDomain.
> The existing regression test has also been updated to test this case.
> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8131486/webrev.00/
> bug: https://bugs.openjdk.java.net/browse/JDK-8131486
> Thanks,
> Sean
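
The cache-key problem described in the quoted message, as an added example that is not part of this thread or of the JDK change under review: two CodeSources with the same location but different signers are resolved through a map keyed on location only, then through one keyed on location plus certificates. The class name, `fakeCert`, both key helpers and the jar path are hypothetical and constructed for illustration.

```java
import java.net.*;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.*;
import java.util.function.Function;

public class PdCacheKeyDemo {
    // Constructed stand-in for a signer certificate; equality is decided by the encoded bytes.
    static Certificate fakeCert(String name) {
        return new Certificate("X.509") {
            @Override public byte[] getEncoded() { return name.getBytes(); }
            @Override public void verify(PublicKey key) { }
            @Override public void verify(PublicKey key, String sigProvider) { }
            @Override public String toString() { return name; }
            @Override public PublicKey getPublicKey() { return null; }
        };
    }

    // Hypothetical key with the flaw described in the thread: location only.
    static Object locationOnlyKey(CodeSource cs) { return cs.getLocation().toString(); }

    // Hypothetical key that also covers the signer certificates (order-independent).
    static Object locationAndCertsKey(CodeSource cs) {
        Certificate[] certs = cs.getCertificates();
        Set<Certificate> signers = new HashSet<>();
        if (certs != null) signers.addAll(Arrays.asList(certs));
        return List.<Object>of(cs.getLocation().toString(), signers);
    }

    // Resolves both CodeSources through one cache; true means they ended up in the same domain.
    static boolean sharesDomain(Function<CodeSource, Object> keyOf, CodeSource a, CodeSource b) {
        Map<Object, ProtectionDomain> cache = new HashMap<>();
        ProtectionDomain pdA = cache.computeIfAbsent(keyOf.apply(a), k -> new ProtectionDomain(a, null));
        ProtectionDomain pdB = cache.computeIfAbsent(keyOf.apply(b), k -> new ProtectionDomain(b, null));
        return pdA == pdB;
    }

    public static void main(String[] args) throws Exception {
        URL jar = URI.create("file:/opt/app/lib.jar").toURL(); // constructed location
        CodeSource signedByA = new CodeSource(jar, new Certificate[] { fakeCert("signer-A") });
        CodeSource signedByB = new CodeSource(jar, new Certificate[] { fakeCert("signer-B") });
        System.out.println("location-only key, same domain: "
                + sharesDomain(PdCacheKeyDemo::locationOnlyKey, signedByA, signedByB));
        System.out.println("location+certs key, same domain: "
                + sharesDomain(PdCacheKeyDemo::locationAndCertsKey, signedByA, signedByB));
    }
}
```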
