JEP proposed to target JDK 17: 411: Deprecate the Security Manager for Removal

Sean Mullan sean.mullan at oracle.com
Fri May 28 22:52:45 UTC 2021


We have updated the JEP with a few changes to the "Issue Warnings" 
section [1], summarized as follows:

If the Java runtime is started without setting the system property 
'java.security.manager' then a custom Security Manager can be installed 
dynamically by calling System::setSecurityManager, just as in Java 16. 
No UnsupportedOperationException will be thrown. This call will, 
however, issue a warning message explaining that the Security Manager is 
deprecated and will be removed in a future release.

We plan to change the default value of the 'java.security.manager' 
system property to "disallow" in the next release, i.e., Java 18. That 
will cause System::setSecurityManager to throw an 
UnsupportedOperationException in Java 18.

With these changes, the process of deprecating and eventually removing 
the Security Manager will be consistent with our treatment of past 
breaking changes such as, e.g., the strong encapsulation of internal 
APIs. Maintainers of libraries and applications will be given fair 
warning before any existing code is broken.

--Sean

[1] https://openjdk.java.net/jeps/411#Issue-warnings

On 5/21/21 7:03 PM, mark.reinhold at oracle.com wrote:
> The following JEP is proposed to target JDK 17:
> 
>    411: Deprecate the Security Manager for Removal
>         https://openjdk.java.net/jeps/411
> 
>    Summary: Deprecate the Security Manager for removal in a future
>    release. The Security Manager dates from Java 1.0. It has not been the
>    primary means of securing client-side Java code for many years, and it
>    has rarely been used to secure server-side code. To move Java forward,
>    we intend to deprecate the Security Manager for removal in concert with
>    the legacy Applet API (JEP 398).
> 
> Feedback on this proposal from JDK Project Committers and Reviewers [1]
> is more than welcome, as are reasoned objections.  If no such objections
> are raised by 23:59 UTC on Friday, 28 May, or if they’re raised and
> then satisfactorily answered, then per the JEP 2.0 process proposal [2]
> I’ll target this JEP to JDK 17.
> 
> - Mark
> 
> 
> [1] https://openjdk.java.net/census#jdk
> [2] https://cr.openjdk.java.net/~mr/jep/jep-2.0-02.html
> 


More information about the jdk-dev mailing list