JDK-8040059 : Change default policy for extensions to no permission
  • Type: Enhancement
  • Component: security-libs
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2014-04-13
  • Updated: 2017-05-17
  • Resolved: 2014-05-09
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 9
9 b14Fixed
Related Reports
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Description
This RFE proposes to remove granting all permissions for extensions (principle of least privilege).  Also in JDK 9, we want to separate the privileges of as many system classes as possible.

Permissions for each JAR file shipped in the JDK's extension directory will be explicitly granted with all permission initially.  This will allow each component team to identify minimum permissions required by each component and update the java.policy file accordingly.   New tests will possibly be developed in this privilege separation effort.

The default policy for extensions is configured in the java.policy and it's granted with all permissions by default as specified in: http://docs.oracle.com/javase/8/docs/technotes/guides/extensions/spec.html.  Customers installing libraries on extensions that require all permissions will need to update the java.policy for JDK 9 to explicitly specify that.
Comments
I filed https://javafx-jira.kenai.com/browse/RT-36848 to track adding an entry for jfxrt.jar in the java.policy file so JavaFX application will continue to run with a security manager.
25-04-2014