Re: [jakartaee-platform-dev] [External] : Pending removal of security ma

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jakartaee-platform-dev] [External] : Pending removal of security manager

From: Lukas Jungmann <lukas.jungmann@xxxxxxxxxx>
Date: Mon, 19 Jul 2021 09:06:14 +0200
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=TqHFmFA6Y4gZj/IcWjxS+H1nKgjgC5Mhvz9qB521Tc0=; b=Z/WcPRTSGVL6ASTC/zGMwxjcgj6hIj2K3+RFelqsx4H7CF6U49w+d4qWFxmNpg0g0mZIT38c5zk5a8Hng8odDwh5RASBIJeH7UbRQjHiUgJHof4kwJh4rSXU6c6GkbzF+EVLoJTY1pWVMKzwKYqAJ8yh735s5TxX2IIf/OZIR2lpaBlU8o1+CXlBVonypl9i9woutLvOPV5mTTTZy/QTbPYJrSccNh+qBtgU4d3x9NlP0/5xK5QycGZATtJBGwE1WtfOngDP/yoe9yMNcDIzomZoOK4gtsTS1l6RNNzQcJonzIX3yfylvSXcM1W7slWXOzXg5G3/FoD31vFR9tqZCQ==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Aw6xD6LIPAX4r7uCNki6Qq5KQYRF7/+qigqKPDbqwgZWKRpApgeJPXMr3fWoHiW8yDmN/L0KYavi2P2e6YtF749ytAB0fxwGUYz57mRgD5PenQXGjvH26QCXJCHYlydl1UD7/U+/+A5X0pRthPcsNrLsnj55ODViyrgPIencYBD39p6oruEfWK9OV2twWGz4wMMKt8zFphvlc2S8LQpy27Rf7daW9qi+pBwPc2q+48fz1191Ty9nbpAowRGtLcHaYKrn9TpMINcbjNyqPdxe+wt3zemN0jYw1lV0mzzqjrXVflk5GI7oVVk8ePKR/cbidCRUgilWOxPDMijDsC+pkg==
Delivered-to: jakartaee-platform-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jakartaee-platform-dev/>
List-help: <mailto:jakartaee-platform-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jakartaee-platform-dev>, <mailto:jakartaee-platform-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jakartaee-platform-dev>, <mailto:jakartaee-platform-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.12.0

Hi,

On 4/15/21 10:37 PM, arjan tijms wrote:

Hi,
This new JEP just came out: https://openjdk.java.net/jeps/411<https://openjdk.java.net/jeps/411>

with SecurityManager being marked for removal in recent JDK 17 build[1],do you have an idea wrt impact on Authentication & Authorization specsand implementations?

I briefly checked other specs and from what I can see, mostSecurityManager usages there are about checks for its availability andexecution through AccessController when SM is available.AccessController as such is marked for removal too.

Other spec which can be affected by this is Connector spec, where onepart of the spec defines EIS integration-specific security details.Therefore I think SM removal has an impact on implementations of thisspec as well. (note that connectors spec available on jakara.ee specpage is incomplete[2])

Some specs also defines their own permission classes. Since these willbecome irrelevant going forward, should we deprecate them within EE 10?


thanks,
--lukas

[1]:https://download.java.net/java/early_access/jdk17/docs/api/java.base/java/lang/SecurityManager.html

[2]: https://github.com/jakartaee/specifications/issues/411

Jakarta EE is specifically mentioned:
"Jakarta EE has several requirements on the Security Manager. These mustbe either relaxed or removed in order for compliant applications to runon future Java releases after the Security Manager is degraded and thenremoved."
Now I've personally been arguing for not using/depending on the securitymanager in server side code for a long time. The idea of runningpotentially untrusted code on your own server always struck me asawkward and something you would not do anyway, even when runningmultiple applications on a single server instance was still somewhat ofa thing.
The TCK and GlassFish use the security manager a lot, so that would haveto be removed depending on the final outcome of JEP 411.
Kind regards,
Arjan

_______________________________________________
jakartaee-platform-dev mailing list
jakartaee-platform-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://urldefense.com/v3/__https://www.eclipse.org/mailman/listinfo/jakartaee-platform-dev__;!!GqivPVa7Brio!Lyp8ufQvUPlUW9ft3ojHD_zOf88CmLxVtY8qRin1cfC7UqUS4lu3YAgVd4JfusxqDzQ$

References:
- [jakartaee-platform-dev] Pending removal of security manager
  - From: arjan tijms

Prev by Date: Re: [jakartaee-platform-dev] API compile source and target levels
Next by Date: [jakartaee-platform-dev] Jakarta EE 10 Release Plan *Draft*
Previous by thread: Re: [jakartaee-platform-dev] [External] : Pending removal ofsecurity manager
Next by thread: [jakartaee-platform-dev] Request for Review - Migrate Jakarta EE Tutorial to Jakarta EE 9
Index(es):
- Date
- Thread

Breadcrumbs