Re: [jakartaee-platform-dev] [rest-dev] [External] : Fwd: [ec] JSR 399 (Java SE 24): JEP Proposed to Target: 486: Permanently Disable the Security Manager

Hi,

On Fri, 8 Nov 2024 at 20:54, James Perkins via jakartaee-platform-dev <jakartaee-platform-dev@xxxxxxxxxxx> wrote:
IMO it's best to wait until Jakarta REST 5.0. The APIs themselves will still be there and the JEP doesn't specify in which release they will remove the APIs. There are some sectors where it's still required to use the security manager.

It's a bit more subtle than that I'm afraid. Those sectors who think they require the security manager can't actually use their security manager with Jakarta EE 11 anyway (at least, not predictably), since most everything else in Jakarta EE 11 has removed it. Specifically all the Jakarta EE 11 tests have removed it.

So those sectors who think they need to use the security manager should stick to Jakarta EE 10 anyway. 

REST 4.0 is not in Jakarta EE 10, so updating it to fix the bug (the lingering security manager references) will not affect those sectors who think they still need to use the security manager.

There are also other specs, for example CDI, Jakarta Batch, etc., that have not ripped it out yet.

Are you sure? That would have been a blatant oversight of us :( 

The platform just removes the requirement to run with the security manager enabled. That doesn't mean an implementation cannot run with the security manager enabled.

I'm afraid it's again a bit more subtle. We primarily intended that the APIs would not be polluted with security manager dependencies anymore, so that the APIs can be freely used with JDK versions that have removed it (and/or fatally complain about it by default). If REST still has a lingering reference in its APIs, it's a bug.

Of course any implementation of the APIs is free to do whatever it wants, this just concerns the API artefacts themselves.

Kind regards,
Arjan Tijms


 


James R. Perkins

Principal Software Engineer

Red Hat



On Fri, Nov 8, 2024 at 8:53 AM Gurunandan Rao <gurunandan.rao@xxxxxxxxxx> wrote:

As per JEP 486, the System::getSecurityManager and AccessController::doPrivileged methods will run on JDK 24 without change, since these APIs are retained for compatibility, without functionality, as dummies. However, JEP 486 strongly recommends that libraries not use these methods, which will be removed in a future JDK release. Hence the Rest API https://github.com/jakartaee/rest/blob/49b07656ebdb60b3386d0b542f1c2151961ec8a0/jaxrs-api/src/main/java/jakarta/ws/rs/ext/RuntimeDelegate.java#L131 will fail for future releases of the JDK, whenever the APIs are removed.

Application servers will not be able to certify Jakarta EE 11 on a future JDK, where System::getSecurityManager and AccessController::doPrivileged methods are removed.


regards,
Guru



From: James Perkins <jperkins@xxxxxxxxxx>
Sent: 08 November 2024 20:46
To: Jakarta Rest project developer discussions <rest-dev@xxxxxxxxxxx>
Cc: jakartaee-platform-dev@xxxxxxxxxxx <jakartaee-platform-dev@xxxxxxxxxxx>; Gurunandan Rao <gurunandan.rao@xxxxxxxxxx>
Subject: Re: [rest-dev] [External] : [jakartaee-platform-dev] Fwd: [ec] JSR 399 (Java SE 24): JEP Proposed to Target: 486: Permanently Disable the Security Manager
 
May I ask why? The security manager still exists, it's just deprecated. I think it's fine to remove it for 5.0, but I see no reason to do a service release to remove it.


James R. Perkins

Principal Software Engineer

Red Hat



On Fri, Nov 8, 2024 at 12:54 AM Gurunandan Rao via rest-dev <rest-dev@xxxxxxxxxxx> wrote:
Hi Ivar,

Jakarta Rest API 4.0.0 has a dependency on the Security Manager as per issue - https://github.com/jakartaee/rest/issues/1262

IMO, a service release of Rest API 4.0.0 will be required to address the issue.

regards,
Guru


From: jakartaee-platform-dev <jakartaee-platform-dev-bounces@xxxxxxxxxxx> on behalf of Ivar Grimstad via jakartaee-platform-dev <jakartaee-platform-dev@xxxxxxxxxxx>
Sent: 02 November 2024 12:40
To: jakartaee-platform-dev@xxxxxxxxxxx <jakartaee-platform-dev@xxxxxxxxxxx>
Cc: Ivar Grimstad <ivar.grimstad@xxxxxxxxxxxxxxxxxxxxxx>
Subject: [External] : [jakartaee-platform-dev] Fwd: [ec] JSR 399 (Java SE 24): JEP Proposed to Target: 486: Permanently Disable the Security Manager
 
It looks like we made the right choice by removing all references to the Security Manager in Jakarta EE 11.

Ivar

---------- Forwarded message ---------
From: Iris Clark <iris.clark@xxxxxxxxxx>
Date: Sat, Nov 2, 2024 at 12:16 AM
Subject: [ec] JSR 399 (Java SE 24): JEP Proposed to Target: 486: Permanently Disable the Security Manager
To: java-se-spec-experts@xxxxxxxxxxx <java-se-spec-experts@xxxxxxxxxxx>


The following JEP with scope "SE" has been proposed to target JDK 24:

  486: Permanently Disable the Security Manager
       https://openjdk.org/jeps/486

  Summary: The Security Manager has not been the primary means of
  securing client-side Java code for many years, it has rarely been used
  to secure server-side code, and it is costly to maintain.  We therefore
  deprecated it for removal in Java 17 via JEP 411 (2021).  As the next
  step toward removing the Security Manager, we will revise the Java
  Platform specification so that developers cannot enable it and other
  Platform classes do not refer to it.  This change will have no impact
  on the vast majority of applications, libraries, and tools.  We will
  remove the Security Manager API in a future release.

The announced deadline for feedback to jdk-dev is Fri 8 Nov 20:00 UTC:

    https://mail.openjdk.org/pipermail/jdk-dev/2024-November/009601.html

If there are no unresolved objections at that time, then the JEP will be moved
to the Targeted state, indicating that the feature is expected to appear in
the specified release of the JDK Project.  For more information about states,
see the JEP Process document:

    https://openjdk.org/jeps/1

A dashboard that lists JEPs with "SE" scope may be found via a link on this
page:

    https://openjdk.org/projects/jdk/24/spec/

Thanks,
Iris


--

Ivar Grimstad

Jakarta EE Developer Advocate | Eclipse Foundation Eclipse Foundation - Community. Code. Collaboration. 
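
Added example, not part of the thread and not Jakarta REST project code: a check that an API jar carries no lingering links to the Security Manager API, done by walking each class file's constant pool for the names the thread discusses (`getSecurityManager`, `java/lang/SecurityManager`, `java/security/AccessController`). The marker list, the function names and the sample jar (two constant-pool-only stubs under a hypothetical `example/` package) are assumptions constructed for the illustration.

```python
import io, struct, zipfile

# Constant-pool strings that show a class still links to the Security Manager API.
MARKERS = ("java/lang/SecurityManager", "java/security/AccessController", "getSecurityManager")
# Payload bytes per constant tag (JVMS 4.4); Utf8, Long and Double are handled below.
FIXED = {3: 4, 4: 4, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def utf8_constants(data):
    """Return every CONSTANT_Utf8 string in a class file's constant pool."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, index, found = 10, 1, []
    while index < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # Utf8: u2 length, then the bytes
            (length,) = struct.unpack_from(">H", data, pos)
            found.append(data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in (5, 6):  # Long/Double take 8 bytes and two pool slots
            pos, index = pos + 8, index + 1
        else:
            pos += FIXED[tag]  # KeyError on a tag this sketch does not know
        index += 1
    return found

def scan_jar(jar_bytes):
    """Map each .class entry to the markers found in its constant pool."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in (n for n in jar.namelist() if n.endswith(".class")):
            pool = utf8_constants(jar.read(name))
            hits = sorted(m for m in MARKERS if any(m in s for s in pool))
            if hits:
                report[name] = hits
    return report

def sample_jar():
    """Constructed jar holding two constant-pool-only stubs, not real classes."""
    def stub(*strings):
        utf8 = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in strings)
        return struct.pack(">IHHH", 0xCAFEBABE, 0, 61, len(strings) + 3) + b"\x05" + bytes(8) + utf8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("example/Legacy.class", stub("getSecurityManager",
                     "()Ljava/lang/SecurityManager;", "java/security/AccessController"))
        jar.writestr("example/Clean.class", stub("java/lang/Thread"))
    return buf.getvalue()
```

Pass the bytes of a real API jar to `scan_jar` to list the classes that would stop linking once the methods are removed; an empty result means no constant pool in the jar names them.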

