mattrpav commented on code in PR #1946:
URL: https://github.com/apache/karaf/pull/1946#discussion_r2080024456
##########
shell/ssh/src/main/java/org/apache/karaf/shell/ssh/ShellFactoryImpl.java:
##########
@@ -108,6 +108,7 @@ public void start(ChannelSession channelSession,
Environment environment) throws
for (Map.Entry<String, String> e :
environment.getEnv().entrySet()) {
shell.put(e.getKey(), e.getValue());
}
+ shell.put(Subject.class.getName(), subject);
Review Comment:
The JDK is deprecating for _removal_ the SecurityManager, AccessController,
and AccessControlContext classes and newer JDK builds are starting to have
those classes unavailable.
The solution is to start passing around the Subject in-session, so we can
safely start removing the AccessController references in parts of Karaf.
To ensure any Karaf command or other module using the Subject do not modify
the contents, the Subject should be created with the readOnly flag set to
'true'.
Places that perform login operations using LoginContext will need to by
modified to set the readOnly flag via subject.setReadOnly():
ref:
https://github.com/apache/karaf/blob/a021c6b4c22a0678b82cdf18ae2567e64b8add1c/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java#L87
Deprecation:
ref:
https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/lang/SecurityManager.html
ref:
https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/AccessController.html
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
