JPMS Access Checks, Verification and the Security Manager
Alex Buckley
alex.buckley at oracle.com
Tue May 23 20:01:45 UTC 2017
On 5/23/2017 7:44 AM, Volker Simonis wrote:
> So maybe I rephrase my question a little more generally:
>
> Is it required for the verifier to do security and/or access checks
> during the verification phase or could/should these checks be
> postponed to runtime? The issue with verification errors due to
> missing classes from Remi's previous answer is probably a corner case
> of this question.
Verification must perform class loading in order to check subtyping, but
verification does not check access to the loaded classes. To be precise,
verification in JVMS 4.10.1 does not appeal to class resolution (JVMS
5.4.3.1) nor to access control (JVMS 5.4.4). Nor does verification in
JVMS 4.10.1 know what the package.access file is.
What you are seeing when the Security Manager is enabled is that class
loading fails (due to a package.access check in Hotspot) and so
verification fails. The verifier is not performing the package.access
check per se.
Alex
More information about the security-dev
mailing list