New candidate JEP: 421: Deprecate Finalization for Removal

- liangchenblue at
Tue Nov 2 14:31:19 UTC 2021

Indeed. I was reminded of a discussion [1][2] back in July when I saw
this JEP candidate.

Now looking at it again, I guess we can easily prevent this risk once
this JEP is implemented (so finalizers are no-op and attacks cannot
happen even if the security manager is disallowed), and we might not
need to remove finalizers before security managers as long as we can
disable finalizers.

On Tue, Nov 2, 2021 at 9:20 AM Alan Bateman <Alan.Bateman at> wrote:
> On 02/11/2021 14:00, - wrote:
> > On a side note, will the actual removal of finalization become a
> > dependency of the actual removal of the security manager? I recall
> > when the security manager was deprecated for removal, developers
> > pointed out that there can be security risks with finalization in the
> > mailing list.
> >
> I suspect you may be thinking about classes that specify SM permission
> checks in their constructors. If so then no SM means the permission
> check doesn't do anything. If finalization is disabled or removed then
> the specific attack isn't a concern. So I think independent for that
> discussion, assuming this is what you mean.
> -Alan

More information about the jdk-dev mailing list