JDK-6899533 : SecureClassLoader and URLClassLoader have unnecessary check for createClassLoader permission
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2009-11-09
  • Updated: 2018-09-18
  • Resolved: 2018-09-07
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 12
12 b11Fixed
Related Reports
Blocks :  
Blocks :  
Duplicate :  
SecurityClassLoader and URLClassLoader have unnecessary security checks.

protected SecureClassLoader() {
    // this is to make the stack depth consistent with 1.1
    SecurityManager security = System.getSecurityManager();
    if (security != null) {
    initialized = true;

1.1 security managers are no longer supported (see JDK-8186535). The permission check is done by the super class, ClassLoader. The initialized flag and associated code can also be removed -- this was only necessary before JDK 6 (see JSCG 4-5 for more info).
The seemingly-redundant check is needed by 1.1 SecurityManager implementations. APIs for 1.1 Security Manager are deprecated and will be removed in next release (jdk10). So, we will defer this and remove these checks as soon as the 1.1 SecurityManager APIs are removed.