Summary

java.net.URLClassLoader will no longer support the jdk.net.URLClassPath.disableRestrictedPermissions system property.

Problem

URLClassLoader uses a list of java.net.URLs for finding and loading classes. These URLs are provided by an application when constructing the URLClassLoader. When finding and loading a Class from any of these URLs, the internal implementation of the URLClassLoader, in the presence of a SecurityManager, used to perform security checks against those URLs. A failed security check would raise an exception during the loading of a Class.

In Java 9, a JDK specific system property was introduced named jdk.net.URLClassPath.disableRestrictedPermissions. This system property hasn't been documented and is unspecified.

In the implementation of URLClassLoader, this system property was used to decide the type of the exception that would be raised when class loading fails due to a SecurityException raised by the SecurityManager implementation. By default, when not set, the URLClassLoader would throw the java.lang.ClassNotFoundException for such failures. To support some older installations and for backward compatibility, the system property could be set by applications to a value "true" or an empty string to indicate that java.lang.SecurityException should be thrown instead of the ClassNotFoundException. The sole purpose of this system property was to support the unlikely case where existing applications were expecting a SecurityException for such cases.

With the removal of SecurityManager implementation, this system property is no longer relevant.

Solution

The URLClassLoader will no longer look for or support the jdk.net.URLClassPath.disableRestrictedPermissions system property. As a result, this system property will no longer play any role in the exception type of the exception that gets raised when a class cannot be loaded by the URLClassLoader.

Specification

None.