The java.security.Policy class is deprecated for removal in JDK 17 (as part of the security manager removal JEP).
Policy plays a central role in Jakarta Authorization, although in my opinion it has always been a questionable choice to reuse this specific class in Jakarta EE. Policy normally handles code-based security permissions, while Jakarta Authorization only deals with subject-based ones.
With Policy to be removed, we need to create a replacement for it, and at the least deprecate its current usage.
This will obviously have a very big impact on Jakarta Authorization, though I think doing it in a way that's conceptually compatible with how things are done today should be quite doable.
We essentially need:
1. A replacement class for Policy
2. A replacement mechanism to set/get the current Policy