[9] RFR: 8073430: Deprecate security APIs that have been superseded

Jason Uh jason.uh at oracle.com
Fri Mar 6 04:01:20 UTC 2015


Hi Max,

A couple of these, we probably won't be able to remove in JDK 9. I'm 
deprecating getPeerCertificateChain() in the javax.net.ssl.SSLSession 
interface in this change, so the implementation in 
sun.security.ssl.SSLSessionImpl will have to be suppressed. Also, 
X509V1CertImpl will probably have to be marked with @SuppressWarnings in 
JDK 9 and then hopefully it can be removed altogether in JDK 10 along 
with javax.security.cert.

As for some of the other methods causing warnings, I think they can 
actually be removed, but I'd like to track that change in a different 
issue. I'm not sure yet, but there might have to be some minor test 
changes to accommodate the changes, too. I filed an issue to track it:
https://bugs.openjdk.java.net/browse/JDK-8074531

For now, here are my changes again with Sean's suggested changes to the 
package-info.java files.
http://cr.openjdk.java.net/~juh/8073430/01/

Thanks,
Jason

On 03/04/2015 07:14 PM, Wang Weijun wrote:
> Hi Jason
>
> I noticed several "@SuppressWarnings("deprecation")" in some sun.* or com.sun.* classes and it makes me feel uncomfortable. The usage of this annotation, if I understand correctly, means we know we should not use it but we have to use it because we are lazy or there are no better alternatives. I highly doubt if any is the case here.
>
> So, we should investigate how those methods are used. If they are strictly internal (not jdk.exported) and not used inside JDK, remove them since they will not be accessible anymore in jdk9. If they are still used somewhere, consider rewriting them (maybe in another fix). If they are jdk.exported, rewrite if the deprecated interfaces are not shown in the API itself (type or argument or return), otherwise, @deprecate them also.
>
> Thanks
> Max
>
>> On Mar 5, 2015, at 03:02, Jason Uh <jason.uh at oracle.com> wrote:
>>
>> webrev: http://cr.openjdk.java.net/~juh/8073430/00/
>> jbs: https://bugs.openjdk.java.net/browse/JDK-8073430
>>
>> Please review this change, which deprecates the classes in java.security.acl and javax.security.cert. These packages have been superseded by replacements for a long time.
>>
>> For java.security.acl, there have been replacement APIs available since JDK 1.2 in java.security.Policy and related classes. For javax.security.cert, replacements have existed in java.security.cert since JDK 1.4. These replacements have been noted in the javadocs, so applications using these old APIs have had plenty of time to migrate.
>>
>> Two methods
>>
>>   HandshakeCompletedEvent.getPeerCertificateChain
>>   SSLSession.getPeerCertificateChain
>>
>> that return the javax.security.cert.X509Certificate type will also be deprecated.
>>
>> The change also includes deprecation warning suppression in a few areas, including sun.net.www.protocol.https.
>>
>> Thanks,
>> Jason
>


