Review request 8057645: Deprivilege JAX-WS, JAXB, JAF to extension class loader

Mandy Chung mandy.chung at
Mon Jan 26 19:23:17 UTC 2015

This patch proposes to move, java.xml.bind, java.activation 
out of the boot loader and be loaded by the extension class loader.  We 
grant and java.xml.bind the minimum set of permissions.  
java.activation has AllPermission for now and that can be revised in the 
future when the JAF team identifies the permission set required by java.activation.

Miroslav - can you confirm if the JAX-WS and JAXB standalone tests pass 
with this patch?

Existing code that assumes the defining class loader of JAX-WS, JAXB, 
JAF classes may be impacted by this change (e.g. the class loader 
delegation to the bootstrap class loader skipping the extension class 
loader).  They are standalone technologies that used to be loaded by a 
non-null class loader before they were included in Java SE.  Such a 
dependency should be rare. Callbacks may assume and 
java.xml.bind classes to have AllPermissions so that when running with 
security manager, if the permission required for callback is not part of 
the permission set granted to and java.xml.bind, 
SecurityException will be thrown.  We need customer testing to identify 
this callback permission case and revisit if they should be granted with 
AllPermission for JDK 9.
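
The callback permission case described above, modelled as an added example (this is not code from the patch or from the JDK). A permission check passes only if every protection domain on the call stack implies the permission, so a callback that worked while the library frames had AllPermission fails once the library's domain is reduced. The permission sets and the file path are constructed for illustration, since the page does not list the set the patch grants, and the model assumes a JDK release that still enforces these checks.

```java
import java.io.FilePermission;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

@SuppressWarnings("removal")
public class CallbackPermissionDemo {

    // A domain with a fixed permission set; the installed policy is not consulted.
    static ProtectionDomain domain(Permission... granted) {
        Permissions perms = new Permissions();
        for (Permission p : granted) perms.add(p);
        return new ProtectionDomain(new CodeSource(null, (Certificate[]) null), perms);
    }

    // Models the stack walk: the check passes only if every domain implies 'needed'.
    static boolean allowed(Permission needed, ProtectionDomain... stack) {
        try {
            new AccessControlContext(stack).checkPermission(needed);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed: what the application's callback needs, and is granted by policy.
        Permission needed = new FilePermission("/tmp/callback.log", "write");
        ProtectionDomain app = domain(needed);
        // Library frames while defined by the boot loader: effectively AllPermission.
        ProtectionDomain libBoot = domain(new AllPermission());
        // Library frames after the move: a constructed, minimal placeholder set.
        ProtectionDomain libExt = domain(new PropertyPermission("example.*", "read"));

        // Stack = application callback invoked from library code.
        System.out.println("library with AllPermission: " + allowed(needed, app, libBoot));
        System.out.println("library deprivileged:       " + allowed(needed, app, libExt));
        // A callback that wraps its own work in AccessController.doPrivileged
        // stops the walk at its own frame, so only its domain is checked.
        System.out.println("callback uses doPrivileged: " + allowed(needed, app));
    }
}
```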


More information about the core-libs-dev mailing list