RFR: 8159752: Grant de-privileged module permissions by default with java.security.policy override option
Sean Mullan
sean.mullan at oracle.com
Thu Jul 14 20:43:57 UTC 2016
On 07/14/2016 04:38 PM, Chris Hegarty wrote:
>> The default.policy file is now always loaded by the default Policy
>> provider implementation (sun/security/provider/PolicyFile). It is
>> loaded if the java.security.policy '=' or '==' option is specified,
>> and also if the application uses the Policy.getInstance methods and
>> specifies the "JavaPolicy" type. If the default.policy file cannot be
>> loaded, an InternalError is thrown, on the basis that the runtime
>> cannot operate correctly unless these permissions are granted.
>
> I think this is ok, but of course it is unnecessary for a minimal image
> with just java.base. Probably not worth complicating things, but you
> could conditionally add include the permissions per module based on its
> presence.
Yes, excellent point and there is already an RFE open for this:
https://bugs.openjdk.java.net/browse/JDK-8080294
This should establish the groundwork for making that happen more easily
but was not considered as critical as this piece to have in place right now.
--Sean
More information about the security-dev
mailing list