RFR: 8229773: Resolve permissions for code source URLs lazily

Alan Bateman Alan.Bateman at oracle.com
Sat Sep 14 07:22:17 UTC 2019

On 13/09/2019 23:07, Peter Firmstone wrote:
> :
> One change I noticed is permissions granted to the java extension 
> directory are now granted to every domain in our policy provider as 
> the java.ext.dirs property is now blank, I also had to grant 
> permissions to a number of jdk modules, after fixing these, everthing 
> running as expected, except for a few minor test failures.
The extension mechanism was deprecated in one of the maintenance 
releases of the JSR for Java SE 8 so hopefully not a surprise that the 
system property java.ext.dirs is no longer set. Since JDK 9, the VM will 
will not start if this system property is set on the command line and 
there is also a XX option in JDK 8 to help find usages of this 
mechanism. So I think I'm surprised that permissions are being granted 
when the property isn't set.

Also surprised to hear that you need to grant permissions to the java.* 
or jdk.* modules. Are you saying that that the permissions granted in 
the default JDK policy file are incomplete or that there are code is 
missing a call to doPrivileged somewhere? Part of the reason for asking 
is that the both "-Djava.security.policy=" and 
"-Djava.security.policy==" will augment rather than override the default 
permissions. Maybe you are doing something that doesn't use this 
mechanism and you are always overriding the permissions granted to the 
modules in the run-time image?


More information about the security-dev mailing list