PrivilegedAction et al and JEP411
Peter Firmstone
peter.firmstone at zeus.net.au
Sun Jun 18 22:30:48 UTC 2023
Thank you for clarifying.
OpenJDK advised us it was possible to implement a new Authorization
layer above the JVM, but without any suitable hooks from within the JVM,
it's not feasible.
We will support Java until the last version we can; it's not possible
for us to re-secure our software on the Java platform going forward.
--
Regards,
Peter
On 18/06/2023 10:15 pm, Alan Bateman wrote:
> On 18/06/2023 12:52, Peter Firmstone wrote:
>>
>> Thanks Alan,
>>
>> Personally, I would hope that nothing happens until after Java 21.
>> Time is precious; we'll need all the time we can get.
>>
>> I was hoping that all privileged actions might be retained
>> indefinitely, so that we may instrument them.
>>
> Once the SM operating mode goes away then I would expect most usages
> of privileged actions in the JDK can be removed. Leaving them for an
> "authorization layer" to instrument would be misleading. Existing
> usages will quickly bit rot. It would also be a tax on all future
> features and all ongoing maintenance.
>
> -Alan.