RFR: JDK-8075706 : Policy implementation does not allow policy.provider to be on the class path

Alan Bateman Alan.Bateman at oracle.com
Fri May 8 15:11:27 UTC 2015

On 05/05/2015 22:37, Sean Mullan wrote:
> I was trying to avoid too many changes, but in the end I decided it 
> was better to refactor some of this code into a new method. So here is 
> the new webrev:
>     http://cr.openjdk.java.net/~mullan/webrevs/8075706/webrev.02/
> Changes include:
> - bootstrapping code moved to new method named loadPolicyProvider
> - added Alan's suggestion to fallback to SCL only if CNFE is thrown
> - instantiated default policy provider directly instead of using 
> reflection if property has not been changed or is not set
> - addressed Mandy's comment about formatting
> - enhanced test to cover more cases
I don't have cycles to look at the test but the changes to PolicyFile 
looks okay, and in line with what was there previously. As getting the 
value of the security.provider property involves a permission check then 
I assume that isSet is guaranteed to be called before this code 
executes, otherwise there would be another potential way to get 
recursive initialization.

One small inconsistency is that Class.forName when trying to locate the 
provider on the boot loader doesn't run the static initializers whereas 
it does for the attempt to locate it via the system class loader.


More information about the security-dev mailing list