New candidate JEP: 411: Deprecate the Security Manager for Removal

Geertjan Wielenga geertjan at
Thu Apr 29 06:44:32 UTC 2021

Also, from the point of view of Apache NetBeans, here’s a list of our
concerns with these developments:

Apache NetBeans doesn't use java.lang.SecurityManager to guarantee
security, but rather to gain additional insight into the JVM's behavior.
Without having such insights, the IDE's user experience would be severely

Are replacement APIs being designed and will they be provided for
evaluation before JEP-411 is integrated?


On Thu, 29 Apr 2021 at 07:38, Peter Firmstone <peter.firmstone at>

> Which version of Java is this planned for?   Will the last version
> supporting the security manager be a long term support version, eg back
> ports of security patches and TLS technologies?
> We have our own security manager implementation and policy provider
> implementations.  Both of these are high performance and non-blocking
> and we are able to dynamically grant and revoke some permissions.
> While I acknowledge the Java policy implementation has a significant
> performance impact, due to blocking permission checks, ours is less than
> 1%.  Our software doesn't share PermissionCollection instances among
> threads, or even have a Permissions cache, PermissionCollection's are
> generated for each permission check and discarded for garbage
> collection, the Permission object themselves are cached (after
> initialization and safe publication), as are the results of repeated
> permission checks.  We also have our own Permission implementations.
> We have tools that generate policy files with least privilege, although
> we will manually alter them with wildcards, for network connections for
> instance.
> In our software, dynamic permissions are granted after authentication of
> TLS connections.
> It is too early for me to tell if there are suitable replacement
> technologies available.  I can understand the motivation for reducing
> Java's software development burden, but I think this version of Java
> might be the last for us, it would certainly be good if a long term
> support version was available, perhaps indefinitely lol.
> Regards,
> Peter Firmstone
> Zeus Project Services Pty Ltd.
> On 16/04/2021 4:05 am, mark.reinhold at wrote:
> >
> >
> >    Summary: Deprecate the Security Manager for removal in a future
> >    release. The Security Manager dates from Java 1.0. It has not been the
> >    primary means of securing client-side Java code for many years, and it
> >    has rarely been used to secure server-side code. To move Java forward,
> >    we intend to deprecate the Security Manager for removal in concert
> with
> >    the legacy Applet API (JEP 398).
> >
> > - Mark
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the security-dev mailing list