JDK-8098169 : Add lib/ext/jfxrt.jar to java.policy file
  • Type: Enhancement
  • Component: javafx
  • Sub-Component: build
  • Affected Version: 9
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2014-04-25
  • Updated: 2015-06-17
  • Resolved: 2014-05-09
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 8 JDK 9
8u20Fixed 9Fixed
Related Reports
Relates :  
JDK-8092808 - Wrong filenames in javafx-java.policy file for embedded
Relates :  
JDK-8088252 - Fix SandBoxAppTest unit test to work with XPatch
Description
The default security policy for jar files in lib/ext is changing in JDK 9 to not grant all permisisons by default. See https://bugs.openjdk.java.net/browse/JDK-8040059 for more details.

In order for the JavaFX runtime to continue to run when a security manager is present, we will need to add the following to the java.policy file in the JRE at build time:

grant codeBase "file:${java.home}/lib/ext/jfxrt.jar" {
        permission java.security.AllPermission;
};
Comments
I also filed the following bug to fix the unit tests which will start failing once we run our build / test with JDK 9 (which won't be for a while): RT-37056.
09-05-2014
The javafx-java.policy file was delivered in FX 9-b12 (and also 8u20-b13, since we have a shared codebase, but the file is unused in 8u20). I have filed the following follow-up issues to modify the JDK build to pick up the new file and append its contents to java.policy: https://bugs.openjdk.java.net/browse/JDK-8042869 https://bugs.openjdk.java.net/browse/JDK-8042868 Additionally, I have filed the following bug to correct the contents of the file for embedded builds: RT-37055
09-05-2014
The changeset above looks fine. Approved.
05-05-2014
I will also file a follow-on issue to fix the sandbox.SandboxAppTest unit test, which will start failing in JDK 9 after this change goes in (we can wait to fix it until then, since this only affects our nightly system tests, which are currently run only manually).
04-05-2014
I pushed a changeset to 8u/dev to add a javafx-java.policy file to the export bundles, which contains the additional entry to java.policy to grant all permissions to jfxrt.jar This will be propagated to next week's 8u20 and 9 FX builds. The following still needs to be done (in 9 only). 1) Changes are needed on the RE side to make this file available to the java build. 2) The java install Makefile will need to take this file and concatenate it to lib/security/java.policy at build time. I will file new JIRA issues for these on Monday.
04-05-2014
Note that we will also likely need to modify some of our unit tests that run with a security manager installed. Some of them use -Djava.ext.dirs= to run a jfxrt.jar file from the FX build, so we will need to add a policy file entry with the correct path to the jar file in order to run these tests.
01-05-2014