Re: [jakartaee-platform-dev] [rest-dev] [External] : Fwd: [ec] JSR 399 (Java SE 24): JEP Proposed to Target: 486: Permanently Disable the Security Manager

+1 to James' suggestion.

Regarding what I said, no API changes, I meant making the code changes to the API jars. From my understanding, except for javadoc comment tidy-up, any other changes are discouraged. You could update significant code without touching the APIs, which could lead to the previously certified runtime no longer being compatible.
Thanks
Emily


On Fri, Nov 8, 2024 at 7:54 PM James Perkins via rest-dev <rest-dev@xxxxxxxxxxx> wrote:
IMO it's best to wait until Jakarta REST 5.0. The APIs themselves will still be there and the JEP doesn't specify in which release they will remove the APIs. There are some sectors where it's still required to use the security manager.

There are also other specs, for example CDI, Jakarta Batch, etc., that have not ripped it out yet.

The platform just removes the requirement to run with the security manager enabled. That doesn't mean an implementation cannot run with the security manager enabled.


James R. Perkins

Principal Software Engineer

Red Hat



On Fri, Nov 8, 2024 at 8:53 AM Gurunandan Rao <gurunandan.rao@xxxxxxxxxx> wrote:

As per JEP 486, the System::getSecurityManager and AccessController::doPrivileged methods will run on JDK 24 without change, since these APIs are retained for compatibility, without functionality, as dummies. However, JEP 486 strongly recommends that libraries not use these methods, which will be removed in a future JDK release. Hence the Rest API https://github.com/jakartaee/rest/blob/49b07656ebdb60b3386d0b542f1c2151961ec8a0/jaxrs-api/src/main/java/jakarta/ws/rs/ext/RuntimeDelegate.java#L131 will fail for future releases of JDK, whenever the APIs are removed.

Application servers will not be able to certify Jakarta EE 11 on a future JDK, where System::getSecurityManager and AccessController::doPrivileged methods are removed.


regards,
Guru



From: James Perkins <jperkins@xxxxxxxxxx>
Sent: 08 November 2024 20:46
To: Jakarta Rest project developer discussions <rest-dev@xxxxxxxxxxx>
Cc: jakartaee-platform-dev@xxxxxxxxxxx <jakartaee-platform-dev@xxxxxxxxxxx>; Gurunandan Rao <gurunandan.rao@xxxxxxxxxx>
Subject: Re: [rest-dev] [External] : [jakartaee-platform-dev] Fwd: [ec] JSR 399 (Java SE 24): JEP Proposed to Target: 486: Permanently Disable the Security Manager
 
May I ask why? The security manager still exists, it's just deprecated. I think it's fine to remove it for 5.0, but I see no reason to do a service release to remove it.


James R. Perkins

Principal Software Engineer

Red Hat



On Fri, Nov 8, 2024 at 12:54 AM Gurunandan Rao via rest-dev <rest-dev@xxxxxxxxxxx> wrote:
Hi Ivar,

Jakarta Rest API 4.0.0 has a dependency on the Security Manager as per issue - https://github.com/jakartaee/rest/issues/1262

IMO, a service release of Rest API 4.0.0 will be required to address the issue.

regards,
Guru


From: jakartaee-platform-dev <jakartaee-platform-dev-bounces@xxxxxxxxxxx> on behalf of Ivar Grimstad via jakartaee-platform-dev <jakartaee-platform-dev@xxxxxxxxxxx>
Sent: 02 November 2024 12:40
To: jakartaee-platform-dev@xxxxxxxxxxx <jakartaee-platform-dev@xxxxxxxxxxx>
Cc: Ivar Grimstad <ivar.grimstad@xxxxxxxxxxxxxxxxxxxxxx>
Subject: [External] : [jakartaee-platform-dev] Fwd: [ec] JSR 399 (Java SE 24): JEP Proposed to Target: 486: Permanently Disable the Security Manager
 
It looks like we made the right choice by removing all references to the Security Manager in Jakarta EE 11.

Ivar

---------- Forwarded message ---------
From: Iris Clark <iris.clark@xxxxxxxxxx>
Date: Sat, Nov 2, 2024 at 12:16 AM
Subject: [ec] JSR 399 (Java SE 24): JEP Proposed to Target: 486: Permanently Disable the Security Manager
To: java-se-spec-experts@xxxxxxxxxxx <java-se-spec-experts@xxxxxxxxxxx>


The following JEP with scope "SE" has been proposed to target JDK 24:

  486: Permanently Disable the Security Manager
       https://openjdk.org/jeps/486

  Summary: The Security Manager has not been the primary means of
  securing client-side Java code for many years, it has rarely been used
  to secure server-side code, and it is costly to maintain.  We therefore
  deprecated it for removal in Java 17 via JEP 411 (2021).  As the next
  step toward removing the Security Manager, we will revise the Java
  Platform specification so that developers cannot enable it and other
  Platform classes do not refer to it.  This change will have no impact
  on the vast majority of applications, libraries, and tools.  We will
  remove the Security Manager API in a future release.

The announced deadline for feedback to jdk-dev is Fri 8 Nov 20:00 UTC:

    https://mail.openjdk.org/pipermail/jdk-dev/2024-November/009601.html

If there are no unresolved objections at that time, then the JEP will be moved
to the Targeted state, indicating that the feature is expected to appear in
the specified release of the JDK Project.  For more information about states,
see the JEP Process document:

    https://openjdk.org/jeps/1

A dashboard that lists JEPs with "SE" scope may be found via a link on this
page:

    https://openjdk.org/projects/jdk/24/spec/

Thanks,
Iris


--

Ivar Grimstad

Jakarta EE Developer Advocate | Eclipse Foundation

_______________________________________________
rest-dev mailing list
rest-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org


--
Thanks
Emily

