JEP 411 - Secure Java Distribution

Ron Pressler ron.pressler at oracle.com
Tue Jun 1 10:02:28 UTC 2021


That depends what you mean by “acceptable.” You can maintain a version of the Java SE spec that
contains the Security Manager forever. If you want to add the SecurityManager to a version of 
the spec that doesn’t contain it (or contains it but behaves in a degraded manner) then that
will not pass the JCK even when no Security Manager is installed, as the spec requires that
“spec-owned” APIs are neither removed *nor added*. 

You could create a JDK targeting such a version that still passes the JCK with an API *similar* to 
SecurityManager but that isn’t in any of the spec’s namespaces.

Of course, OpenJDK has an open-source license, and you can do what you want with that code in accordance
with the license even if you don’t pass the JCK. Adding *new* files that are not currently covered by
the license might have other issues if they interfere with the spec in some way, and you’ll need to
consult with the appropriate people.

— Ron


> On 1 Jun 2021, at 10:06, Peter Firmstone <peter.firmstone at zeus.net.au> wrote:
> 
> If a vendor were to continue supporting SecurityManager and was backporting from OpenJDK, if it passes the JCK with SecurityManager disabled, that's still acceptable, right?
> 
> -- 
> Regards,
> Peter Firmstone
> 



More information about the security-dev mailing list