Review Request: JDK-8182137: Missing permissions in deprivileged java.xml.bind and modules

Mandy Chung mandy.chung at
Wed Jun 14 15:30:16 UTC 2017

> On Jun 14, 2017, at 8:18 AM, Alan Bateman <Alan.Bateman at> wrote:
> On 14/06/2017 16:11, Mandy Chung wrote:
>> java.xml.bind and modules are deprivileged and granted with specific permissions since jdk-9+51.  JAXB and JAX-WS tests were ran and found no regressions when security manager is enabled.  It is recently uncovered that FilePermission is missing from JAXB and RuntimePermission("createClassLoader") is missing from JAX-WS.  We have uncovered that the test policy file used by JAXB and JAX-WS tests grant permissions to the default code source that masks this problem.
>> At this late stage in JDK 9, we propose to grant java.xml.bind and java.xml.bind with AllPermissions which is same as JDK 8.  These modules are still deprivileged and defined to the platform class loader.
> Sigh, this is sad as there was a lot of effort put in by the EE folks to get this code running with reduced permissions. Hopefully the tests can be fixed and this issue revised some day. The changes look okay for now.

I wish this was uncovered earlier.

I have suggested the team to run the tests with the fixed test policy and identify the complete set of permissions.

> In passing, can the jdk.incurbator.httpclient be dropped from the policy file as it is not granted any permissions.

This is what I was about to check why this entry was added in the first place before I drop it.  It should not be needed.  Any one wants to grant permissions to jdk.incubator.httpclient can add to java.policy.


More information about the core-libs-dev mailing list