[External] : Re: JEP411: Missing use-case: Monitoring / restricting libraries

Alan Bateman Alan.Bateman at oracle.com
Tue May 18 06:10:13 UTC 2021

On 18/05/2021 03:39, Peter Firmstone wrote:
> :
> Yes, I realize that, it is my understanding that because this is a 
> security concern, it is not something the community is allowed to 
> provide support for at OpenJDK, hence my suggestion to Alan, to make 
> it possible for this to happen by changing the security level and 
> calling it an access control layer concern.
Sorry, I was too busy and didn't have time to reply to your previous 
mail on this and the performance anomaly in Java 14.

I'm dubious about your suggestion. Every issue or report that Java has a 
security bug has to be analyzed on the assumption that it may be a 
vulnerability. Saying that SM bypass or a ninja move that disables the 
SM is not a security concern would create a perception issue. It would 
get lost in the discussion that the SM is rarely used in the way that it 
was envisaged 20+ years ago. The other thing is that it wouldn't remove 
the ongoing burden to insert/audit permission checks, check that ACC are 
captured and used in the right places, and of course testing as it's 
another execution mode.


More information about the security-dev mailing list