Review Request: JDK-8182137: Missing permissions in deprivileged java.xml.bind and modules

Sean Mullan sean.mullan at
Wed Jun 14 15:28:39 UTC 2017

Looks fine to me. The bug needs a noreg label. I agree with Alan that 
the empty jdk.incubator.httpclient entry should be removed.

Also, please open a followon issue to fix the permissions (targeting it 
to 10 would seem appropriate to me).


On 6/14/17 11:11 AM, Mandy Chung wrote:
> java.xml.bind and modules are deprivileged and granted with specific permissions since jdk-9+51.  JAXB and JAX-WS tests were ran and found no regressions when security manager is enabled.  It is recently uncovered that FilePermission is missing from JAXB and RuntimePermission("createClassLoader") is missing from JAX-WS.  We have uncovered that the test policy file used by JAXB and JAX-WS tests grant permissions to the default code source that masks this problem.
> At this late stage in JDK 9, we propose to grant java.xml.bind and java.xml.bind with AllPermissions which is same as JDK 8.  These modules are still deprivileged and defined to the platform class loader.
> Mandy

More information about the core-libs-dev mailing list