Authorization Layer post JEP 411
Peter Firmstone
peter.firmstone at zeus.net.au
Thu Jun 3 21:59:40 UTC 2021
Sean,
Also, moving forward, we currently preserve AccessControlContext across
threads, and we do this to establish TLS connections for callbacks.
Will there be a new way to preserve the calling Subject across threads,
so we can perform callbacks over TLS?
Regards,
--
Regards,
Peter Firmstone
On 4/06/2021 7:39 am, Peter Firmstone wrote:
> Hi Sean,
>
> Developers are still going to need single points of control, where we
> can attach our agents to Java's APIs. We can't be playing a game of
> whack-a-mole trying to lock down the JDK.
>
> It's fair enough that OpenJDK no longer wishes to maintain
> SecurityManager, however there are those of us who have to implement
> authorization layers and access controls and we don't have the luxury
> of choice.
>
> So we've established that we need to use Agents and StackWalker now to
> implement our authorization layer.
>
> It will be some years before we are able to keep up to date with Java
> releases again, but now we need to focus on how to achieve that.
>
> Regarding your questions, the performance problems were related to
> Java's FilePolicy implementation; I solved those issues by replacing
> it, but you're already aware of that. I was highlighting the struggle
> that developers have with Java security, but also that JAAS is a
> common foundation for user authorisation, so I hope that it will be
> improved rather than removed. I of course also use JAAS to establish
> TLS connections.
>
> If there's anything else OpenJDK is thinking about removing, then we
> need to know, so we don't use it in our new authorization layer.
>
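The thread-propagation question above is about carrying the authenticated Subject from the calling thread into the worker thread that opens the TLS connection for a callback. The following is an added illustration, not code from the post or from OpenJDK: it shows the pre-JEP 411 pattern (capture the AccessControlContext-bound Subject, re-bind it in the worker with Subject.doAs) next to the replacement API that JDK 18 added for exactly this purpose (Subject.current() and Subject.callAs, which no longer depend on AccessControlContext). The class name, the executor setup and the "CN=alice" principal are constructed for the example; compiling the class as written requires JDK 18 or later.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

/**
 * Illustrative (not from the original post): hand the caller's Subject to a
 * worker thread, e.g. one that opens a TLS connection for a callback, so the
 * worker acts under the same identity as the thread that scheduled it.
 */
public final class SubjectPropagation {

    /**
     * Pre-JEP 411 pattern: the Subject lives in the AccessControlContext of the
     * calling thread, so it is captured here and re-bound in the worker with
     * Subject.doAs. Both APIs are deprecated for removal after JEP 411.
     */
    @SuppressWarnings({"deprecation", "removal"})
    static <T> Future<T> submitWithSubjectLegacy(ExecutorService pool, Callable<T> callback) {
        // Captured on the calling thread, before the task is handed off.
        Subject caller = Subject.getSubject(AccessController.getContext());
        return pool.submit(() ->
            Subject.doAs(caller, (PrivilegedAction<T>) () -> {
                try {
                    return callback.call();
                } catch (Exception e) {
                    throw new IllegalStateException("callback failed", e);
                }
            }));
    }

    /**
     * JDK 18+ replacement: Subject.current() reads the Subject bound by the
     * nearest enclosing Subject.callAs without touching AccessControlContext,
     * and Subject.callAs binds it again on the worker thread.
     */
    static <T> Future<T> submitWithSubject(ExecutorService pool, Callable<T> callback) {
        Subject caller = Subject.current();          // captured on the calling thread
        return pool.submit(() -> Subject.callAs(caller, callback));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample identity; a real deployment gets this from JAAS login.
        Subject alice = new Subject();
        alice.getPrincipals().add(new X500Principal("CN=alice"));

        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Run "as alice" on the main thread, then schedule work on the pool
            // and report which principals the worker thread actually sees.
            String seenByWorker = Subject.callAs(alice, () ->
                submitWithSubject(pool,
                    () -> String.valueOf(Subject.current().getPrincipals())).get());
            System.out.println("worker thread ran with principals: " + seenByWorker);
            // Expected: the worker reports CN=alice, i.e. the identity survived
            // the thread hop; without the capture/re-bind it would see no Subject.
        } finally {
            pool.shutdown();
        }
    }
}
```

The point of the pattern is that the capture happens on the calling thread and the re-bind happens inside the submitted task; capturing inside the task would read the pool thread's (empty) context instead. The legacy variant is kept only for comparison with code that still runs on JDK 17 and earlier.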