JEP 411, removal of finalizers, a path forward.
Peter Firmstone
peter.firmstone at zeus.net.au
Sat Jul 31 03:04:07 UTC 2021
The current JEP 411 plan of action, if left unchanged, will leave
developers who adopted the SM architecture as an authorization layer
unable to upgrade to later versions of Java, until finalizers and the
finalizer attack defensive methods in constructors are removed. JEP 411
has the potential to cause significant disruption for a small proportion
of Java developers, but doesn't have to if managed appropriately.
The blocker is the ability to implement guard checks using Agents on
public API, due to finalizer attack defensive private static methods in
constructors.
Allan has advised when finalizers are removed, it will be practical to
use Agents to instrument public API to implement an authorization layer,
this is try, so can it be coordinated with JEP 411 et al?
Furthermore, as developers must support multiple Java releases, I
propose the following amendments, to ease difficulties of multiple
release support (with multi release jars):
* AccessController, AccessControlContext, DomainCombiner and related
Subject and Executors methods, remain until Java 8 is EOL in 2030.
Also consider un-deprecation of these methods, as their removal
causes shotgun surgery (used in 1000's of locations in my software
alone) and they are required for preservation of Subject, used for
obtaining TLS and Kerberos connection credentials on all existing
versions of Java.
* AccessControlContext - remove inherited thread context, replace it
with an unprivileged ProtectionDomain, such that doPrivileged
methods are required for authorization checks and only the current
thread stack needs to be walked when checks occur, and stack walks
aren't unnecessarily performed when creating new threads. This is
compatible with Loom, update loom to allow the use of
AccessControlContext to be used, to establish TLS and Kerberos
connections. Loom will be very useful for network connections,
especially long latency connections over the internet, which are
typically secured using TLS. This removes the problem of viral
checks, and Executor task privilege escalation.
* Modules that are mapped to the boot loader should get a unique PD
that includes a useful code source rather than using a "shared" PD,
this allows us to reduce the privileged footprint of the Java
platform libraries, to allow privileges to be granted to users, not
code, or users and code. This is useful to limit data parsing
privileges to authenticated users on servers (a practise that should
be more widely encouraged).
* Remove finalizers, and defensive methods in constructors where
permissions check points occur as these cause problems for Agents,
prior to removal of SecurityManager.
* Deprecate for removal Permission implementations, then remove them
in a following release.
* Remove SecurityManager.
This allows a forward migration path for poor sod's like myself who are
currently using SM infrastructure as an authorization layer, and to
establish TLS conenctions, this or at least some sort of compromise is
far preferable to the thermonuclear option currently planned.
What I would like OpenJDK to consider, is to allow developers like
myself to continue to stay current with Java, by coordinating the
removal of finalizers and defensive methods in constructors, with JEP
411, so we have a workable future migration path. Without these
considerations, options are; go back to Java 8, and plan to redevelop
existing software, if forced to do so, Java is unlikely to be on the
list for redevelopment, simply because development costs are lower in
newer languages, such as automated unit tests,
https://hackage.haskell.org/package/QuickCheck, no need to worry about
null pointers and less boilerplate.
Don't get me wrong, I like Java and have many years experience with it,
but I have to be pragmatic, it won't just be me, many other developers,
when Java 8 is EOL, will work for companies stuck on that platform,
simply due to the number of changes required, because they haven't kept
up (eg budgets) with the current release cadence and pace of
development, will be looking at redevelopment and replacement instead of
migration. Clearly the current pace of development is a good thing for
Java, but the overall strategy could be tweaked a little, to ensure
migration doesn't become insurmountable. A healthy and vibrant Java
community is essential for the survival of Java, Java has already shed
phone and client markets, lets not shed too many more.
Thanks,
Peter
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20210731/5a72b6dc/attachment.htm>
More information about the security-dev
mailing list