On Sun, 5 May 2024 12:05:48 GMT, Raffaello Giulietti <rgiulie...@openjdk.org> wrote:

>> src/java.base/share/classes/java/util/random/RandomGeneratorFactory.java line 147:
>>
>>> 145: FactoryMapHolder.class.getModule().addUses(RandomGenerator.class);
>>> 146: return ServiceLoader
>>> 147: .load(RandomGenerator.class, ClassLoader.getPlatformClassLoader())
>>
>> SecurityManager is still a supported execution mode so you'll need to get
>> the platform class loader in a privileged block until the SM feature is
>> removed.
>
> Yes, I considered the interactions with a security manager.
>
> But here the call to `getPlatformClassLoader()` is done from a platform
> class, namely `FactoryMapHolder` itself. According to its documentation, the
> call succeeds in this case because the security manager is not even consulted.
>
> When experimenting with the following code and the default manager, as with
> `-Djava.security.manager=default`, no exceptions are thrown, neither with the
> full JDK nor with the minimal image that just includes `java.base`. There's
> only a warning about future removal of `SecurityManager`, as expected from
> JEP 411.
>
>
> import java.util.random.*;
>
> public class Foo {
>     public static void main(final String[] args) throws Exception {
>         RandomGeneratorFactory.all().forEach(g -> System.out.println(g.name()));
>         final RandomGeneratorFactory<RandomGenerator> rgf = RandomGeneratorFactory.getDefault();
>         System.out.println("Got " + rgf);
>     }
> }
>
>
> But if the call to `getPlatformClassLoader()` is done directly from an app
> loaded by the system class loader, then an exception is thrown when the
> default security manager is active.

Thanks, I'd forgotten the check in that method is caller sensitive.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/18932#discussion_r1590318688
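
The caller-sensitive check discussed in this thread, as an added example that is not part of the original messages or the JDK sources: it contrasts a direct `getPlatformClassLoader()` call from application code with the same lookup reached through `RandomGeneratorFactory`. The class name `CallerSensitiveDemo` is hypothetical, and the example assumes a JDK on which the security manager can still be enabled with `-Djava.security.manager=default`.

```java
import java.util.random.RandomGeneratorFactory;

// Added example (hypothetical class name). Run as:
//   java -Djava.security.manager=default CallerSensitiveDemo.java
public class CallerSensitiveDemo {

    // Direct call from application code. The caller's defining loader is the
    // system class loader, which is neither null nor an ancestor of the platform
    // loader, so the security manager is asked for
    // RuntimePermission("getClassLoader").
    static String directCall() {
        try {
            return "allowed: " + ClassLoader.getPlatformClassLoader();
        } catch (SecurityException e) {
            return "denied: " + e.getMessage();
        }
    }

    // Lookup through a java.base class. Whatever class loader calls the JDK
    // makes internally come from a class whose defining loader is null (the
    // boot loader), so the caller-sensitive check is skipped for them.
    static String viaPlatformClass() {
        try {
            long n = RandomGeneratorFactory.all().count();
            return "allowed: " + n + " factories found";
        } catch (SecurityException e) {
            return "denied: " + e.getMessage();
        }
    }

    @SuppressWarnings("removal") // System.getSecurityManager() is deprecated for removal
    public static void main(String[] args) {
        System.out.println("security manager active: "
                + (System.getSecurityManager() != null));
        // null here means "defined by the boot loader", the case the check exempts.
        System.out.println("loader of RandomGeneratorFactory: "
                + RandomGeneratorFactory.class.getClassLoader());
        System.out.println("loader of this class: "
                + CallerSensitiveDemo.class.getClassLoader());
        System.out.println("direct call        -> " + directCall());
        System.out.println("via platform class -> " + viaPlatformClass());
    }
}
```

With the default policy the direct call is expected to be denied while the lookup through `RandomGeneratorFactory` succeeds; without the `-Djava.security.manager` option both succeed.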