### Problem In a large java project with multiple third party dependencies, there is a case where the default **Authenticator** set by the java project owner is overridden by the third party dependency jars.
### Example While using **Google Big Query JDBC Jar**, If proxy username property is present in the connection url, the **default authenticator is reset** by a code piece in the jar without any checks for existing authenticator. ### Solution Since, Authenticator is set on JVM level, the modification should provide **access control capability to the java project owner**. ### Changes In java.net.Authenticator class, an AccessChecker class is initialized on class loading. By default, **java.net.AuthenticatorModifyAccessChecker** is loaded. The Java project owner can extend this class and implement their own custom implementation for **canModifyAuthenticator()** method. Java project owner should supply the custom class name in _"**authenticator.modify.access.checker.class**"_ system property which will be initialized on class loading time. ### Result This change will give access modification control for the Java Project owner. The project owner can just skip the setDefault() call by return false in canModifyAuthenticator() method or can throw error according to their need. ------------- Commit messages: - 8379776: Authenticator Modification Access Check Changes: https://git.openjdk.org/jdk/pull/30193/files Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=30193&range=00 Issue: https://bugs.openjdk.org/browse/JDK-8379776 Stats: 66 lines in 2 files changed: 66 ins; 0 del; 0 mod Patch: https://git.openjdk.org/jdk/pull/30193.diff Fetch: git fetch https://git.openjdk.org/jdk.git pull/30193/head:pull/30193 PR: https://git.openjdk.org/jdk/pull/30193
