blizzard of deprecation warnings related to JEP 411
Rick Hillegas
rick.hillegas at gmail.com
Tue Jun 15 14:10:35 UTC 2021

Resending this message from the account associated with my security-dev
subscription, in the hope that this will bypass moderation:

Rory O'Donnell recommended that I bring this issue to the security
developers' mailing list. I work on Apache Derby. Derby is one of the
applications which receive advance notice of new Open JDK distributions.
We then build our application with the new JDK's javac and javadoc tools
and we run our full test suite against the new JVM. As a canary in the
mineshaft, we noticed the following significant disruption.

When I tried to build Derby with the Rampdown Phase One build of open
JDK 17 (17-ea+26-2439), I saw many warnings related to the deprecation
of Security Manager classes and methods, undoubtedly the consequence of
JEP 411 (https://openjdk.java.net/jeps/411). Derby, like Tomcat,
embraced the Security Manager early on. Permissions checks were
rototilled across the whole code base and our distributions ship with
several template policy files, which we encourage users to customize for
their environments. The "Configuring Java Security" section of our
Security Guide explains how to do this
(https://db.apache.org/derby/docs/10.15/security/index.html).

My build only reported the first 100 warnings. It is likely that there
are many more.

Having read the summary of JEP 411, I understand the motivation for this
change. However, I don't understand how applications like Tomcat and
Derby are supposed to respond to the new blizzard of deprecation
warnings. For instance, is there a replacement for the deprecated
AccessController.doPrivileged() method? Or are we supposed to simply
disable this deprecation check? Is there some security expert whom I
should contact about this change and how to mitigate its effects?

Thanks,
-Rick