Review request 8057645: Deprivilege JAX-WS, JAXB, JAF to extension class loader
Miroslav Kos
miroslav.kos at oracle.com
Fri Feb 6 08:42:38 UTC 2015
On 26/01/15 21:55, Alan Bateman wrote:
> On 26/01/2015 19:23, Mandy Chung wrote:
>> http://cr.openjdk.java.net/~mchung/jdk9/webrevs/8057645/webrev.00/
>>
>> This patch proposes to move java.xml.ws, java.xml.bind,
>> java.activation out of the boot loader and be loaded by the extension
>> class loader. We grant java.xml.ws and java.xml.bind the minimum set
>> of permissions. java.activation hasAllPermission for now and that
>> can be revised in the future when JAF team identifies the permission
>> set required java.activation.
>>
>> Miroslav - can you confirm if the JAX-WS and JAXB standalone tests
>> pass with this patch?
Yes, the tests are passing with our current configuration. Looks ok to me.
Thanks
Miran
>>
>> Existing code that assumes the defining class loader of JAX-WS, JAXB,
>> JAF classes may be impacted by this change (e.g. the class loader
>> delegation to the bootstrap class loader skipping the extension class
>> loader). They are standalone technologies that used to be loaded by
>> non-null class loader before they were included in Java SE. It
>> should be rare of such dependency. Callbacks may assume java.xml.ws
>> and java.xml.bind classes to have AllPermissions so that when running
>> with security manager, if the permission required for callback is not
>> part of the permission set granted to java.xml.ws and java.xml.bind,
>> SecurityException will be thrown. We need customer testings to
>> identify this callback permission case and revisit if they should be
>> granted with AllPermission for JDK 9.
> The changes looks good and will be interested to see if anyone is
> running JAX-WS and JAXB with a security manager willing to try out JDK
> 9 builds.
>
> -Alan.
More information about the core-libs-dev
mailing list