Status: JDK-8191136 Remove deprecated java.security.{Certificate, Identity, IdentityScope, Signer} APIs
Eirik Bjørsnøs
eirbjo at gmail.com
Thu Apr 20 22:19:14 UTC 2023
>
> I gave Oracle WebLogic Server 14.1.1 a spin on 21-internal with Identity
> and friends removed. This version of WLS supports Java EE 8.
>
I tried the same for OpenLiberty (used in IBM WebSphere), and found two
separate problems:
1: The non-deprecated EJBContext.getCallerPrincipal() returns an instance
of java.security.Identity for the unauthenticated case. This method should
not initiate loading of this deprecated class, so an instance of
java.security.Principal should be returned instead.
2: A support class for the EJBContext implementation is loaded via
reflection using OSGi. The reflective Class.getConstructors() call fails
with java.security.Identity not present. This can be fixed by instead
constructing the instance of the service in Java via an OSGi ServiceFactory.
With these two issues fixed, OpenLiberty seems able to load and run apps
without the Identity class, as long as they are well behaved and don't call
the deprecated getCallerIdentity() method.
The above changes have been contributed to OpenLiberty as a PR:
https://github.com/OpenLiberty/open-liberty/pull/25070
Eirik.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20230421/5693f836/attachment.htm>
More information about the security-dev
mailing list