RFR: 8295803: Console should be usable in jshell and other environments [v7]
Naoto Sato
naoto at openjdk.org
Tue Dec 6 18:13:22 UTC 2022
On Tue, 6 Dec 2022 07:34:45 GMT, Alan Bateman <alanb at openjdk.org> wrote:
>> src/java.base/share/classes/java/io/Console.java line 616:
>>
>>> 614: JdkConsoleProvider.DEFAULT_PROVIDER_MODULE_NAME);
>>> 615: return ServiceLoader.load(JdkConsoleProvider.class).stream()
>>> 616: .map(ServiceLoader.Provider::get)
>>
>> Furthermore, I think in its current form it means that this will load/instantiate any `JdkConsoleProvider` implementations that are accessible to the thread context classloader but may not have been from the module configured through `jdk.console` system property. That could potentially mean, in the best case, unnecessary classloading of additional classes and in the worst case, could result in `ServiceLoader.Provider::get` throwing a `ServiceConfigurationError` error for any of such unused provider implementations, thus forcing us to use `java.io.Console` instance.
>
>> Furthermore, I think in its current form it means that this will load/instantiate any `JdkConsoleProvider` implementations that are accessible to the thread context classloader but may not have been from the module configured through `jdk.console` system property. That could potentially mean, in the best case, unnecessary classloading of additional classes and in the worst case, could result in `ServiceLoader.Provider::get` throwing a `ServiceConfigurationError` error for any of such unused provider implementations, thus forcing us to use `java.io.Console` instance.
>
> You are right that the ServiceLoader.load should specify the system class loader or the boot layer. However, there isn't an accessibility issue as a class loader just load classes so it's more about visibility and whether the TCCL will ultimately delegate to the application class loader.
`module-info.java` in the java.base only allows `jdk.internal.le` and `jdk.jshell` modules to access the `jdk.internal.io.JdkConsoleProvider` interface. So unless the user intentionally exports it, no other implementations are effectively instantiated.
-------------
PR: https://git.openjdk.org/jdk/pull/11421
More information about the security-dev
mailing list