A possible JEP to replace SecurityManager after JEP 411

Alan Bateman Alan.Bateman at oracle.com
Tue Apr 26 08:28:57 UTC 2022


On 25/04/2022 13:53, David Lloyd wrote:
> Nothing in the proposal causes splitting or delegation of
> responsibilities. It is _only_ about preserving security checkpoints
> in the JDK, which *add* a layer of checks to what the container might
> already provide. Nothing is being subtracted, and thus I find it hard
> to accept that preserving these checks somehow reduces security
> overall.

"preserving security checkpoints in the JDK" suggests just leaving the 
calls do AccessController.doPrivileged and 
SecurityManager.checkPermission in place. That amounts to putting a tax 
on every feature, every JEP, and all ongoing maintenance of the 
platform. If there is refactoring or a change that forgets to insert a 
checkPermission somewhere then we have a security issue and everything 
that goes along with that. No thanks!

I think Martin is right that hooking authorization libraries into low 
level libraries isn't the right way to do this. Aside from the 
complexity methods I would add that threads pools or any hand-off 
between threads will typically break when the context is not carried.

One other point about authorization libraries wanting to hook into low 
level code is that it's a minefield of potential issues with recursive 
initialization, stack overflows and some really hard to diagnose issues. 
JDK-8155659 [1] is one report that comes to mind.

-Alan

[1] https://bugs.openjdk.java.net/browse/JDK-8155659


More information about the security-dev mailing list