Thanks Tomaz, I'm including the original jdeps report and Jason's original reply. I have dropped the xml related issues since that is simply bundled code.

• for our JAXP providers so that we get consistent behavior on all JVM vendors and versions. The first two introduce the APIs that the report is complaining about. This is misreported as a JDK internal dep, because the JDK implementation of JAXP happens to be a fork of them, and so introduces those APIs as well.
• org.relax.* - This is a similar issue. We bundle the sun JAXB impl of a fixed version in order to provide consistent results on all JVMs, the classes it is complaining about are actually introduced by a sub JAXB dep (rngom).
• com.sun.misc.Unsafe - This class is critical to implementing high-performance concurrent data structures and algorithms (hence it’s usage by java.util.concurrent). Our general pattern is to attempt to use it if possible, and fallback to slower, less resilient, yet portable mechanisms. In practice all JVMs now include this class, since all providers prefer to reuse the java.util.concurrent code. If the day comes that java.util.concurrent no longer requires this (or an equivalent class), our primary need for it would be eliminated.
• sun.reflect.ReflectionFactory - Serialization/Marshalling frameworks need to be able to instantiate classes which do not have public constructors (just like Java Serialization requires). Without this hook, or alternatively usage of unsafe, this is not possible.
• sun.misc.Cleaner - This is useful in cases where you want to free the memory associated with a direct buffer immediately, preventing degenerate cases of massive native memory consumption, or failures caused by inaccurate limit checking. The main issue is that the garbage collector does not have proper insight into native memory space. and thus may defer freeing what it thinks is a single small reference which in reality is a large block of memory. PhantomReference isn’t a workable alternative. That said, in general we prefer to avoid non-static usage of direct buffers.
• com.sun.org.apache.xerces.* - This looks like one of our third party deps, XOM, includes some code for Java 5 to workaround bugs and enable secure processing. This code will never actually be ran on WildFly since we require Java 7.
• sun.misc.Signal/SignalHandler - This dependency has been removed in later versions and uses an alternative strategy.
• sun.tools.jconsole.Utilities - We have a jconsole gui plugin that is using this. Aren’t all of these jconsole APIs considered unofficial?
• GSS SPI/API usage - I’d have to research this further as to why jacorb needs these. However, we are looking into switching to a downstream fork of the oracle orb used in the JDK, so this one is likely to vanish as well.

JDeps Report for wildfly-8.1.0.Final

        We are using JDK 8's new          jdeps        analysis tool to identify usage of JDK-internal APIs. It has been advised not to rely on any JDK-internal API        (e.g. sun.* packages)        since 1996. The jdeps        tool along with a        wiki page        were created to help you migrate to use the JDK supported APIs.  

        Your team should plan to eliminate any dependency to JDK-internal APIs.  Migrating to        use the JDK supported APIs now will give your team adequate time for regression        testing before the release of JDK 9.        For JDK-internal APIs that your application has to depend on and there is no        supported API providing equivalent functionality, we would appreciate an        explanation about why and how these particular APIs, if any, are used in your        application. jdeps is a static analysis tool and therefore  use of JDK-internal        APIs via reflection or dynamically generated bytecode are not shown in this report        while such dependency should also be replaced.  

        Development teams can use        jdeps        directly to identify any use of JDK-internal APIs and update your code or components        appropriately.          Alternately if many development groups need something changed in the        spec, we encourage participation in either        OpenJDK or the        Java Community Process.  

        We have analyzed jar files within wildfly-8.1.0.Final and found 26        jar files depend on JDK-Internal-API. Our        observations are  

  
• APIs that have known replacements: 7  
• APIs that your team should plan to migrate away and provide us            with explanations if necessary: 87  

APIs that have                        known replacements:

APIs that your team should plan to migrate away and provide us            with explanations if necessary:

Identify External Replacements

In addition to the above, your application might be using JDK-internal APIs that do not have            direct Oracle-provided replacements. These APIs are subject to            significant change or removal in JDK 9. Proper fixing may involve            identifying a separate third-party library that performs this            functionality.

