> On Jun 14, 2017, at 8:18 AM, Alan Bateman <alan.bate...@oracle.com> wrote:
>
> On 14/06/2017 16:11, Mandy Chung wrote:
>> http://cr.openjdk.java.net/~mchung/jdk9/webrevs/8182137/webrev.00/
>>
>> java.xml.bind and java.xml.ws modules are deprivileged and granted with
>> specific permissions since jdk-9+51. JAXB and JAX-WS tests were run and
>> found no regressions when security manager is enabled. It was recently
>> uncovered that FilePermission is missing from JAXB and
>> RuntimePermission("createClassLoader") is missing from JAX-WS. We have
>> uncovered that the test policy file used by JAXB and JAX-WS tests grants
>> permissions to the default code source that masks this problem.
>>
>> At this late stage in JDK 9, we propose to grant java.xml.bind and
>> java.xml.bind with AllPermissions which is the same as JDK 8. These modules are
>> still deprivileged and defined to the platform class loader.
>>
> Sigh, this is sad as there was a lot of effort put in by the EE folks to get
> this code running with reduced permissions. Hopefully the tests can be fixed
> and this issue revised some day. The changes look okay for now.

I wish this was uncovered earlier. I have suggested that the team run the tests with the fixed test policy and identify the complete set of permissions.

> In passing, can the jdk.incubator.httpclient be dropped from the policy file
> as it is not granted any permissions.

This is what I was about to check: why this entry was added in the first place, before I drop it. It should not be needed. Anyone who wants to grant permissions to jdk.incubator.httpclient can add them to java.policy.

Mandy