Re: [jaspic-dev] Remove usage of permissions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jaspic-dev] Remove usage of permissions

From: Guillermo González de Agüero <z06.guillermo@xxxxxxxxx>
Date: Mon, 29 Nov 2021 12:00:50 +0100
Delivered-to: jaspic-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jaspic-dev/>
List-help: <mailto:jaspic-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jaspic-dev>, <mailto:jaspic-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jaspic-dev>, <mailto:jaspic-dev-request@eclipse.org?subject=unsubscribe>

Hi,

To be honest, I'd go for option 3, as I don't think many people are relying on this and this change would be a sign that the API is really modernizing (as with the addition of generics you just made). One thing that can be done is to search for uses of those public fields in public Maven artifacts, but custom JASPIC providers are probably closed source and we won't find much information about usage.

My assumption has always been that applications relying on this kind of functionality, were designed a long time ago and are stuck to old versions of the application servers. If that's the case, removing it wouldn't do much harm, but only the vendors here can confirm that.

On Sun, Nov 28, 2021 at 11:46 PM arjan tijms <arjan.tijms@xxxxxxxxx> wrote:

Hi,

One thing we haven't discussed historically because it only came up fairly recently, is the removal of the security manager in Java SE for local code-based security checks.

Jakarta Authentication uses a number of them, e.g.

/**
* The SecurityPermission, with name {@link #GET_FACTORY_PERMISSION_NAME}, that is used to authorize access to the
* getFactory method.
*/
public static final SecurityPermission getFactorySecurityPermission = new SecurityPermission(GET_FACTORY_PERMISSION_NAME);

/**
* The SecurityPermission, with name {@link #SET_FACTORY_PERMISSION_NAME}, that is used to authorize access to the
* setFactory method.
*/
public static final SecurityPermission setFactorySecurityPermission = new SecurityPermission(SET_FACTORY_PERMISSION_NAME);

/**
* An instance of the SecurityPermission (with name {@link #PROVIDER_REGISTRATION_PERMISSION_NAME}) for use in
* authorizing access to the update methods of the factory implementation class.
*/
public static final SecurityPermission providerRegistrationSecurityPermission = new SecurityPermission(PROVIDER_REGISTRATION_PERMISSION_NAME);

These are used on the server to check whether the code has code-level permission to set or even get a factory.

Such checks are then carried out by code such as this:

private static void checkPermission(Permission permission) throws SecurityException {
SecurityManager securityManager = System.getSecurityManager();
if (securityManager != null) {
securityManager.checkPermission(permission);
}
}

What shall we do with this?

Options are:

1. Do nothing, ignore the issues until it really breaks (when the type is actually removed from SE)
2. Add an @deprecated javadoc annotation, explaining it will go away (users don't have to do anything, since it's used internally by the API)
3. Just outright remove it

Thoughts?

Kind regards,
Arjan Tijms

References:
- [jaspic-dev] Remove usage of permissions
  - From: arjan tijms

Prev by Date: Re: [jaspic-dev] Remove usage of permissions
Next by Date: Re: [jaspic-dev] Remove usage of permissions
Previous by thread: Re: [jaspic-dev] Remove usage of permissions
Next by thread: [jaspic-dev] registerServerAuthModule
Index(es):
- Date
- Thread

Breadcrumbs