RFR [9] 7067728: Remove stopThread default java.policy
Chris Hegarty
chris.hegarty at oracle.com
Thu Jan 14 10:05:16 UTC 2016
The "stopThread” RuntimePermission is granted by default. The Thread.stop
methods have been deprecated for more than 15 years. It seems reasonable,
in a major release, to remove the default grant of stopThread.
diff --git a/src/java.base/share/conf/security/java.policy b/src/java.base/share/conf/security/java.policy
--- a/src/java.base/share/conf/security/java.policy
+++ b/src/java.base/share/conf/security/java.policy
@@ -94,17 +94,6 @@
// default permissions granted to all domains
grant {
- // Allows any thread to stop itself using the java.lang.Thread.stop()
- // method that takes no argument.
- // Note that this permission is granted by default only to remain
- // backwards compatible.
- // It is strongly recommended that you either remove this permission
- // from this policy file or further restrict it to code sources
- // that you specify, because Thread.stop() is potentially unsafe.
- // See the API specification of java.lang.Thread.stop() for more
- // information.
- permission java.lang.RuntimePermission "stopThread";
-
As a result of this change, untrusted code calling Thread.stop will throw a
SecurityException, as it will not have the required permission. The solution,
from the deployers perspective, is to add "stopThread” RuntimePermission
to the policy file.
-Chris.
More information about the security-dev
mailing list