There are several classes in com.sun.security.auth with @jdk.Exported(false) need to be re-examined:
The granularity of exports with the module system is at the level of packages. If a package is exported then all public types in that package are accessible.
We should decide if the above classes are supported or not. If not supported then they should be removed, at least changed to be non-public.