If com.sun.corba.se.impl packages are to be restricted, then a review of all calling sites into such packages needs to be carried out. The initial attempt (JDK-8000450) was unsuccessful. JCK testing found issue when security manager was installed.
The original ORB.init issue can be resolved easily but that fix highlighted more issues :
java.lang.NoClassDefFoundError: Could not initialize class com.sun.corba.se.impl.ior.iiop.MaxStreamFormatVersionComponentImpl
Each call creating a new instance of com.sun.corba.se.impl.* objects needs to be checked. Once that code is corrected, we can add the private com.sun.corba.se.impl.* packages to the restricted list.
currently looking at restricting com.sun.corba.**, as suggested by Alan
modified ORB.init to only use reflection for "external" ORB class, and instantiate
SE ORB class directly. javax.rmi.CORBA.Util delegate also instantiates the
SE default delegate directly. Reflection used only for "external" delegate class.
JCK (org_omg, jaxa_rmi, javax_rmi, javax_naming, javax_management) look ok,
currently running the CORBA test suite.
SQE completed PIT testing with the 7u-CPU nightly build:
No new failures. SQE OK to take the fix into CPU14_01.
Date: 2013-11-05 20:13:31 +0000
Date: 2013-11-05 21:09:17 +0000