RFR: JDK-6826789: SecureClassLoader should not use CodeSource URLs as HashMap keys

Weijun Wang weijun.wang at oracle.com
Thu Jun 11 15:33:48 UTC 2015

Hi Sean

I remember you mentioned that although no name lookup is performed here 
the permissions will be calculated correctly, even if they are granted 
to different host strings which are actually equivalent (your new test 
proves this). The URL strings still must be resolved somewhere else to 
make this happen. Can you add a comment on where?


On 06/11/2015 09:54 PM, Sean Mullan wrote:
> This is the fifth in a series of fixes for JEP 232 (Improve
> Secure Application Performance) [1].
> webrev:
> http://cr.openjdk.java.net/~mullan/webrevs/6826789/webrev.00/
> bug: https://bugs.openjdk.java.net/browse/JDK-6826789
> This fix changes the keys used in the ProtectionDomain cache in
> SecureClassLoader from URLs to Strings. The URL.hashCode method can
> trigger a potentially expensive name service lookup. The String form of
> the URL avoids that lookup, resulting in a big performance improvement.
> Thanks,
> Sean
> [1] http://openjdk.java.net/jeps/232

More information about the security-dev mailing list