Authorization Layer post JEP 411

Peter Firmstone peter.firmstone at zeus.net.au
Thu Jun 3 21:39:44 UTC 2021 

Hi Sean,

Developers are still going to need single points of control, where we 
can attach our agents to Java's API's.   We can't be playing a game of 
whack a mole trying to lock down the JDK.

It's fair enough that OpenJDK no longer wishes to maintain 
SecurityManager, however there are those of us who have to implement 
authorization layers and access controls and we don't have the luxury of 
choice.

So we've established that we need to use Agents and StackWalker now to 
implement our authorization layer.

It will be some years before we are able to keep up to date with Java 
releases again, but now we need to focus on how to achieve that.

Regarding your questions, the performance problems, were related to 
Java's FilePolicy implementation, I solved those issues by replacing it, 
but you're already aware of that, I was highlighting the struggle that 
developers have with Java security, but also that JAAS is a common 
foundation for user authorisation, so I hope that it will be improved, 
rather than removed.  I of course also use JAAS to establish TLS 
connections.

If there's anything else OpenJDK is thinking about, thinking about 
removing, then we need to know, so we don't use them in our new 
authorization layer.

-- 
Regards,
  
Peter Firmstone

On 4/06/2021 1:02 am, Sean Mullan wrote:
>
>
> On 6/2/21 7:41 PM, Peter Firmstone wrote:
>> AccessController and AccessControlContext allow backward compatiblity 
>> for JAAS.   JAAS whether we like it or not, is the default 
>> authorisation layer framework.
>>
>> http://word-bits.flurg.com/jaas-is-terrible-and-there-is-no-escape-from-it/ 
>>
>>
>
> I'm not sure why you referenced this blog which is actually advocating 
> that JAAS has *less* dependency on Security Manager APIs such as 
> AccessControlContext, whereas you seem to be advocating the opposite.
>
> In any case, I believe the first two issues in this blog will largely 
> be addressed by the deprecation of the Security Manager and the JAAS 
> related RFEs that we have filed as follow-on work to JEP 411 to remove 
> the dependencies on the SM APIs:
>
> https://bugs.openjdk.java.net/browse/JDK-8266592
> https://bugs.openjdk.java.net/browse/JDK-8267108
>
> As for the 3rd issue in the blog, it is not related to the Security 
> Manager, but I would need more time to understand the issues that were 
> described.
>
> Also the blog was written by David Lloyd who has been participating in 
> these discussions, so he may want to say more about it.
>
> --Sean

More information about the security-dev mailing list