The "stopThread” RuntimePermission is granted by default. The Thread.stop methods have been deprecated for more than 15 years. It seems reasonable, in a major release, to remove the default grant of stopThread. diff --git a/src/java.base/share/conf/security/java.policy b/src/java.base/share/conf/security/java.policy --- a/src/java.base/share/conf/security/java.policy +++ b/src/java.base/share/conf/security/java.policy @@ -94,17 +94,6 @@ // default permissions granted to all domains grant { - // Allows any thread to stop itself using the java.lang.Thread.stop() - // method that takes no argument. - // Note that this permission is granted by default only to remain - // backwards compatible. - // It is strongly recommended that you either remove this permission - // from this policy file or further restrict it to code sources - // that you specify, because Thread.stop() is potentially unsafe. - // See the API specification of java.lang.Thread.stop() for more - // information. - permission java.lang.RuntimePermission "stopThread"; - As a result of this change, untrusted code calling Thread.stop will throw a SecurityException, as it will not have the required permission. The solution, from the deployers perspective, is to add "stopThread” RuntimePermission to the policy file.
-Chris.