On 14/06/2017 16:11, Mandy Chung wrote:
http://cr.openjdk.java.net/~mchung/jdk9/webrevs/8182137/webrev.00/
java.xml.bind and java.xml.ws modules are deprivileged and granted with specific
permissions since jdk-9+51. JAXB and JAX-WS tests were ran and found no regressions when
security manager is enabled. It is recently uncovered that FilePermission is missing
from JAXB and RuntimePermission("createClassLoader") is missing from JAX-WS.
We have uncovered that the test policy file used by JAXB and JAX-WS tests grant
permissions to the default code source that masks this problem.
At this late stage in JDK 9, we propose to grant java.xml.bind and
java.xml.bind with AllPermissions which is same as JDK 8. These modules are
still deprivileged and defined to the platform class loader.
Sigh, this is sad as there was a lot of effort put in by the EE folks to
get this code running with reduced permissions. Hopefully the tests can
be fixed and this issue revised some day. The changes look okay for now.
In passing, can the jdk.incurbator.httpclient be dropped from the policy
file as it is not granted any permissions.
-Alan
