Request - Preparation for removal of SecurityManager
Sean Mullan
sean.mullan at oracle.com
Tue Oct 25 19:55:11 UTC 2022
When support for the Security Manager is removed, there would be little
benefit to keeping the permission checks inside the JDK, since it would
no longer be possible to set a Security Manager. Also, many APIs that
perform permission checks will likely be modified to no longer throw
SecurityException.
--Sean
On 10/25/22 2:25 AM, Peter Firmstone wrote:
> Would the OpenJDK team consider the following?
>
> Where SecurityManager is invoked directly now, such as:
>
>
> @SuppressWarnings("removal")
> SecurityManager sm = System.getSecurityManager();
> if (sm != null)
> sm.checkPermission(new RuntimePermission("setFactory"));
>
> Can we change these routines to the simpler form:
>
> newRuntimePermission("setFactory").checkGuard(null);
>
> This will give us more time to transition to a replacement authorization
> layer.
>
> We can instrument the Permission#checkGuard method, this will assist us
> to utilise existing Permission check hooks after SecurityManager is
> removed. Longer term we will need to maintain our own instrumentation
> hooks, but this will go a long way towards giving us a head start, by
> leveraging the existing.
>
More information about the security-dev
mailing list