| Re: [jakartaee-platform-dev] [rest-dev] [External] : Fwd: [ec] JSR 399 (Java SE 24): JEP Proposed to Target: 486: Permanently Disable the Security Manager |
IMO it's best to wait until Jakarta REST 5.0. The API's themselves will still be there and the JEP doesn't specify in which release they will remove the API's. There are some sectors where it's still required to use the security manager.
There's also other specs, for example CDI, Jakarta Batch, etc., that have not ripped it out yet.
The platform just removes the requirement to run with the security manager enabled. That doesn't mean an implementation cannot run with the security manager enabled.
_______________________________________________On Fri, Nov 8, 2024 at 8:53 AM Gurunandan Rao <gurunandan.rao@xxxxxxxxxx> wrote:
As per JEP 486 System::getSecurityManager and AccessController::doPrivileged methods will run on JDK 24 without change, Since these API's are retained for compatibility without functionality as dummy. However, JEP 486 strongly recommends libraries not use these methods, which will be removed in a future JDK release. Hence Rest API https://github.com/jakartaee/rest/blob/49b07656ebdb60b3386d0b542f1c2151961ec8a0/jaxrs-api/src/main/java/jakarta/ws/rs/ext/RuntimeDelegate.java#L131will fail for future releases of JDK, whenever the API's are removed.
Application servers will not be able to certify Jakarta EE 11 on a future JDK, where System::getSecurityManager and AccessController::doPrivileged methods are removed.
Platform EE 11 Specification removes requirement of Security Manager( https://jakarta.ee/specifications/platform/11/jakarta-platform-spec-11.0-m4#jakarta-ee-security-manager-related-requirements), however Rest API throws SecurityException [ https://github.com/jakartaee/rest/blob/49b07656ebdb60b3386d0b542f1c2151961ec8a0/jaxrs-api/src/main/java/jakarta/ws/rs/ext/RuntimeDelegate.java#L131]
regards,Guru
From: James Perkins <jperkins@xxxxxxxxxx>
Sent: 08 November 2024 20:46
To: Jakarta Rest project developer discussions <rest-dev@xxxxxxxxxxx>
Cc: jakartaee-platform-dev@xxxxxxxxxxx <jakartaee-platform-dev@xxxxxxxxxxx>; Gurunandan Rao <gurunandan.rao@xxxxxxxxxx>
Subject: Re: [rest-dev] [External] : [jakartaee-platform-dev] Fwd: [ec] JSR 399 (Java SE 24): JEP Proposed to Target: 486: Permanently Disable the Security ManagerMay I ask why? The security manager still exists, it's just deprecated. I think it's fine to remove it for 5.0, but I see no reason to do a service release to remove it.
On Fri, Nov 8, 2024 at 12:54 AM Gurunandan Rao via rest-dev <rest-dev@xxxxxxxxxxx> wrote:
_______________________________________________Hi Ivar,
Jakarta Rest API 4.0.0 has dependency on Security Manager as per issue - https://github.com/jakartaee/rest/issues/1262
IMO, Service release of Rest API 4.0.0 will be required to address the issue.
regards,Guru
From: jakartaee-platform-dev <jakartaee-platform-dev-bounces@xxxxxxxxxxx> on behalf of Ivar Grimstad via jakartaee-platform-dev <jakartaee-platform-dev@xxxxxxxxxxx>
Sent: 02 November 2024 12:40
To: jakartaee-platform-dev@xxxxxxxxxxx <jakartaee-platform-dev@xxxxxxxxxxx>
Cc: Ivar Grimstad <ivar.grimstad@xxxxxxxxxxxxxxxxxxxxxx>
Subject: [External] : [jakartaee-platform-dev] Fwd: [ec] JSR 399 (Java SE 24): JEP Proposed to Target: 486: Permanently Disable the Security ManagerIt looks like we made the right choice by removing all references to the Security Manager in Jakarta EE 11.
Ivar
---------- Forwarded message ---------
From: Iris Clark <iris.clark@xxxxxxxxxx>
Date: Sat, Nov 2, 2024 at 12:16 AM
Subject: [ec] JSR 399 (Java SE 24): JEP Proposed to Target: 486: Permanently Disable the Security Manager
To: java-se-spec-experts@xxxxxxxxxxx <java-se-spec-experts@xxxxxxxxxxx>
The following JEP with scope "SE" has been proposed to target JDK 24:
486: Permanently Disable the Security Manager
https://openjdk.org/jeps/486
Summary: The Security Manager has not been the primary means of
securing client-side Java code for many years, it has rarely been used
to secure server-side code, and it is costly to maintain. We therefore
deprecated it for removal in Java 17 via JEP 411 (2021). As the next
step toward removing the Security Manager, we will revise the Java
Platform specification so that developers cannot enable it and other
Platform classes do not refer to it. This change will have no impact
on the vast majority of applications, libraries, and tools. We will
remove the Security Manager API in a future release.
The announced deadline for feedback to jdk-dev is Fri 8 Nov 20:00 UTC:
https://mail.openjdk.org/pipermail/jdk-dev/2024-November/009601.html
If there are no unresolved objections at that time, then the JEP will be moved
to the Targeted state, indicating that the feature is expected to appear in
the specified release of the JDK Project. For more information about states,
see the JEP Process document:
https://openjdk.org/jeps/1
A dashboard that lists JEPs with "SE" scope may be found via a link on this
page:
https://openjdk.org/projects/jdk/24/spec/
Thanks,
Iris
--
Ivar Grimstad
Jakarta EE Developer Advocate | Eclipse Foundation Eclipse Foundation - Community. Code. Collaboration.
rest-dev mailing list
rest-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org
jakartaee-platform-dev mailing list
jakartaee-platform-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jakartaee-platform-dev