I think JSPWiki’s security is JAAS/container-managed with our Permission/ACL layer; it isn’t built on the JDK SecurityManager. The only SM-adjacent touchpoint is the deprecated Session#doPrivileged(...) wrapper—barely used and not on the auth/ACL path—so 3.0.0 is the right time to drop it and document.
Arturo On Wed, Oct 1, 2025 at 12:02 PM Jürgen Weber <[email protected]> wrote: > I believe the jspwiki Security is built around the SecurityManager, isn't > it? > Removing the dependency is better for 3.1 > > Arturo Bernal <[email protected]> schrieb am Mi., 1. Okt. 2025, 11:37: > > > Hi All, > > > > +1 (binding). 3.0.0 is the right line in the sand: remove the Security > > Manager–dependent API and other long-deprecated code, finish the > > javax→Jakarta cleanup, and baseline JDK 17 > > > > cheers, > > Arturo > > > > > > Arturo > > > > > > On Tue, Sep 30, 2025 at 8:52 PM Juan Pablo Santos Rodríguez < > > [email protected]> wrote: > > > > > Hi! > > > > > > While going through the code I've noticed that jspwiki-api not only > > > contained a method relying on javax, thus implying a major version), > > > but there's also a method [#1] which uses classes from the Security > > > Manager, marked Deprecated and for removal at a latter version (done > > > in JDK-24, IIRC). This method is barely used throughout the code, and > > > I suspect is less used on third party extensions. > > > > > > As such, I'd like to remove it from the jspwiki-api module, so we > > > avoid a breaking change in a future release, and also remove the rest > > > of the related deprecated code throughout the code base. > > > > > > This way JSPWiki should be able to run using JDK 17 to 25. Thoughts? > > > > > > > > > cheers, > > > juan pablo > > > > > > [#1]: > > > > > > https://github.com/apache/jspwiki/blob/master/jspwiki-api/src/main/java/org/apache/wiki/api/core/Session.java#L240-L252 > > > > > >
