Authorization Layer post JEP 411

Sean Mullan sean.mullan at oracle.com
Thu Jun 3 15:02:58 UTC 2021



On 6/2/21 7:41 PM, Peter Firmstone wrote:
> AccessController and AccessControlContext allow backward compatibility 
> for JAAS. JAAS, whether we like it or not, is the default authorisation 
> layer framework.
> 
> http://word-bits.flurg.com/jaas-is-terrible-and-there-is-no-escape-from-it/
> 

I'm not sure why you referenced this blog which is actually advocating 
that JAAS has *less* dependency on Security Manager APIs such as 
AccessControlContext, whereas you seem to be advocating the opposite.

In any case, I believe the first two issues in this blog will largely be 
addressed by the deprecation of the Security Manager and the JAAS 
related RFEs that we have filed as follow-on work to JEP 411 to remove 
the dependencies on the SM APIs:

https://bugs.openjdk.java.net/browse/JDK-8266592
https://bugs.openjdk.java.net/browse/JDK-8267108

As for the 3rd issue in the blog, it is not related to the Security 
Manager, but I would need more time to understand the issues that were 
described.

Also the blog was written by David Lloyd who has been participating in 
these discussions, so he may want to say more about it.

--Sean



More information about the security-dev mailing list