New candidate JEP: 411: Deprecate the Security Manager for Removal

Sean Mullan sean.mullan at oracle.com
Mon Apr 19 13:49:31 UTC 2021


-bcc jdk-dev at openjdk.java.net

On 4/18/21 7:50 PM, David Black wrote:
> On Fri, 16 Apr 2021 at 04:05, <mark.reinhold at oracle.com> wrote:
> 
>     https://openjdk.java.net/jeps/411
> 
>        Summary: Deprecate the Security Manager for removal in a future
>        release. The Security Manager dates from Java 1.0. It has not been the
>        primary means of securing client-side Java code for many years, and it
>        has rarely been used to secure server-side code. To move Java forward,
>        we intend to deprecate the Security Manager for removal in concert with
>        the legacy Applet API (JEP 398).
> 
>     - Mark
> 
> 
> Hi,
> How can those interested in the JEP get involved?

Please provide feedback on the security-dev at openjdk.java.net list.

--Sean

> (I am asking because Atlassian makes use of a custom Java security
> manager, based on the manas security manager[0], to help mitigate SSRF
> attacks[1])
> 
> 
> [0] - https://code.google.com/archive/p/manas-java-security/ 
> [1] - https://github.com/asecurityteam/ssrf-protection-example-manas-security-manager/blob/master/example-security-manager-core/src/main/java/com/google/security/manas/ManasSecurityManager.java#L410
> 


