On Wed, Feb 15, 2017 at 5:16 PM, Alan Bateman <alan.bate...@oracle.com> wrote: > On 15/02/2017 16:01, Daniel Fuchs wrote: > >> >> In that specific case it's not java.base that depends >> on java.security.jgss, but the application itself. >> >> So I would expect the application code to either require >> java.security.jgss, or some higher level module for that >> itself requires java.security.jgss, or jlink to be run with >> command line options that explicitly add java.security.jgss >> to the image. > > java.security.jgss exports an API so it will be resolved by default when the > initial class is loaded from the class path. In addition, it provides a > SecurityProvider implementation and so will be resolved because java.base > `uses java.security.Provider`. For the jlink case then you are right, it > needs someone to know that the application might need to do SPNEGO > authentication. > > In any case, it's an example of how not to do things, and hopefully it will > be cleaned up at some point. >
Daniel, Alan, thanks for the clarification. I didn't wanted to blame anybody - just looking for good arguments to prevent such code in our version of the JDK :) > -Alan > >