On 4/22/14 2:54 PM, Bernd Eckenfels wrote:
Hello,
I do like to restrict the permissions granted, especially for client
deployments.
in a related note: why is JavaFX shipped by default as an extension?
JavaFX is coinstalled with Oracle JDK and not in the OpenJDK. I will
take out jfxrt.jar from the java.policy and the build should augment the
system java.policy with any cobundled/coinstalled components.
Thanks for bringing up this question. I missed to mention the open
question to follow up how we want to build the system java.policy.
There are platform-specific jar file and also different jar files in
Oracle JDK build. I currently list them all in java.policy in this
initial patch. One solution is to have one version of java.policy for
each OS. However this will suffer from the maintenance burden and also
error-prone as the current java.security file. I'd like to get the
feedback from the security team before attempting to modify the makefiles.
Or better asked, how is the admin in the future supposed to maintain a
minimum JRE? Randomly deleting extension jars? Would it be better to
ship the JAR only in a dir where they CAN be added to the classpath,
but are not by default (similiar to javadb/derby).
Jigsaw/Modularity would be the answer and that will allow you to install
the modules you want.
JFX is not built with OpenJDK. Are you questioning why JavaFX is
coinstalled with Oracle JDK?
Mandy
Gruss
Bernd
Am Tue, 22 Apr 2014 12:39:57 -0700
schrieb Mandy Chung <mandy.ch...@oracle.com>:
This change proposes to remove granting all permissions for
extensions as the default and implements the principle of least
privilege.In JDK 9, we want to reduce the privileges of as many
system classes as possible.
http://cr.openjdk.java.net/~mchung/jdk9/webrevs/8040059/webrev.00/
This patch has reduced the zipfs, localedata and cldrdata to grant
the permissions they require. It grants AllPermission to other jar
files in the lib/ext directory shipped with JDK and this change is
intended to enable the component teams to identify the minimum
permissions and fix any issue, if any.
Libraries installed in the extensions directory depending on
AllPermission granted by default are impacted. Making this change
as early in JDK 9 allows us to identify any customer impacted by this
change.
Mandy
