RFR: JDK-8075706 : Policy implementation does not allow policy.provider to be on the class path

Sean Mullan sean.mullan at oracle.com
Mon May 4 20:14:33 UTC 2015

On 05/04/2015 10:55 AM, Alan Bateman wrote:
> On 01/05/2015 13:48, Sean Mullan wrote:
>> Please review this change to use the system class loader to locate a
>> policy provider specified with the policy.provider security property.
>> The current implementation tries to load the provider using the
>> extension class loader. This will no longer work when the extension
>> mechanism is removed, which is proposed as part of JEP 220:
>> http://openjdk.java.net/jeps/220
>> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8075706/webrev.01/
> The change looks okay but I wonder if there is an opportunity to do some
> clean-up.

Yes, definitely, but OTOH it's been mostly working fine for years, and 
it's a fragile area, so we need to proceed with care :)

> One thing that is a bit icky is the catching of Exception for the case
> that the policy class is loaded by boot loader but it can't be
> instantiated for some reason. It might be  better to replace this with
> Class.forName(policy_class, false, null) and only fallback to trying
> again with the SCL if CNFE is thrown. That way you could have once place
> to instantiate the policy class and log the exception if it fails.

That seems like a good idea. I'll change it, and if I get a good JPRT 
run, I'll proceed with that change.


More information about the security-dev mailing list