RFR: 8229773: Resolve permissions for code source URLs lazily

[Alan Bateman]

On 14/09/2019 21:21, Peter Firmstone wrote:
> Hi Alan,
>
> We've got a bunch of very old policy files in our test suite, so they 
> still had policy grants using the extension directory property.  The 
> grant for the extension directory property was followed by a forward 
> slash and asterix.  Oddly when the property was missing the grant 
> became a wildcard URL.  Note this isn't the sun PolicyFile 
> implementation, but our policy provider also augments, rather than 
> replace, maybe there's a new policy file our provider isn't aware of?
>
> From memory there was something special about the way the extension 
> directory property was treated by the policy provider, but I don't 
> recall the details, the same problems don't appear to exist when other 
> properties in policy files cannot be resolved.
>
>
> Modules that required permissions, seem to be service providers:
In jdk/jdk repo, the following policy files are merged in the build to 
create the default policy:

src/java.base/windows/lib/security/default.policy
src/java.base/solaris/lib/security/default.policy
src/java.base/share/lib/security/default.policy

The default policy goes into a JDK internal location in the run-time 
image and used by the PolicyFile implementation. If you look in there 
you should see the permissions that are granted to the modules that map 
to the platform class loader. The intention is that deployments that are 
setting their own policy files don't need to be concerned about the 
permissions of modules in the run-time image. I suspect you are looking 
for a custom PolicyFile implementation to make use of these defaults to 
avoid needing to be concerned with the specific permissions that the 
modules in the run-time image.

-Alan