JDK-8210617 : Standalone javafx modules no longer have permissions by default
  • Type: Bug
  • Component: javafx
  • Sub-Component: other
  • Affected Version: openjfx11
  • Priority: P3
  • Status: Closed
  • Resolution: Not an Issue
  • Submitted: 2018-09-11
  • Updated: 2022-11-01
  • Resolved: 2018-09-11
Related Reports
Relates :  
JDK-8210622 - Release Note: Swing interop fails when run with a security manager with standalone SDK
Relates :  
JDK-8198329 - Support FX build / test using JDK that doesn't include javafx.* modules
Relates :  
JDK-8202451 - Swing interop fails when run with a security manager with standalone SDK
Sub Tasks
JDK-8210618 :  
Release Note: Standalone javafx modules no longer have permissions by default - Resolved
Description
The javafx.* modules are now loaded by the application class loader and no longer have permissions by default. In order for applications to run with a security manager, it is necessary to grant AllPermission to the javafx.* modules.

This is a natural consequence of the fact that the javafx.* modules are no longer part of the JDK.

Specifically, the following will fail:

java -Djava.security.manager --module-path javafx-sdk-11/lib --add-modules javafx.graphics hello.HelloRectangle

Exception in thread "main" java.lang.ExceptionInInitializerError
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at java.base/sun.launcher.LauncherHelper$FXHelper.main(LauncherHelper.java:1051)
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "javafx.verbose" "read")
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
	at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1066)
	at java.base/java.lang.System.getProperty(System.java:810)
	at java.base/java.lang.Boolean.getBoolean(Boolean.java:265)
	at javafx.graphics/com.sun.javafx.application.LauncherImpl.lambda$static$0(LauncherImpl.java:122)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at javafx.graphics/com.sun.javafx.application.LauncherImpl.<clinit>(LauncherImpl.java:121)
	... 5 more

This used to work in Oracle's JDK 10, which included javafx modules in the JDK runtime image.
Comments
This is not a bug, but is a change in behavior that is expected. Applications that want to run with a security manager enabled will need to specify a custom policy file, using "-Djava.security.policy", granting all permissions to the javafx.* modules. The custom policy file might look something like this, but using an absolute path to specify the location of the jar file. grant codeBase "file:javafx-sdk-11/lib/javafx.base.jar" { permission java.security.AllPermission; }; grant codeBase "file:javafx-sdk-11/lib/javafx.controls.jar" { permission java.security.AllPermission; }; grant codeBase "file:javafx-sdk-11/lib/javafx.fxml.jar" { permission java.security.AllPermission; }; grant codeBase "file:javafx-sdk-11/lib/javafx.graphics.jar" { permission java.security.AllPermission; }; grant codeBase "file:javafx-sdk-11/lib/javafx.media.jar" { permission java.security.AllPermission; }; grant codeBase "file:javafx-sdk-11/lib/javafx.swing.jar" { permission java.security.AllPermission; }; grant codeBase "file:javafx-sdk-11/lib/javafx.web.jar" { permission java.security.AllPermission; };
12-09-2018