If com.sun.corba.se.impl packages are to be restricted, then a review of all calling sites into such packages needs to be carried out. The initial attempt (JDK-8000450) was unsuccessful. JCK testing found issue when security manager was installed.
The original ORB.init issue can be resolved easily but that fix highlighted more issues :
i.e :
java.lang.NoClassDefFoundError: Could not initialize class com.sun.corba.se.impl.ior.iiop.MaxStreamFormatVersionComponentImpl
at com.sun.corba.se.spi.ior.iiop.IIOPFactories.makeMaxStreamFormatVersionComponent(IIOPFactories.java:174)
at com.sun.corba.se.impl.transport.SocketOrChannelAcceptorImpl.addToIORTemplate(SocketOrChannelAcceptorImpl.java:361)
at com.sun.corba.se.impl.transport.CorbaTransportManagerImpl.addToIORTemplate(CorbaTransportManagerImpl.java:238)
==
Each call creating a new instance of com.sun.corba.se.impl.* objects needs to be checked. Once that code is corrected, we can add the private com.sun.corba.se.impl.* packages to the restricted list.