On Sun, 5 May 2024 12:05:48 GMT, Raffaello Giulietti <rgiulie...@openjdk.org>
wrote:
>> src/java.base/share/classes/java/util/random/RandomGeneratorFactory.java
>> line 147:
>>
>>> 145:
>>> FactoryMapHolder.class.getModule().addUses(RandomGenerator.class);
>>> 146: return ServiceLoader
>>> 147: .load(RandomGenerator.class,
>>> ClassLoader.getPlatformClassLoader())
>>
>> SecurityManager is still a supported execution mode so you'll need to get
>> the platform class loader in a privileged block until the SM feature is
>> removed.
>
> Yes, I considered the interactions with a security manager.
>
> But here the call to `getPlatformClassLoader()` is done from a platform
> class, namely `FactoryMapHolder` itself. According to its documentation, the
> call succeeds in this case because the security manager is not even consulted.
>
> When experimenting with the following code and the default manager, as with
> `-Djava.security.manager=default`, no exceptions are thrown, neither with the
> full JDK nor with the minimal image that just includes `java.base`. There's
> only a warning about future removal of `SecurityManager`, as expected from
> JEP 411.
>
>
> import java.util.random.*;
>
> public class Foo {
> public static void main(final String[] args) throws Exception {
> RandomGeneratorFactory.all().forEach(g ->
> System.out.println(g.name()));
> final RandomGeneratorFactory<RandomGenerator> rgf =
> RandomGeneratorFactory.getDefault();
> System.out.println("Got " + rgf);
> }
> }
>
>
> But if the call to `getPlatformClassLoader()` is done directly from an app
> loaded by the system class loader, then an exception is thrown when the
> default security manager is active.
Thanks, I'd forgotten the check in that method is caller sensitive.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18932#discussion_r1590318688
