I thought target for Jakarta EE 11 is JDK 17 and/or 21?
--
|
Steve
Millidge
Founder
&
CEO
|
From: Gurunandan Rao <gurunandan.rao@xxxxxxxxxx>
Sent: 27 November 2024 12:48
To: Steve Millidge (Payara) <steve.millidge@xxxxxxxxxxx>; jca developer discussions <jca-dev@xxxxxxxxxxx>
Cc: jakartaee-platform developer discussions <jakartaee-platform-dev@xxxxxxxxxxx>
Subject: Re: [jca-dev] [jakartaee-platform-dev] [External] : Re: Jakarta Connectors removal of Security Manager dependency
The question is related to EE 11 Platform TCK connector tests with JDK24+.
I don’t know wont that be addressed as part of Jakarta EE 12? Can you raise an issue on the GitHub to capture discussions.
--
|
Steve
Millidge
Founder & CEO
|
What will be recommended paths for enforcement of Security Permission defined within Connector 2.1 component SPEC for JDK24+?
Can the Jakarta Security Authorization API be used by an application server to enforce the default set of permissions specified in the Connector Specification 2.1, without relying on
a SecurityManager?
Not really no. These two address two opposite types of permissions.
Jakarta (Security) Authorization: User level permissions. These consider the code the server is running as trusted, and the (remote) user accessing the server as untrusted.
Java SE SecurityManager: Code level permissions. These consider the (remote) code running on a (local) system as untrusted, and the (local) user accessing the application running that code as trusted.
Particularly, Jakarta Authorization is about you running a server that want to protect against remote users logging in to that server, while the Java SE security manager is about you running an application that
you got from an untrusted source and protecting your own system against that application.
Are there Authorization APIs available that can help enforce the SecurityPermission SPI, as defined in the Connector Specification, without the need for a SecurityManager?
Not really. You could at most say that the security manager is now always disabled by default, and when the security manager is disabled the connectors get all permissions explicitly in a way.
connector 2.1 annotation:
Connector 2.1 specification violates Jakarta EE 11 Platform specification by stating that "An application server must provide a set of security permissions for executing a resource
adapter in a managed runtime environment. A resource adapter must be granted explicit permissions to access system resources".
These specific requirements in Platform EE 11 Spec and Connector 2.1 are conflicting with each other.
If a spec, xsd etc is discussing behavior that is driven by the Security Manager it seems to me that that behavior is only relevant when there is a working
SM in the runtime. Specs may not have explicitly stated that, because it was just understood. This is nothing new as most EE workloads are executed in runtimes without the SM enabled.
JEP 486 is saying there won't be a working SM anymore in SE 24, but it's not going to cause calls to the SM APIs to fail. So applications running on SE 24 are
working in the same basic situation as those that have been running for decades now in runtimes that don't have the SM enabled. So I don't see a problem here when it comes to specs, xsds etc. Something to clean up in the future, but not a problem now.
TCKs are a different matter. If an EE 11 implementation needs to run a particular TCK in order to certify, then there needs to be a way to exclude tests that
require an SM. AIUI such tests are being removed from the EE 11 platform TCK.
Jakarta EE 11 requires Java 17 as a baseline, but we can not prevent end users from using a newer JDK in their environment. JDK 24 includes a couple of new language features, which are very attractive for developers.
And when JDK 24 is released, all Jakarta EE providers should be ready for the new product for Jakarta EE 11.
I remember the *removal of the Security Manager* was a task in the initial discussion of Jakarta EE 11. Now that WildFly/OpenLiberty is aligned with the Jakarta EE 11 core profile,
the Jakarta EE platform profile is not finalized yet, there is still some room to do the cleanup of the Security Manager.
Regards,
Hantsy Bai
Self-employed consultant, fullstack developer, agile coach, freelancer/remote worker
GitHub:
https://github.com/hantsy
Twitter:
https://twitter.com/@hantsy
Jakarta EE releases are open-ended, Jakarta EE 11 release minimum Java SE is 17.
Thanks for pointing this out. It will be important for Jakarta EE 12. I do not believe it impacts Jakarta EE 11 because Jakarta EE 11 aligns with Java SE 21 and 17, not 24.
Principal Architect, Red Hat JBoss EAP
_______________________________________________
jca-dev mailing list
jca-dev@xxxxxxxxxxx
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jca-dev
|