Re: [jakartaee-platform-dev] [External] : Reduce emphasis on security ma

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jakartaee-platform-dev] [External] : Reduce emphasis on security manager in EE 10?

From: Lukas Jungmann <lukas.jungmann@xxxxxxxxxx>
Date: Wed, 18 Aug 2021 13:32:39 +0200
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Vg0C/ORRRLLwTNoPrVqRxz6oDiWcg+PuR11nxXZJOfA=; b=KN3TdU523SK795sdp3JTmkYVTuUpfOGCoT7FOA7opq7kqyU8C9OzGi7KnVC0R406mMY5RJb7wByLJ3QhPGOvQ2ALvBakj5V9HslJ2Br1bnH2MIfMGECOCeT+h5WJDdA4K5FN3k5+8txgSCDfBp4HotTSxvm7OXpZWL899Ao/OjBp6WCvlanl1WDe4P8iamISb1V8E6JiNztdxuyS6KJXhy/Mk8ks7cXkLLeW16uuRYl+oZ/+uBStz0SPJByup1K/auEXfUjUu61jOClHIu+zyzi5gsB1f2BHFoFWY9L88YMmbpr9ol87OHVlaun1i+9rkAtKbmkkI32DHF0sqBTGsw==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Q1BSwuAWPda5EqKQeAgY484IyLqUxQml2i3+hm+6TsfZPHVIdhgGUJSNWco07qWaooYwmoWZ+PcyHKf4tHVFcpi8SxVoLNtp/qEhj2/OcTRrhLNgz+ThIFuq5dtLJe36nPgJOnreymoEgIuffhU2WvcyZtzRvfJs5yTMi7j0zgSmriHrCaMaaVNSGZgTKewgXhkKlGH3Jo65M622SQfTE/upzN7Q6lfzuQI1PG2V4GMMoU7xeiTdFcvjGSx9lPmZ6XP0SL/elX8NRiyIosCxWvQUdKBAwt2cKaDDwmyF+/duhH3HMAB0BPKEWLqeRl/eyzVKZKl3iRRknLkCLhrkMw==
Delivered-to: jakartaee-platform-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jakartaee-platform-dev/>
List-help: <mailto:jakartaee-platform-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jakartaee-platform-dev>, <mailto:jakartaee-platform-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jakartaee-platform-dev>, <mailto:jakartaee-platform-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.13.0

On 8/17/21 10:46 PM, Scott Marlow wrote:

On 8/17/21 2:14 PM, Lukas Jungmann wrote:
Hi,

On 7/29/21 3:51 PM, arjan tijms wrote:
Hi,
The Jakarta Platform has a very strong emphasis on the securitymanager, especially when it comes to TCK testing. A lot (oreverything?) is tested with the security manager enabled, andconstituent specs and implementations have to comply with that.
As the security manager has been deprecated for removal in JDK 17, Iwonder if we should not start taking the first steps in EE 10 toanticipate for this, even though EE 10 is not targeting JDK 17.
Perhaps we could start with making security manager enabled TCK runsoptional?
It looks like this got buried here - have you had a chance to discussthis with Scott (cc'ed), ie through different channel, already?
I think that he tests that specifically require the security manager areunder { ejb30/sec, connector, servlet, securityapi }.

I've done quick search over the specs to see the impact there and basedon my findings:

- ~90% of usages of security manager are null checks followed by thedeprecated for removal call to AccessController.doPrivileged if sm isnot null. This in particular applies to following specs:

CDI
Security
Authorization
Mail
Activation
SOAP
XML Binding
XML WS
Batch
Persistence
Validation


- calls to SecurityManager.checkPermission are in:
Authorization
Authentication
Security
XML Binding
REST

- there are also few specs defining custom Permission classes which arenot deprecated (yet?) but the JEP mentions that these custom classes maybecome useless once the SecurityManager goes away in JDK 18+. Does theplatform want to follow the JEP and start the process for removing themby deprecating them in the EE 10 or is the preferred solution to waitfor now? Applies to:

Authorization
Security
XML Binding
XML WS

thanks,
--lukas

Do we know which JDK classes will definitely be removed along with thesecurity manager? The TCK doesn't have a good way to deal with missingsecurity manager related classes.
thanks,
--lukas
Kind regards,
Arjan

_______________________________________________
jakartaee-platform-dev mailing list
jakartaee-platform-dev@xxxxxxxxxxx
To unsubscribe from this list, visithttps://urldefense.com/v3/__https://www.eclipse.org/mailman/listinfo/jakartaee-platform-dev__;!!ACWV5N9M2RV99hQ!dg74znjhBmn8jZ5FrmxPZx8H-Krvvh1j0v6o293w_B8kx04mdIcrnm8_s1IXoFlyrjw$

Follow-Ups:
- Re: [jakartaee-platform-dev] [External] : Reduce emphasis on security manager in EE 10?
  - From: arjan tijms

References:
- [jakartaee-platform-dev] Reduce emphasis on security manager in EE 10?
  - From: arjan tijms
- Re: [jakartaee-platform-dev] [External] : Reduce emphasis on security manager in EE 10?
  - From: Lukas Jungmann
- Re: [jakartaee-platform-dev] [External] : Reduce emphasis on security manager in EE 10?
  - From: Scott Marlow

Prev by Date: Re: [jakartaee-platform-dev] [External] : Reduce emphasis on security manager in EE 10?
Next by Date: Re: [jakartaee-platform-dev] [External] : Reduce emphasis on security manager in EE 10?
Previous by thread: Re: [jakartaee-platform-dev] [External] : Reduce emphasis on security manager in EE 10?
Next by thread: Re: [jakartaee-platform-dev] [External] : Reduce emphasis on security manager in EE 10?
Index(es):
- Date
- Thread

Breadcrumbs