8013415: Changes for JDK-8005523 requires updates to refs.allowed

Chris Hegarty chris.hegarty at oracle.com
Mon Apr 29 08:51:38 UTC 2013

Thanks for the explanation, it makes reviewing much easier.

I can see the additional types in the changeset for 8005523, so it looks 
good to me.

If possible, it would be nice if that anyone touching source that 
effects jsse.jar could also check the profiles target. That said, I 
wasn't aware of this dependency until now. Anyway, I think you're right 
Alan, it remains to be seen how much of a chore this becomes.


On 28/04/2013 22:04, Alan Bateman wrote:
> I need a reviewer for a small update to the "refs.allowed" file used by
> the dependency checking tool in the profiles build.
> To re-cap, the profiles build does not subset jsse.jar even though there
> is JSSE code that references Kerberos classes that do not exist in
> compact1 and compact2 builds. These references aren't a problem at
> runtime because the support for Kerberos cipher suites is predicated on
> Kerberos being present. However for static analysis tools (including
> CheckDeps) then it means there are references to Kerberos clsses that do
> not exist. To avoid the tool flagging these references and failing the
> build, the tool has refs.allowed to allow for a small set of "allowed
> references". To date we have not needed to touch this but the recent
> push of 8005523 to jdk8/tl/jdk introduces new references that are
> currently causing the profiles build to fail.
> It remains to seen whether maintaining this list will be maintenance
> chore. If it proves to be then we may just have to do something special
> for jsse.jar to avoid needing to update the file when new dependencies
> are introduced. For now I propose to just update refs.allowed to get the
> profile build working again. The proposed diffs are attached.
> -Alan
> diff --git a/make/tools/src/build/tools/deps/refs.allowed
> b/make/tools/src/build/tools/deps/refs.allowed
> --- a/make/tools/src/build/tools/deps/refs.allowed
> +++ b/make/tools/src/build/tools/deps/refs.allowed
> @@ -13,10 +13,11 @@
> javax.security.auth.kerberos.KerberosKey=sun.security.ssl.krb5.KerberosClientKeyExchangeImpl,sun.security.ssl.krb5.Krb5ProxyImpl,compact1,compact2
> javax.security.auth.kerberos.KerberosPrincipal=sun.security.ssl.krb5.KerberosClientKeyExchangeImpl,sun.security.ssl.krb5.Krb5ProxyImpl,compact1,compact2
> javax.security.auth.kerberos.KerberosTicket=sun.security.ssl.krb5.KerberosClientKeyExchangeImpl,sun.security.ssl.krb5.KerberosClientKeyExchangeImpl,compact1,compact2
> +javax.security.auth.kerberos.KeyTab=sun.security.ssl.krb5.Krb5ProxyImpl,compact1,compact2
> javax.security.auth.kerberos.ServicePermission=sun.security.ssl.krb5.KerberosClientKeyExchangeImpl,sun.security.ssl.krb5.Krb5ProxyImpl,compact1,compact2
> sun.security.jgss.GSSCaller=sun.security.ssl.krb5.KerberosClientKeyExchangeImpl,sun.security.ssl.krb5.Krb5ProxyImpl,compact1,compact2
> sun.security.jgss.krb5.Krb5Util=sun.security.ssl.krb5.KerberosClientKeyExchangeImpl,sun.security.ssl.krb5.Krb5ProxyImpl,compact1,compact2
> -sun.security.jgss.krb5.ServiceCreds=sun.security.ssl.krb5.Krb5ProxyImpl,compact1,compact2
> +sun.security.jgss.krb5.ServiceCreds=sun.security.ssl.krb5.Krb5ProxyImpl,sun.security.ssl.krb5.KerberosClientKeyExchangeImpl,compact1,compact2
> sun.security.krb5.EncryptedData=
> sun.security.ssl.krb5.KerberosPreMasterSecret,sun.security.ssl.krb5.KerberosClientKeyExchangeImpl,compact1,compact2
> sun.security.krb5.EncryptionKey=sun.security.ssl.krb5.KerberosPreMasterSecret,sun.security.ssl.krb5.KerberosClientKeyExchangeImpl,compact1,compact2
> sun.security.krb5.internal.crypto.KeyUsage=sun.security.ssl.krb5.KerberosPreMasterSecret,sun.security.ssl.krb5.KerberosClientKeyExchangeImpl,compact1,compact2

More information about the build-dev mailing list