Thanks Mandy, replies inline... ----- Original message ----- > > > On 3/21/2015 5:12 AM, Peter Firmstone wrote: > > Just wondering, with the removal of the extensions directory, what's > > the correct way of specifying a policy provider? > > > > We currently have a number of nested policy providers that are loaded > > by the extension classloader. > > Do you set the custom policy provider by setting -Dpolicy.provider > system property?
Yes, and also defining the extension dirs property. Our providers pre date the SPI mechanism; they have additional methods for dynamic permission grants, so can't use the spi unfortunately. > > One suggested way is to put the providers on -classpath and loaded > by the application class loader. I haven't tried it yet; our providers were written by Sun, the same people that worked on the JVM. I suspect the reason for using the extension classloader was to avoid circular execution paths that cause stack overflow errors. I'll give the application classloader a shot and get back to you. P.S. Our providers don't use CodeSource.implies, we have other mechanisms that use RFC3986 compliant URI; so we already have compatibility with the new jrt URL scheme. The new jrt scheme will also benefit our software by removing local file paths from class resolution. > > There are some SPIs that need adjustment to support loading the > providers by the application class loader and the policy SPI > should also be updated in JDK 9. I'm including the security lead > Sean Mullan to recommend other ways. > > Mandy >