Hi Sean,

Sorry I've confused you.

What I should have said is a ProtectionDomain with a null CodeSource.

What I mean to ask is, where ProtectionDomain is created with a null CodeSource, in Class::getProtectionDomain() can we have CodeSources that represent system modules instead of null?

A CodeSource with URLs like jrt:/jdk.* or jrt:/java.* for system modules?

Hopefully my comments below will make a little more sense now.

Regards,

Peter.

On 10/06/2021 1:07 am, Sean Mullan wrote:


On 6/8/21 9:35 PM, Peter Firmstone wrote:
I would also like to request that all JDK modules be given ProtectionDomains following SecurityManager deprecation. Currently some modules have null ProtectionDomains to show they have AllPermission. However, we don't grant AllPermission to code in practice; we like to grant certain Permissions to Principals, not code, where the Principal is the source of data, indicating the user has been authenticated, and we only grant what's necessary and no more.

As described in JEP 411, there are no plans to deprecate ProtectionDomain at this time.

--Sean
