New candidate JEP: 486: Permanently Disable the Security Manager
Sean Mullan
sean.mullan at oracle.com
Thu Oct 3 14:32:33 UTC 2024
We are aiming to do this in 24, but nothing is official until the JEP is
targeted to a specific release.
--Sean
On 10/3/24 6:28 AM, Peter Firmstone wrote:
> Which release does this target?
>
> I've been waiting to learn the affected Java release, so we can document
> which versions of Java our software can and cannot support.
>
> We'll continue to use Java beyond this release, but will need to
> maintain our own fork, as it's not possible to build an Authorization
> layer on top of Java without low-level hooks; this is built into our
> software at a foundational level and cannot be removed.
>
> Thank you.
>
> Peter.
>
> On 26/09/2024 9:55 pm, Mark Reinhold wrote:
>> // Correcting Sean’s e-mail address
>>
>> https://openjdk.org/jeps/486
>>
>> Summary: The Security Manager has not been the primary means of
>> securing client-side Java code for many years, it has rarely been used
>> to secure server-side code, and it is costly to maintain. We therefore
>> deprecated it for removal in Java 17 via JEP 411 (2021). As the next
>> step toward removing the Security Manager, we will revise the Java
>> Platform specification so that developers cannot enable it and other
>> Platform classes do not refer to it. This change will have no impact
>> on the vast majority of applications, libraries, and tools. We will
>> remove the Security Manager API in a future release.
>>
>> - Mark