On 15/02/2017 16:01, Daniel Fuchs wrote:
In that specific case it's not java.base that depends
on java.security.jgss, but the application itself.
So I would expect the application code to either require
java.security.jgss, or some higher level module for that
itself requires java.security.jgss, or jlink to be run with
command line options that explicitly add java.security.jgss
to the image.
java.security.jgss exports an API so it will be resolved by default when
the initial class is loaded from the class path. In addition, it
provides a SecurityProvider implementation and so will be resolved
because java.base `uses java.security.Provider`. For the jlink case then
you are right, it needs someone to know that the application might need
to do SPNEGO authentication.
In any case, it's an example of how not to do things, and hopefully it
will be cleaned up at some point.
-Alan
