JDK-8159752 : Grant de-privileged module permissions by default with java.security.policy override option
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 9
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2016-06-16
  • Updated: 2019-03-19
  • Resolved: 2016-07-29
JDK 9: 9 b130 (Fixed)
Sub Tasks
JDK-8161307
Description
JDK-8040059 changes the default policy for the deprivileged modules (those defined to the platform class loader) to enable granting specific permissions rather than AllPermission.

Setting -Djava.security.policy==override.policy with a double equals sign overrides the system security policy, which may not work in JDK 9 if the application uses any deprivileged modules.

WebLogic tests happen to override the security policy with double equals, while it is unclear whether it is intended to override rather than augment.

This issue is created to re-evaluate the compatibility risk for JDK-8040059. The platform class loader only defines JDK modules and JavaFX modules. One reasonable change may be to separate the security policy for the system modules from ${JAVA_HOME}/conf/security/java.policy. It should always grant the policy for the system modules unless the same code source is specified in java.policy (either the system-wide one or the one specified in the java.security.policy system property).
Comments
One possible approach is to modularize java.policy. Each module can contain src/$MODULE/share/conf/security/java.policy or src/$MODULE/$OS/conf/security/java.policy. It should only contain the entry for that module. It will be included in the JMOD file. At link time, they should be concatenated to create $JAVA_HOME/conf/security/java.policy - this will solve the problem with the image's java.policy containing extra entries. During exploded build, it can generate $JAVA_HOME/conf/security/java.policy (not part of any JMOD file) by concatenating java.policy for all modules with patching the code source to replace "jrt:" with "${java.home}/lib/modules/" something. At runtime, for the non-override case, ${JAVA_HOME}/conf/security/java.policy will be read. For the override case -Djava.security.policy==<override.policy>, <override.policy> will be read first. It then uses ModuleReader to read $MODULE/conf/security/java.policy from the image and parse them in the same way as the augmenting case, if no such code source is specified in <override.policy>.
17-06-2016
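The resolution rule proposed in the description and the comment above, modelled in Python as an added example (it is not JDK code or part of the original report). The function names, module names and permissions are constructed for illustration, and the parser handles only the `grant [codeBase "..."] { permission ...; };` subset of policy-file syntax.

```python
import re

# Policy-file syntax: grant [codeBase "url"] { permission ...; };
GRANT_RE = re.compile(r'grant(?:\s+codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([^;]+);')

def parse_policy(text):
    """Return {codeBase (None for a bare grant): set of permission strings}."""
    grants = {}
    for code_base, body in GRANT_RE.findall(text):
        perms = {" ".join(p.split()) for p in PERM_RE.findall(body)}
        grants.setdefault(code_base or None, set()).update(perms)
    return grants

def effective_policy(module_defaults, system_policy, user_policy, override):
    """Model of the proposal. override=True is `==`: the system-wide
    java.policy is skipped. Module defaults are added in both modes,
    except for a code source already named in a policy file that was read."""
    merged = {}
    for text in ([user_policy] if override else [system_policy, user_policy]):
        for code_base, perms in parse_policy(text).items():
            merged.setdefault(code_base, set()).update(perms)
    for code_base, perms in parse_policy(module_defaults).items():
        if code_base not in merged:  # not specified in java.policy: keep default
            merged[code_base] = set(perms)
    return merged

# Constructed sample policies (module names and permissions are made up).
MODULE_DEFAULTS = '''
grant codeBase "jrt:/example.mod.a" {
    permission java.lang.RuntimePermission "loadLibrary.exa";
};
grant codeBase "jrt:/example.mod.b" {
    permission java.util.PropertyPermission "example.*", "read";
};'''
SYSTEM_POLICY = 'grant { permission java.util.PropertyPermission "java.version", "read"; };'
OVERRIDE_POLICY = '''
grant codeBase "file:/app/-" {
    permission java.io.FilePermission "/app/data/-", "read";
};
grant codeBase "jrt:/example.mod.b" {
    permission java.util.PropertyPermission "example.name", "read";
};'''

if __name__ == "__main__":
    for mode in (False, True):
        print("override" if mode else "augment",
              effective_policy(MODULE_DEFAULTS, SYSTEM_POLICY, OVERRIDE_POLICY, mode))
```

In the override case the bare system-wide grant disappears, `example.mod.a` keeps its default grant, and `example.mod.b` gets only what the override file gives it, which is the narrowing an administrator should expect when naming a module's code source explicitly.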