RFR: 8348967: Deprecate security permission classes for removal
David M. Lloyd
duke at openjdk.org
Fri Apr 4 13:53:57 UTC 2025
On Fri, 4 Apr 2025 12:42:36 GMT, Sean Mullan <mullan at openjdk.org> wrote:
> Please review this change to terminally deprecate the following security related permission classes: `java.security.AllPermission`, `java.security.UnresolvedPermission`, `javax.net.ssl.SSLPermission`, `javax.security.auth.AuthPermission`, `javax.security.auth.PrivateCredentialPermission`, `javax.security.auth.kerberos.DelegationPermission`, `javax.security.auth.kerberos.ServicePermission`, `com.sun.security.jgss.InquireSecContextPermission`. These classes were only useful in conjunction with the Security Manager, which is no longer supported.
I agree with most of these, however the permissions infrastructure *itself* is still used for user-level authorization (at least in WildFly/JBoss middleware, and I would assume other places as well). Part of this infrastructure does rely on `AllPermission` and its `PermissionCollection`. I don't see a reason to deprecate `AllPermission` before deprecating `Permission` itself.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/24445#issuecomment-2778791218
More information about the security-dev
mailing list