changeset 25408:27563093d2d2

8043406: Change default policy for JCE providers to run with as few privileges as possible Summary: Provide default permissions for crypto providers Reviewed-by: mullan, vinnie
author valeriep
date Thu, 10 Jul 2014 22:44:58 +0000
parents 63b91a5b8d1f
children ce5485fce3d2
files jdk/src/share/classes/sun/security/jca/ProviderConfig.java jdk/src/share/lib/security/java.policy jdk/src/windows/lib/security/java.policy jdk/test/java/io/Serializable/subclassGC/security.policy jdk/test/java/lang/System/System.policy jdk/test/java/net/URLPermission/policy.1 jdk/test/java/net/URLPermission/policy.2 jdk/test/java/net/URLPermission/policy.3 jdk/test/java/nio/charset/spi/default-pol jdk/test/java/rmi/activation/Activatable/checkActivateRef/security.policy jdk/test/java/rmi/activation/Activatable/checkAnnotations/security.policy jdk/test/java/rmi/activation/Activatable/checkImplClassLoader/security.policy jdk/test/java/rmi/activation/Activatable/checkRegisterInLog/security.policy jdk/test/java/rmi/activation/Activatable/createPrivateActivable/security.policy jdk/test/java/rmi/activation/Activatable/downloadParameterClass/security.policy jdk/test/java/rmi/activation/Activatable/elucidateNoSuchMethod/security.policy jdk/test/java/rmi/activation/Activatable/extLoadedImpl/security.policy jdk/test/java/rmi/activation/Activatable/forceLogSnapshot/security.policy jdk/test/java/rmi/activation/Activatable/inactiveGroup/security.policy jdk/test/java/rmi/activation/Activatable/nestedActivate/security.policy jdk/test/java/rmi/activation/Activatable/nonExistentActivatable/security.policy jdk/test/java/rmi/activation/Activatable/restartCrashedService/security.policy jdk/test/java/rmi/activation/Activatable/restartLatecomer/security.policy jdk/test/java/rmi/activation/Activatable/restartService/security.policy jdk/test/java/rmi/activation/Activatable/shutdownGracefully/security.policy jdk/test/java/rmi/activation/Activatable/unregisterInactive/security.policy jdk/test/java/rmi/activation/ActivationSystem/activeGroup/security.policy jdk/test/java/rmi/activation/ActivationSystem/modifyDescriptor/security.policy jdk/test/java/rmi/activation/ActivationSystem/unregisterGroup/security.policy jdk/test/java/rmi/activation/CommandEnvironment/security.policy 
jdk/test/java/rmi/dgc/VMID/security.policy jdk/test/java/rmi/dgc/dgcImplInsulation/security.policy jdk/test/java/rmi/registry/classPathCodebase/security.policy jdk/test/java/rmi/server/RMIClassLoader/delegateToContextLoader/security.policy jdk/test/java/rmi/server/RMIClassLoader/downloadArrayClass/security.policy jdk/test/java/rmi/server/RMIClassLoader/getClassLoader/security.policy jdk/test/java/rmi/server/RMIClassLoader/loadProxyClasses/security.policy jdk/test/java/rmi/server/RMIClassLoader/spi/security.policy jdk/test/java/rmi/server/RMIClassLoader/useCodebaseOnly/security.policy jdk/test/java/rmi/server/RMIClassLoader/useGetURLs/security.policy jdk/test/java/rmi/server/RMISocketFactory/useSocketFactory/activatable/security.policy jdk/test/java/rmi/server/RMISocketFactory/useSocketFactory/registry/security.policy jdk/test/java/rmi/server/RMISocketFactory/useSocketFactory/unicast/security.policy jdk/test/java/rmi/server/RemoteServer/setLogPermission/java.policy jdk/test/java/rmi/server/clientStackTrace/security.policy jdk/test/java/rmi/server/useCustomRef/security.policy jdk/test/java/rmi/transport/checkLeaseInfoLeak/security.policy jdk/test/java/rmi/transport/dgcDeadLock/security.policy jdk/test/java/rmi/transport/httpSocket/security.policy jdk/test/java/security/KeyRep/Serial.policy jdk/test/java/security/KeyRep/SerialOld.policy jdk/test/java/security/Policy/GetInstance/GetInstance.policy jdk/test/java/security/Policy/GetInstance/GetInstance.policyURL jdk/test/java/security/Policy/GetInstance/GetInstanceSecurity.policy jdk/test/java/security/Security/AddProvider.policy.1 jdk/test/java/security/Security/AddProvider.policy.2 jdk/test/java/security/Security/AddProvider.policy.3 jdk/test/java/security/Security/removing/RemoveStaticProvider.policy jdk/test/javax/security/auth/login/Configuration/GetInstanceSecurity.grantedPolicy jdk/test/javax/security/auth/login/Configuration/GetInstanceSecurity.policy jdk/test/jdk/nio/zipfs/test.policy 
jdk/test/sun/net/www/http/HttpClient/IsKeepingAlive.policy jdk/test/sun/net/www/http/HttpClient/OpenServer.policy jdk/test/sun/rmi/server/MarshalOutputStream/marshalForeignStub/security.policy jdk/test/sun/security/pkcs11/KeyStore/Basic.policy jdk/test/sun/security/pkcs11/Provider/Login.policy jdk/test/sun/security/provider/PolicyFile/Alias.policy jdk/test/sun/security/provider/PolicyFile/AliasExpansion.policy jdk/test/sun/security/provider/PolicyFile/TrustedCert.policy
diffstat 69 files changed, 284 insertions(+), 268 deletions(-) [+]
--- a/jdk/src/share/classes/sun/security/jca/ProviderConfig.java	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/src/share/classes/sun/security/jca/ProviderConfig.java	Thu Jul 10 22:44:58 2014 +0000
@@ -255,6 +255,14 @@
                         disableLoad();
                     }
                     return null;
+                } catch (ExceptionInInitializerError err) {
+                    // no sufficient permission to initialize provider class
+                    if (debug != null) {
+                        debug.println("Error loading provider " + ProviderConfig.this);
+                        err.printStackTrace();
+                    }
+                    disableLoad();
+                    return null;
                 }
             }
         });
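Review bot: The new `catch (ExceptionInInitializerError err)` treats every static-initializer failure as a permission problem, but the error wraps whatever the provider class's initializer threw, so the comment `// no sufficient permission to initialize provider class` can mislead whoever debugs a provider that fails for another reason. When `debug == null` the handler calls `disableLoad()` and returns null with no record of the cause at all. I would reword the comment to `// provider class failed static initialization, e.g. a permission missing from the policy` and include `err.getCause()` in the `debug.println` message so the underlying exception is named. The enclosing method starts and ends outside this hunk.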
--- a/jdk/src/share/lib/security/java.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/src/share/lib/security/java.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -26,15 +26,36 @@
 };
 
 grant codeBase "file:${java.home}/lib/ext/sunec.jar" {
-        permission java.security.AllPermission;
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.lang.RuntimePermission "loadLibrary.sunec";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.SunEC";
+        permission java.security.SecurityPermission "clearProviderProperties.SunEC";
+        permission java.security.SecurityPermission "removeProviderProperty.SunEC";
 };
 
 grant codeBase "file:${java.home}/lib/ext/sunjce_provider.jar" {
-        permission java.security.AllPermission;
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.SunJCE";
+        permission java.security.SecurityPermission "clearProviderProperties.SunJCE";
+        permission java.security.SecurityPermission "removeProviderProperty.SunJCE";
 };
 
 grant codeBase "file:${java.home}/lib/ext/sunpkcs11.jar" {
-        permission java.security.AllPermission;
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
+        permission java.lang.RuntimePermission "loadLibrary.j2pkcs11";
+        // needs "security.pkcs11.allowSingleThreadedModules"
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.*";
+        permission java.security.SecurityPermission "clearProviderProperties.*";
+        permission java.security.SecurityPermission "removeProviderProperty.*";
+        permission java.security.SecurityPermission "getProperty.auth.login.defaultCallbackHandler";
+        permission java.security.SecurityPermission "authProvider.*";
+        // Needed for reading PKCS11 config file and NSS library check
+        permission java.io.FilePermission "<<ALL FILES>>", "read";
 };
 
 // default permissions granted to all domains
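Review bot: The sunpkcs11.jar grant still carries `java.io.FilePermission "<<ALL FILES>>", "read"` and the wildcards `putProviderProperty.*`, `clearProviderProperties.*` and `removeProviderProperty.*`, which is much wider than the per-provider names used for SunEC and SunJCE above it. If the reason is that PKCS11 provider names and config file locations are only known at configuration time (inferred, not visible in this hunk), the grant should say so, for example `// provider name and config path come from the PKCS11 config, so they cannot be named here`. The comment `// needs "security.pkcs11.allowSingleThreadedModules"` names a single property while the line under it grants `PropertyPermission "*", "read"`; either narrow the grant or state why every property must be readable. Anyone running untrusted code under a security manager should read this entry as letting that jar read any file the process can.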
--- a/jdk/src/windows/lib/security/java.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/src/windows/lib/security/java.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -1,3 +1,8 @@
 grant codeBase "file:${java.home}/lib/ext/sunmscapi.jar" {
-        permission java.security.AllPermission;
-};
+        Permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.lang.RuntimePermission "loadLibrary.sunmscapi";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.SunMSCAPI";
+        permission java.security.SecurityPermission "clearProviderProperties.SunMSCAPI";
+        permission java.security.SecurityPermission "removeProviderProperty.SunMSCAPI";
+}
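Review bot: The closing line `+}` drops the `;` that the removed `-};` had; the policy-file grammar terminates every grant entry with `;`, so this entry may fail to parse and the SunMSCAPI permissions would then not be granted at all. It should stay `};`. The first added line also spells the keyword as `Permission` with a capital P, unlike every other entry in the commit; write it as `permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";`. The same capitalised line is copied into the sunmscapi.jar grants added to URLPermission/policy.1, policy.2 and policy.3.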
--- a/jdk/test/java/io/Serializable/subclassGC/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/io/Serializable/subclassGC/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -1,6 +1,3 @@
-grant codeBase "file:${{java.ext.dirs}}/*" {
-	permission java.security.AllPermission;
-};
 
 grant {
 	permission java.lang.RuntimePermission "createClassLoader";
--- a/jdk/test/java/lang/System/System.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/lang/System/System.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -1,10 +1,5 @@
 //
 // Used by SecurityRace.java 
-// Standard extensions get all permissions by default
-
-grant codeBase "file:${{java.ext.dirs}}/*" {
-	permission java.security.AllPermission;
-};
 
 // default permissions granted to all domains
 
--- a/jdk/test/java/net/URLPermission/policy.1	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/net/URLPermission/policy.1	Thu Jul 10 22:44:58 2014 +0000
@@ -37,9 +37,56 @@
 };
 
 // Normal permissions that aren't granted when run under jtreg
+grant codeBase "file:${java.home}/lib/ext/ucrypto.jar" {
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
+        permission java.lang.RuntimePermission "loadLibrary.j2ucrypto";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.OracleUcrypto";
+        permission java.security.SecurityPermission "clearProviderProperties.OracleUcrypto";
+        permission java.security.SecurityPermission "removeProviderProperty.OracleUcrypto";
+        permission java.io.FilePermission "${java.home}/lib/security/ucrypto-solaris.cfg", "read";
+};
 
-grant codeBase "file:${{java.ext.dirs}}/*" {
-        permission java.security.AllPermission;
+grant codeBase "file:${java.home}/lib/ext/sunec.jar" {
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.lang.RuntimePermission "loadLibrary.sunec";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.SunEC";
+        permission java.security.SecurityPermission "clearProviderProperties.SunEC";
+        permission java.security.SecurityPermission "removeProviderProperty.SunEC";
+};
+
+grant codeBase "file:${java.home}/lib/ext/sunjce_provider.jar" {
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.SunJCE";
+        permission java.security.SecurityPermission "clearProviderProperties.SunJCE";
+        permission java.security.SecurityPermission "removeProviderProperty.SunJCE";
+};
+
+grant codeBase "file:${java.home}/lib/ext/sunpkcs11.jar" {
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
+        permission java.lang.RuntimePermission "loadLibrary.j2pkcs11";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.*";
+        permission java.security.SecurityPermission "clearProviderProperties.*";
+        permission java.security.SecurityPermission "removeProviderProperty.*";
+        permission java.security.SecurityPermission "getProperty.auth.login.defaultCallbackHandler";
+        permission java.security.SecurityPermission "authProvider.*";
+        // Needed for reading PKCS11 config file and NSS library check
+        permission java.io.FilePermission "<<ALL FILES>>", "read";
+};
+
+grant codeBase "file:${java.home}/lib/ext/sunmscapi.jar" {
+        Permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.lang.RuntimePermission "loadLibrary.sunmscapi";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.SunMSCAPI";
+        permission java.security.SecurityPermission "clearProviderProperties.SunMSCAPI";
+        permission java.security.SecurityPermission "removeProviderProperty.SunMSCAPI";
 };
 
 grant codeBase "file:${{java.home}}/jre/lib/rt.jar" {
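Review bot: The five provider grants added here are a verbatim copy of the product defaults, and the identical block is added again in policy.2 and policy.3, so these tests will keep running with stale permissions once the grants in src/share/lib/security/java.policy change. A comment above the block such as `// Copied from the default java.policy provider grants; keep in sync` would at least make the coupling visible. The copy also brings `FilePermission "<<ALL FILES>>", "read"` for sunpkcs11.jar into a test about URL permissions; if the test never loads the PKCS11 provider, that entry could be left out here (not verifiable from this hunk).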
--- a/jdk/test/java/net/URLPermission/policy.2	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/net/URLPermission/policy.2	Thu Jul 10 22:44:58 2014 +0000
@@ -36,8 +36,57 @@
     permission "java.lang.RuntimePermission" "setFactory";
 };
 
-grant codeBase "file:${{java.ext.dirs}}/*" {
-        permission java.security.AllPermission;
+// Normal permissions that aren't granted when run under jtreg
+grant codeBase "file:${java.home}/lib/ext/ucrypto.jar" {
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
+        permission java.lang.RuntimePermission "loadLibrary.j2ucrypto";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.OracleUcrypto";
+        permission java.security.SecurityPermission "clearProviderProperties.OracleUcrypto";
+        permission java.security.SecurityPermission "removeProviderProperty.OracleUcrypto";
+        permission java.io.FilePermission "${java.home}/lib/security/ucrypto-solaris.cfg", "read";
+};
+
+grant codeBase "file:${java.home}/lib/ext/sunec.jar" {
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.lang.RuntimePermission "loadLibrary.sunec";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.SunEC";
+        permission java.security.SecurityPermission "clearProviderProperties.SunEC";
+        permission java.security.SecurityPermission "removeProviderProperty.SunEC";
+};
+
+grant codeBase "file:${java.home}/lib/ext/sunjce_provider.jar" {
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.SunJCE";
+        permission java.security.SecurityPermission "clearProviderProperties.SunJCE";
+        permission java.security.SecurityPermission "removeProviderProperty.SunJCE";
+};
+
+grant codeBase "file:${java.home}/lib/ext/sunpkcs11.jar" {
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
+        permission java.lang.RuntimePermission "loadLibrary.j2pkcs11";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.*";
+        permission java.security.SecurityPermission "clearProviderProperties.*";
+        permission java.security.SecurityPermission "removeProviderProperty.*";
+        permission java.security.SecurityPermission "getProperty.auth.login.defaultCallbackHandler";
+        permission java.security.SecurityPermission "authProvider.*";
+        // Needed for reading PKCS11 config file and NSS library check
+        permission java.io.FilePermission "<<ALL FILES>>", "read";
+};
+
+grant codeBase "file:${java.home}/lib/ext/sunmscapi.jar" {
+        Permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.lang.RuntimePermission "loadLibrary.sunmscapi";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.SunMSCAPI";
+        permission java.security.SecurityPermission "clearProviderProperties.SunMSCAPI";
+        permission java.security.SecurityPermission "removeProviderProperty.SunMSCAPI";
 };
 
 grant codeBase "file:///export/repos/jdk8/build/linux-x86_64-normal-server-fastdebug/images/j2sdk-image/jre/lib/rt.jar" {
--- a/jdk/test/java/net/URLPermission/policy.3	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/net/URLPermission/policy.3	Thu Jul 10 22:44:58 2014 +0000
@@ -37,9 +37,56 @@
 };
 
 // Normal permissions that aren't granted when run under jtreg
+grant codeBase "file:${java.home}/lib/ext/ucrypto.jar" {
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
+        permission java.lang.RuntimePermission "loadLibrary.j2ucrypto";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.OracleUcrypto";
+        permission java.security.SecurityPermission "clearProviderProperties.OracleUcrypto";
+        permission java.security.SecurityPermission "removeProviderProperty.OracleUcrypto";
+        permission java.io.FilePermission "${java.home}/lib/security/ucrypto-solaris.cfg", "read";
+};
 
-grant codeBase "file:${{java.ext.dirs}}/*" {
-        permission java.security.AllPermission;
+grant codeBase "file:${java.home}/lib/ext/sunec.jar" {
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.lang.RuntimePermission "loadLibrary.sunec";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.SunEC";
+        permission java.security.SecurityPermission "clearProviderProperties.SunEC";
+        permission java.security.SecurityPermission "removeProviderProperty.SunEC";
+};
+
+grant codeBase "file:${java.home}/lib/ext/sunjce_provider.jar" {
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.SunJCE";
+        permission java.security.SecurityPermission "clearProviderProperties.SunJCE";
+        permission java.security.SecurityPermission "removeProviderProperty.SunJCE";
+};
+
+grant codeBase "file:${java.home}/lib/ext/sunpkcs11.jar" {
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
+        permission java.lang.RuntimePermission "loadLibrary.j2pkcs11";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.*";
+        permission java.security.SecurityPermission "clearProviderProperties.*";
+        permission java.security.SecurityPermission "removeProviderProperty.*";
+        permission java.security.SecurityPermission "getProperty.auth.login.defaultCallbackHandler";
+        permission java.security.SecurityPermission "authProvider.*";
+        // Needed for reading PKCS11 config file and NSS library check
+        permission java.io.FilePermission "<<ALL FILES>>", "read";
+};
+
+grant codeBase "file:${java.home}/lib/ext/sunmscapi.jar" {
+        Permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.lang.RuntimePermission "loadLibrary.sunmscapi";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.SunMSCAPI";
+        permission java.security.SecurityPermission "clearProviderProperties.SunMSCAPI";
+        permission java.security.SecurityPermission "removeProviderProperty.SunMSCAPI";
 };
 
 grant codeBase "file:${{java.home}}/jre/lib/rt.jar" {
--- a/jdk/test/java/nio/charset/spi/default-pol	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/nio/charset/spi/default-pol	Thu Jul 10 22:44:58 2014 +0000
@@ -1,9 +1,3 @@
-
-// Standard extensions get all permissions by default
-
-grant codeBase "file:${java.home}/lib/ext/*" {
-	permission java.security.AllPermission;
-};
 
 // default permissions granted to all domains
 
--- a/jdk/test/java/rmi/activation/Activatable/checkActivateRef/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/activation/Activatable/checkActivateRef/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // test explicitly acccesses sun.rmi.server.ActivatableRef
   permission java.lang.RuntimePermission "accessClassInPackage.sun.rmi.server";
--- a/jdk/test/java/rmi/activation/Activatable/checkAnnotations/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/activation/Activatable/checkAnnotations/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // standard test activation permissions
   permission java.io.FilePermission "..${/}..${/}test.props", "read";
--- a/jdk/test/java/rmi/activation/Activatable/checkImplClassLoader/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/activation/Activatable/checkImplClassLoader/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // need to move some classes out of the tests classpath; specific to this test
   permission java.io.FilePermission "${test.classes}", "read,write,delete";
--- a/jdk/test/java/rmi/activation/Activatable/checkRegisterInLog/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/activation/Activatable/checkRegisterInLog/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // standard test activation permissions
   permission java.io.FilePermission "..${/}..${/}test.props", "read";
--- a/jdk/test/java/rmi/activation/Activatable/createPrivateActivable/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/activation/Activatable/createPrivateActivable/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // standard test activation permissions
   permission java.io.FilePermission "..${/}..${/}test.props", "read";
--- a/jdk/test/java/rmi/activation/Activatable/downloadParameterClass/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/activation/Activatable/downloadParameterClass/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // need to move some classes out of the tests classpath; specific to this test
   permission java.io.FilePermission "${test.classes}", "read,write,delete";
--- a/jdk/test/java/rmi/activation/Activatable/elucidateNoSuchMethod/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/activation/Activatable/elucidateNoSuchMethod/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // Needed because of bug#: 4182104
   permission java.lang.RuntimePermission "modifyThreadGroup";
--- a/jdk/test/java/rmi/activation/Activatable/extLoadedImpl/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/activation/Activatable/extLoadedImpl/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -1,6 +1,3 @@
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
 
 grant {
   // standard activation permissions
--- a/jdk/test/java/rmi/activation/Activatable/forceLogSnapshot/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/activation/Activatable/forceLogSnapshot/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // standard test activation permissions
   permission java.io.FilePermission "..${/}..${/}test.props", "read";
--- a/jdk/test/java/rmi/activation/Activatable/inactiveGroup/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/activation/Activatable/inactiveGroup/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // standard test activation permissions
   permission java.io.FilePermission "..${/}..${/}test.props", "read";
--- a/jdk/test/java/rmi/activation/Activatable/nestedActivate/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/activation/Activatable/nestedActivate/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // standard test activation permissions
   permission java.io.FilePermission "..${/}..${/}test.props", "read";
--- a/jdk/test/java/rmi/activation/Activatable/nonExistentActivatable/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/activation/Activatable/nonExistentActivatable/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // standard test activation permissions
   permission java.io.FilePermission "..${/}..${/}test.props", "read";
--- a/jdk/test/java/rmi/activation/Activatable/restartCrashedService/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/activation/Activatable/restartCrashedService/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // standard test activation permissions
   permission java.io.FilePermission "..${/}..${/}test.props", "read";
--- a/jdk/test/java/rmi/activation/Activatable/restartLatecomer/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/activation/Activatable/restartLatecomer/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // standard test activation permissions
   permission java.io.FilePermission "..${/}..${/}test.props", "read";
--- a/jdk/test/java/rmi/activation/Activatable/restartService/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/activation/Activatable/restartService/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // standard test activation permissions
   permission java.io.FilePermission "..${/}..${/}test.props", "read";
--- a/jdk/test/java/rmi/activation/Activatable/shutdownGracefully/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/activation/Activatable/shutdownGracefully/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // standard activation permissions
   permission java.io.FilePermission "..${/}..${/}test.props", "read";
--- a/jdk/test/java/rmi/activation/Activatable/unregisterInactive/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/activation/Activatable/unregisterInactive/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // standard test activation permissions
   permission java.io.FilePermission "..${/}..${/}test.props", "read";
--- a/jdk/test/java/rmi/activation/ActivationSystem/activeGroup/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/activation/ActivationSystem/activeGroup/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -1,6 +1,3 @@
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
 
 grant {
   // standard test activation permissions
--- a/jdk/test/java/rmi/activation/ActivationSystem/modifyDescriptor/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/activation/ActivationSystem/modifyDescriptor/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // standard test activation permissions
   permission java.io.FilePermission "..${/}..${/}test.props", "read";
--- a/jdk/test/java/rmi/activation/ActivationSystem/unregisterGroup/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/activation/ActivationSystem/unregisterGroup/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // standard test activation permissions
   permission java.io.FilePermission "..${/}..${/}test.props", "read";
--- a/jdk/test/java/rmi/activation/CommandEnvironment/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/activation/CommandEnvironment/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // standard test activation permissions
   permission java.io.FilePermission "..${/}..${/}test.props", "read";
--- a/jdk/test/java/rmi/dgc/VMID/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/dgc/VMID/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -1,11 +1,6 @@
 /*
  * security policy used by MarshalForeignStub test
  */
-
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
 
     // used by TestLibrary to determine test environment
--- a/jdk/test/java/rmi/dgc/dgcImplInsulation/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/dgc/dgcImplInsulation/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -1,11 +1,6 @@
 /*
  * security policy used by the test process
  */
-
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // so that synchronous DGC dirty call will succeed
   permission java.net.SocketPermission "*:1024-", "accept,connect,listen";
--- a/jdk/test/java/rmi/registry/classPathCodebase/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/registry/classPathCodebase/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // need to move some classes out of the test's classpath; specific to this test
   permission java.io.FilePermission "${test.classes}", "read,write,delete";
--- a/jdk/test/java/rmi/server/RMIClassLoader/delegateToContextLoader/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/server/RMIClassLoader/delegateToContextLoader/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // test must create a context loader for the current thread.
   permission java.lang.RuntimePermission "createClassLoader";
--- a/jdk/test/java/rmi/server/RMIClassLoader/downloadArrayClass/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/server/RMIClassLoader/downloadArrayClass/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
     permission java.util.PropertyPermission
         "java.rmi.server.codebase", "read,write";
--- a/jdk/test/java/rmi/server/RMIClassLoader/getClassLoader/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/server/RMIClassLoader/getClassLoader/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
     // permissions needed to move classes into separate codebase directories
     permission java.io.FilePermission
--- a/jdk/test/java/rmi/server/RMIClassLoader/loadProxyClasses/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/server/RMIClassLoader/loadProxyClasses/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
 
     // permissions needed to move classes into separate codebase directories
--- a/jdk/test/java/rmi/server/RMIClassLoader/spi/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/server/RMIClassLoader/spi/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
 
     // permissions needed to move classes into separate codebase directories
--- a/jdk/test/java/rmi/server/RMIClassLoader/useCodebaseOnly/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/server/RMIClassLoader/useCodebaseOnly/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
 
     // specific property access needed by this test
--- a/jdk/test/java/rmi/server/RMIClassLoader/useGetURLs/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/server/RMIClassLoader/useGetURLs/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // the test needs to move classfiles out of its classpath
   permission java.io.FilePermission "${test.classes}", "read,write,delete";
--- a/jdk/test/java/rmi/server/RMISocketFactory/useSocketFactory/activatable/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/server/RMISocketFactory/useSocketFactory/activatable/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // property specifically accessed by this test
   permission java.util.PropertyPermission "user.name", "read";
--- a/jdk/test/java/rmi/server/RMISocketFactory/useSocketFactory/registry/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/server/RMISocketFactory/useSocketFactory/registry/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // used by TestLibrary to determine extra commandline properties
   permission java.io.FilePermission "..${/}..${/}test.props", "read";
--- a/jdk/test/java/rmi/server/RMISocketFactory/useSocketFactory/unicast/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/server/RMISocketFactory/useSocketFactory/unicast/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // used by TestLibrary to determine extra commandline properties
   permission java.io.FilePermission "..${/}..${/}test.props", "read";
--- a/jdk/test/java/rmi/server/RemoteServer/setLogPermission/java.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/server/RemoteServer/setLogPermission/java.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -1,7 +1,3 @@
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
     permission java.util.logging.LoggingPermission "control";
 };
--- a/jdk/test/java/rmi/server/clientStackTrace/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/server/clientStackTrace/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // test needs to export rmid and communicate with objects on arbitrary ports
   permission java.net.SocketPermission "*:1024-", "connect,accept,listen";
--- a/jdk/test/java/rmi/server/useCustomRef/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/server/useCustomRef/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // the test uses a class in the package sun.rmi.server
   permission java.lang.RuntimePermission "accessClassInPackage.sun.rmi.registry";
--- a/jdk/test/java/rmi/transport/checkLeaseInfoLeak/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/transport/checkLeaseInfoLeak/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // used by TestLibrary to determine extra commandline properties
   permission java.io.FilePermission "..${/}..${/}test.props", "read";
--- a/jdk/test/java/rmi/transport/dgcDeadLock/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/transport/dgcDeadLock/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by the test process
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
   // used by TestLibrary to determine extra commandline properties
   permission java.io.FilePermission "..${/}..${/}test.props", "read";
--- a/jdk/test/java/rmi/transport/httpSocket/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/rmi/transport/httpSocket/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -1,6 +1,3 @@
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
 
 grant {
     permission java.net.SocketPermission "*:1024-", "accept,connect,listen";
--- a/jdk/test/java/security/KeyRep/Serial.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/security/KeyRep/Serial.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -1,5 +1,10 @@
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
+grant codeBase "file:${java.home}/lib/ext/sunjce_provider.jar" {
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.SunJCE";
+        permission java.security.SecurityPermission "clearProviderProperties.SunJCE";
+        permission java.security.SecurityPermission "removeProviderProperty.SunJCE";
 };
 
 grant {
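Review bot: The new `sunjce_provider.jar` grant keeps `permission java.util.PropertyPermission "*", "read";`, which lets the provider read every system property, including any that carry secrets such as `javax.net.ssl.keyStorePassword`. That is wider than the least-privilege goal stated in the changeset summary. The same wildcard line recurs in the SunJCE grants added to SerialOld.policy and RemoveStaticProvider.policy, and in the other provider grants in SerialOld.policy. Which properties SunJCE actually reads is not visible in this diff, so at minimum I would mark the line with `// TODO: wildcard property read; narrow to the properties SunJCE actually needs`.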
--- a/jdk/test/java/security/KeyRep/SerialOld.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/security/KeyRep/SerialOld.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -1,5 +1,53 @@
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
+grant codeBase "file:${java.home}/lib/ext/ucrypto.jar" {
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
+        permission java.lang.RuntimePermission "loadLibrary.j2ucrypto";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.OracleUcrypto";
+        permission java.security.SecurityPermission "clearProviderProperties.OracleUcrypto";
+        permission java.security.SecurityPermission "removeProviderProperty.OracleUcrypto";
+        permission java.io.FilePermission "${java.home}/lib/security/ucrypto-solaris.cfg", "read";
+};
+
+grant codeBase "file:${java.home}/lib/ext/sunec.jar" {
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.lang.RuntimePermission "loadLibrary.sunec";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.SunEC";
+        permission java.security.SecurityPermission "clearProviderProperties.SunEC";
+        permission java.security.SecurityPermission "removeProviderProperty.SunEC";
+};
+
+grant codeBase "file:${java.home}/lib/ext/sunjce_provider.jar" {
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.SunJCE";
+        permission java.security.SecurityPermission "clearProviderProperties.SunJCE";
+        permission java.security.SecurityPermission "removeProviderProperty.SunJCE";
+};
+
+grant codeBase "file:${java.home}/lib/ext/sunpkcs11.jar" {
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
+        permission java.lang.RuntimePermission "loadLibrary.j2pkcs11";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.*";
+        permission java.security.SecurityPermission "clearProviderProperties.*";
+        permission java.security.SecurityPermission "removeProviderProperty.*";
+        permission java.security.SecurityPermission "getProperty.auth.login.defaultCallbackHandler";
+        permission java.security.SecurityPermission "authProvider.*";
+        // Needed for reading PKCS11 config file and NSS library check
+        permission java.io.FilePermission "<<ALL FILES>>", "read";
+};
+
+grant codeBase "file:${java.home}/lib/ext/sunmscapi.jar" {
+        Permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.lang.RuntimePermission "loadLibrary.sunmscapi";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.SunMSCAPI";
+        permission java.security.SecurityPermission "clearProviderProperties.SunMSCAPI";
+        permission java.security.SecurityPermission "removeProviderProperty.SunMSCAPI";
 };
 
 grant {
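Review bot: The `sunpkcs11.jar` grant gives `permission java.io.FilePermission "<<ALL FILES>>", "read";` together with `putProviderProperty.*`, `clearProviderProperties.*` and `removeProviderProperty.*`, so code in that jar may read any file and is not limited to its own provider name, unlike the name-scoped SunJCE, SunEC and OracleUcrypto grants in the same hunk. The identical block is added in pkcs11/KeyStore/Basic.policy and pkcs11/Provider/Login.policy. The existing comment gives the reason for the file read; if the config and NSS library locations are fixed for these tests the grant could name them, otherwise I would extend the comment to `// Needed for reading PKCS11 config file and NSS library check; read-all is broader than least privilege, narrow if paths can be pinned`. Separately, the first line of the `sunmscapi.jar` grant is spelled `Permission` with a capital P; the policy parser appears to match keywords case-insensitively so it likely still parses, but it should read `permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";` like its siblings.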
@@ -8,11 +56,11 @@
     permission java.util.PropertyPermission "test.src", "read";
 
     permission java.lang.RuntimePermission
-	"accessClassInPackage.sun.security.provider";
+        "accessClassInPackage.sun.security.provider";
     permission java.lang.RuntimePermission
-	"accessClassInPackage.sun.security.pkcs";
+        "accessClassInPackage.sun.security.pkcs";
     permission java.lang.RuntimePermission
-	"accessClassInPackage.sun.security.x509";
+        "accessClassInPackage.sun.security.x509";
     permission java.lang.RuntimePermission
-	"accessClassInPackage.sun.security.rsa";
+        "accessClassInPackage.sun.security.rsa";
 };
--- a/jdk/test/java/security/Policy/GetInstance/GetInstance.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/security/Policy/GetInstance/GetInstance.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -1,6 +1,3 @@
-grant codeBase "file:${{java.ext.dirs}}/*" {
-        permission java.security.AllPermission;
-};
 
 grant {
     permission java.security.SecurityPermission
--- a/jdk/test/java/security/Policy/GetInstance/GetInstance.policyURL	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/security/Policy/GetInstance/GetInstance.policyURL	Thu Jul 10 22:44:58 2014 +0000
@@ -1,7 +1,3 @@
-grant codeBase "file:${{java.ext.dirs}}/*" {
-        permission java.security.AllPermission;
-};
-
 grant {
     permission java.security.SecurityPermission "GetInstanceTest";
 };
--- a/jdk/test/java/security/Policy/GetInstance/GetInstanceSecurity.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/security/Policy/GetInstance/GetInstanceSecurity.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -1,7 +1,3 @@
-grant codeBase "file:${{java.ext.dirs}}/*" {
-	permission java.security.AllPermission;
-};
-
 grant {
     // do not grant this:
     //
--- a/jdk/test/java/security/Security/AddProvider.policy.1	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/security/Security/AddProvider.policy.1	Thu Jul 10 22:44:58 2014 +0000
@@ -1,7 +1,3 @@
-grant codeBase "file:${{java.ext.dirs}}/*" {
-	permission java.security.AllPermission;
-};
-
 grant {
     permission java.security.SecurityPermission "insertProvider";
 };
--- a/jdk/test/java/security/Security/AddProvider.policy.2	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/security/Security/AddProvider.policy.2	Thu Jul 10 22:44:58 2014 +0000
@@ -1,6 +1,3 @@
-grant codeBase "file:${{java.ext.dirs}}/*" {
-	permission java.security.AllPermission;
-};
 
 grant {
     permission java.security.SecurityPermission "insertProvider.Test1";
--- a/jdk/test/java/security/Security/AddProvider.policy.3	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/security/Security/AddProvider.policy.3	Thu Jul 10 22:44:58 2014 +0000
@@ -1,6 +1,3 @@
-grant codeBase "file:${{java.ext.dirs}}/*" {
-	permission java.security.AllPermission;
-};
 
 grant {
     permission java.security.SecurityPermission "insertProvider.*";
--- a/jdk/test/java/security/Security/removing/RemoveStaticProvider.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/java/security/Security/removing/RemoveStaticProvider.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -1,10 +1,15 @@
+
+grant codeBase "file:${java.home}/lib/ext/sunjce_provider.jar" {
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.SunJCE";
+        permission java.security.SecurityPermission "clearProviderProperties.SunJCE";
+        permission java.security.SecurityPermission "removeProviderProperty.SunJCE";
+};
+
 grant {
     permission java.security.SecurityPermission "removeProvider.SunJCE";
     permission java.security.SecurityPermission "insertProvider.SunJCE";
 };
 
-// Standard extensions get all permissions
-grant codeBase "file:${java.home}/lib/ext/*" {
-        permission java.security.AllPermission;
-};
-
--- a/jdk/test/javax/security/auth/login/Configuration/GetInstanceSecurity.grantedPolicy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/javax/security/auth/login/Configuration/GetInstanceSecurity.grantedPolicy	Thu Jul 10 22:44:58 2014 +0000
@@ -1,7 +1,3 @@
-grant codeBase "file:${{java.ext.dirs}}/*" {
-	permission java.security.AllPermission;
-};
-
 grant {
     permission java.util.PropertyPermission "test.src", "read";
     permission java.io.FilePermission "${test.src}${/}*", "read";
--- a/jdk/test/javax/security/auth/login/Configuration/GetInstanceSecurity.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/javax/security/auth/login/Configuration/GetInstanceSecurity.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -1,6 +1,3 @@
-grant codeBase "file:${{java.ext.dirs}}/*" {
-	permission java.security.AllPermission;
-};
 
 grant {
 
--- a/jdk/test/jdk/nio/zipfs/test.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/jdk/nio/zipfs/test.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -4,10 +4,6 @@
     permission java.util.PropertyPermission "*", "read";
 };
 
-grant codeBase "file:${java.home}/lib/ext/sunpkcs11.jar" {
-    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
-};
-
 grant {
     permission java.io.FilePermission "<<ALL FILES>>","read,write,delete";
     permission java.util.PropertyPermission "test.jdk","read";
--- a/jdk/test/sun/net/www/http/HttpClient/IsKeepingAlive.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/sun/net/www/http/HttpClient/IsKeepingAlive.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -5,13 +5,6 @@
 	permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.http";
 };
 
-// From system java.policy
-// Standard extensions get all permissions by default
-
-grant codeBase "file:${java.home}/lib/ext/*" {
-	permission java.security.AllPermission;
-};
-
 // default permissions granted to all domains
 
 grant { 
--- a/jdk/test/sun/net/www/http/HttpClient/OpenServer.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/sun/net/www/http/HttpClient/OpenServer.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -5,13 +5,6 @@
 	permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.http";
 };
 
-// From system java.policy
-// Standard extensions get all permissions by default
-
-grant codeBase "file:${java.home}/lib/ext/*" {
-	permission java.security.AllPermission;
-};
-
 // default permissions granted to all domains
 
 grant { 
--- a/jdk/test/sun/rmi/server/MarshalOutputStream/marshalForeignStub/security.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/sun/rmi/server/MarshalOutputStream/marshalForeignStub/security.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -2,10 +2,6 @@
  * security policy used by MarshalForeignStub test
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
-};
-
 grant {
 
     // used by TestLibrary to determine test environment
--- a/jdk/test/sun/security/pkcs11/KeyStore/Basic.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/sun/security/pkcs11/KeyStore/Basic.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -1,5 +1,15 @@
-grant codeBase "file:${java.home}/lib/ext/*" {
-    permission java.security.AllPermission;
+grant codeBase "file:${java.home}/lib/ext/sunpkcs11.jar" {
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
+        permission java.lang.RuntimePermission "loadLibrary.j2pkcs11";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.*";
+        permission java.security.SecurityPermission "clearProviderProperties.*";
+        permission java.security.SecurityPermission "removeProviderProperty.*";
+        permission java.security.SecurityPermission "getProperty.auth.login.defaultCallbackHandler";
+        permission java.security.SecurityPermission "authProvider.*";
+        // Needed for reading PKCS11 config file and NSS library check
+        permission java.io.FilePermission "<<ALL FILES>>", "read";
 };
 
 grant codebase "file:${user.dir}${/}loader.jar" {
--- a/jdk/test/sun/security/pkcs11/Provider/Login.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/sun/security/pkcs11/Provider/Login.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -1,5 +1,16 @@
-grant codeBase "file:${java.home}/lib/ext/*" {
-        permission java.security.AllPermission;
+grant codeBase "file:${java.home}/lib/ext/sunpkcs11.jar" {
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
+        permission java.lang.RuntimePermission "loadLibrary.j2pkcs11";
+        permission java.util.PropertyPermission "*", "read";
+        permission java.security.SecurityPermission "putProviderProperty.*";
+        permission java.security.SecurityPermission "clearProviderProperties.*";
+        permission java.security.SecurityPermission "removeProviderProperty.*";
+        permission java.security.SecurityPermission "getProperty.auth.login.defaultCallbackHandler";
+
+        permission java.security.SecurityPermission "authProvider.*";
+        // Needed for reading PKCS11 config file and NSS library check
+        permission java.io.FilePermission "<<ALL FILES>>", "read";
 };
 
 grant {
--- a/jdk/test/sun/security/provider/PolicyFile/Alias.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/sun/security/provider/PolicyFile/Alias.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -10,9 +10,3 @@
 	principal com.sun.security.auth.UnixPrincipal "unix" {
     permission java.security.SecurityPermission "ALIAS";
 };
-
-// Standard extensions get all permissions
-grant codeBase "file:${java.home}/lib/ext/*" {
-        permission java.security.AllPermission;
-};
-
--- a/jdk/test/sun/security/provider/PolicyFile/AliasExpansion.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/sun/security/provider/PolicyFile/AliasExpansion.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -20,9 +20,3 @@
     permission java.security.SecurityPermission
 	"${{alias}}";
 };
-
-// Standard extensions get all permissions
-grant codeBase "file:${java.home}/lib/ext/*" {
-        permission java.security.AllPermission;
-};
-
--- a/jdk/test/sun/security/provider/PolicyFile/TrustedCert.policy	Thu Jul 10 12:40:48 2014 -0700
+++ b/jdk/test/sun/security/provider/PolicyFile/TrustedCert.policy	Thu Jul 10 22:44:58 2014 +0000
@@ -9,8 +9,3 @@
     permission java.util.PropertyPermission "foo", "read";
 };
 
-// Standard extensions get all permissions
-grant codeBase "file:${java.home}/lib/ext/*" {
-        permission java.security.AllPermission;
-};
-