William, it looks the usage is only when running in a VM prior to Java 8. Is that correct?

This email to the openjdk dev list introduces JEP 260: Encapsulate Most Internal APIs, which is about:

Description

Based upon analyses of various large collections of code, including Maven Central, and also feedback received since the release of JDK 8 and its dependency analysis tool (jdeps), we can divide the JDK's internal APIs into two broad categories:

• Those which do not appear to be used by code outside of the JDK, or are used by outside code merely for convenience, i.e., for functionality that is available in supported APIs or can easily be provided by libraries (e.g.,sun.misc.BASE64Decoder); and
• Those which provide critical functionality that would be difficult, if not impossible, to implement outside of the JDK itself (e.g., sun.misc.Unsafe).

In JDK 9 we propose to:

• Encapsulate all non-critical internal APIs by default: The modules that define them will not export their packages for outside use. (Access to such APIs will be available, as a last resort, via a command-line flag at both compile time and run time, unless those APIs are revised or removed for other reasons.)
• Encapsulate critical internal APIs for which supported replacements exist in JDK 8, in the same manner and with the same last-resort workaround. (A supported replacement is one that is either part of the Java SE 8 standard (i.e., in a java.* or javax.* package) or else JDK-specific and annotated with @jdk.Exported (typically in a com.sun.* or jdk.* package).)
• Not encapsulate critical internal APIs for which supported replacements do not exist in JDK 8 and, further, deprecate those which have supported replacements in JDK 9 with the intent to encapsulate them, or possibly even remove them, in JDK 10.

The critical internal APIs proposed to remain accessible in JDK 9 are:

• sun.misc.Cleaner
• sun.misc.{Signal,SignalHandler}
• sun.misc.Unsafe (The functionality of many of the methods in this class is now available via variable handles (JEP 193).)
• sun.reflect.Reflection::getCallerClass (The functionality of this method may be provided in a standard form via JEP 259.)
• sun.reflect.ReflectionFactory

----- Forwarded Message -----

From: "mark reinhold" <mark.reinhold@oracle.com>

To: jigsaw-dev@openjdk.java.net

Sent: Tuesday, August 4, 2015 7:48:39 AM

Subject: Encapsulating internal APIs in JDK 9 (sun.misc.Unsafe, etc.)

As part of the overall modularization effort [1] we're going to

encapsulate most of the JDK's internal APIs within the modules that

define and use them so that, by default, they are not accessible to

code outside the JDK.

This change will improve the integrity of the platform, since many of

these internal APIs define privileged, security-sensitive operations.

In the long run it will also reduce the costs borne by the maintainers

of the JDK itself and by the maintainers of libraries and applications

that, knowingly or not, make use of these non-standard, unstable, and

unsupported internal APIs.

It's well-known that some popular libraries make use of a few of these

internal APIs, such as sun.misc.Unsafe, to invoke methods that would be

difficult, if not impossible, to implement outside of the JDK.  To ensure

the broad testing and adoption of the release we propose to treat these

critical APIs as follows:

  - If it has a supported replacement in JDK 8 then we will encapsulate

    it in JDK 9;

  - If it does not have a supported replacement in JDK 8 then we will not

    encapsulate it in JDK 9, so that it remains accessible to outside

    code; and, further,

  - If it has a supported replacement in JDK 9 then we will deprecate it

    in JDK 9 and encapsulate it, or possibly even remove it, in JDK 10.

The critical internal APIs proposed to remain accessible in JDK 9 are

listed in JEP 260 [2].  Suggested additions to the list, justified by

real-world use cases and estimates of developer and end-user impact,

are welcome.

- Mark

[1] http://openjdk.java.net/jeps/200

[2] http://openjdk.java.net/jeps/260

Thanks. That JEP and some others are referenced in the JEP 260 that was just introduced to formally address the encapsulation problem.