Summary

Specify the protected PermissionCollection getPermissions(CodeSource codesource) method on java.net.URLClassLoader to return an empty java.security.PermissionCollection.

Problem

The protected getPermissions() method on URLClassLoader was specified to return a java.security.PermissionCollection with permissions applicable for the given java.security.CodeSource, in addition to the permissions returned by super.getPermissions(). JEP 486 (https://openjdk.org/jeps/486) permanently disabled the SecurityManager implementation. With the SecurityManager no longer available, the Permissions returned by getPermissions() method are no longer relevant.

Solution

The URLClassLoader.getPermissions(CodeSource) method will be specified to return an empty PermissionCollection. A consequence of this change is that any Class loaded by an URLClassLoader will now have a java.security.ProtectionDomain with empty PermissionCollection. Thus Class.getProtectionDomain().getPermissions() will now return an empty PermissionCollection for such classes.

Specification

Any Class loaded by a URLClassLoader will have its ProtectionDomain return an empty PermissionCollection.

Additionally, the URLClassLoader.getPermissions() will be specified as follows:

src/java.base/share/classes/java/net/URLClassLoader.java
/**
 * {@return an {@linkplain PermissionCollection empty Permission collection}}
 *
 * @param codesource the {@code CodeSource}
 * @throws NullPointerException if {@code codesource} is {@code null}.
 */
@Override
protected PermissionCollection getPermissions(CodeSource codesource) {
    Objects.requireNonNull(codesource);
    return new Permissions();
}