RFR: 8344420: Remove Security Manager dependencies from javax.security package [v2]
Bradford Wetmore
wetmore at openjdk.org
Tue Nov 26 02:07:37 UTC 2024
On Mon, 25 Nov 2024 20:33:49 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> Now that JEP 486 has been integrated, the `javax.security` package implementation dependencies on `System.getSecurityManager`, `AccessController.doPrivileged` and `AccessControlContext` can be removed.
>>
>> Most of the changes are straightforward: removal of code calling `System.getSecurityManager()` and unwrapping of code inside `AccessController.doPrivileged`. However, two changes involved slightly more complicated work:
>>
>> 1. `javax.security.auth.login.Configuration` and `javax.security.auth.login.LoginContext` do not need to capture the caller's access control context anymore.
>> 2. The `SecureSet` implementation in `javax.security.auth.Subject` is greatly simplified because it does not do security checks anymore.
>
> Sean Mullan has updated the pull request incrementally with one additional commit since the last revision:
>
> Restore some local variables to be final.
I only looked over javax.security.cert. That part LGTM.
-------------
Marked as reviewed by wetmore (Reviewer).
PR Review: https://git.openjdk.org/jdk/pull/22368#pullrequestreview-2460046181
More information about the security-dev
mailing list