Skip to content

Commit

Permalink
Merge pull request #483 from starksm64/master
Browse files Browse the repository at this point in the history
Statement for #460, #406 SecurityManager direction
  • Loading branch information
starksm64 authored May 3, 2022
2 parents 44d5f75 + b9c6330 commit 0c37e04
Showing 1 changed file with 6 additions and 0 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -25,3 +25,9 @@ for certain types of service providers called resource adapters, and the
Jakarta Authorization specification defines requirements for
security service providers. Future versions of this specification will
more fully define the Jakarta EE SPI.

=== SecurityManager Deprecation

With the https://openjdk.java.net/jeps/411[JEP 411: Deprecate the Security Manager for Removal] initiative that has deprecated several SecurityManager related methods in Java SE 17, and further limited functionality in Java SE 18, it is clear that Jakarta EE needs to remove requirements related to the SecurityManager. Discussions with OpenJDK developers have made it clear that there will be no replacement, and conversations along the lines of maintaining similar integration points at the JDK level have confirmed that the OpenJDK team does not want to support such integration points. This leaves Jakarta EE with the option of either introducing its own specification and requirements around similar functionality, or simply removing any requirements related to the SecurityManager. Given that replacing the SecurityManager permission checks in the JDK would require bytecode enhancement of implementations, it seems unlikely that this would be an achievable effort given the low level nature of the integration, and the general lack of effectiveness of the SecurityManager model as highlighted in the JEP 411 issue.

The decided course of action is to announce that the SecurityManager is being deprecated in Jakarta EE10 for removal in a subsequent release, and that EE10 would be the last release with any requirements relating to the SecurityManager. Further, the rapid pace of Java SE releases brings the possibility that implementers may want to certify on EE10 and earlier releases with a Java SE version that has eliminated the SecurityManager. Existing TCK SecurityManager requirements in EE10 and earlier EE release may have to be relaxed as challenges are filed. The platform team needs to be receptive to relaxing these requirements if the need arises.

0 comments on commit 0c37e04

Please sign in to comment.