Review request 8057645: Deprivilege JAX-WS, JAXB, JAF to extension class loader
lance.andersen at oracle.com
Mon Jan 26 19:48:55 UTC 2015
The changes look good Mandy. Hopefully we won't have too many issues with tweaking permissions…
On Jan 26, 2015, at 2:23 PM, Mandy Chung <mandy.chung at oracle.com> wrote:
> This patch proposes to move java.xml.ws, java.xml.bind, java.activation out of the boot loader and be loaded by the extension class loader. We grant java.xml.ws and java.xml.bind the minimum set of permissions. java.activation hasAllPermission for now and that can be revised in the future when JAF team identifies the permission set required java.activation.
> Miroslav - can you confirm if the JAX-WS and JAXB standalone tests pass with this patch?
> Existing code that assumes the defining class loader of JAX-WS, JAXB, JAF classes may be impacted by this change (e.g. the class loader delegation to the bootstrap class loader skipping the extension class loader). They are standalone technologies that used to be loaded by non-null class loader before they were included in Java SE. It should be rare of such dependency. Callbacks may assume java.xml.ws and java.xml.bind classes to have AllPermissions so that when running with security manager, if the permission required for callback is not part of the permission set granted to java.xml.ws and java.xml.bind, SecurityException will be thrown. We need customer testings to identify this callback permission case and revisit if they should be granted with AllPermission for JDK 9.
Lance Andersen| Principal Member of Technical Staff | +1.781.442.2037
Oracle Java Engineering
1 Network Drive
Burlington, MA 01803
Lance.Andersen at oracle.com
More information about the core-libs-dev