JDK-8021257 : com.sun.corba.se.** should be on restricted package list
  • Type: Bug
  • Component: other-libs
  • Sub-Component: corba
  • Affected Version: 7-pool,8
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2013-07-24
  • Updated: 2017-05-17
  • Resolved: 2013-10-22
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
Other Other JDK 6 JDK 7 JDK 8
5.0u61Fixed 5.0u65Fixed 6u71Fixed 7u51Fixed 8 b115Fixed
Related Reports
Relates :  
JDK-8000450 - Restrict access to com/sun/corba/se/impl package.
Relates :  
JDK-8028215 - ORB.init fails with SecurityException if properties select the JDK default ORB
Description
If com.sun.corba.se.impl packages are to be restricted, then a review of all calling sites into such packages needs to be carried out. The initial attempt (JDK-8000450) was unsuccessful. JCK testing found issue when security manager was installed. 

The original ORB.init issue can be resolved easily but that fix highlighted more issues : 
i.e : 
java.lang.NoClassDefFoundError: Could not initialize class com.sun.corba.se.impl.ior.iiop.MaxStreamFormatVersionComponentImpl
    at com.sun.corba.se.spi.ior.iiop.IIOPFactories.makeMaxStreamFormatVersionComponent(IIOPFactories.java:174)
    at com.sun.corba.se.impl.transport.SocketOrChannelAcceptorImpl.addToIORTemplate(SocketOrChannelAcceptorImpl.java:361)
    at com.sun.corba.se.impl.transport.CorbaTransportManagerImpl.addToIORTemplate(CorbaTransportManagerImpl.java:238)

==

Each call creating a new instance of com.sun.corba.se.impl.* objects needs to be checked. Once that code is corrected, we can add the private com.sun.corba.se.impl.* packages to the restricted list.
Comments
SQE completed PIT testing with the 7u-CPU nightly build: http://st2.ru.oracle.com/StatusTool2/faces/queryresult2.jsp?matrix_id=1000027128 No new failures. SQE OK to take the fix into CPU14_01.
01-11-2013
currently looking at restricting com.sun.corba.**, as suggested by Alan modified ORB.init to only use reflection for "external" ORB class, and instantiate SE ORB class directly. javax.rmi.CORBA.Util delegate also instantiates the SE default delegate directly. Reflection used only for "external" delegate class. JCK (org_omg, jaxa_rmi, javax_rmi, javax_naming, javax_management) look ok, currently running the CORBA test suite.
14-10-2013