Hi all, I've created a branch here: https://github.com/apache/tomee/tree/jdk24 that includes the same changes as shown in [1], allowing TomEE to run on Java 24. This is necessary due to the removal and deprecation of several SecurityManager-related classes. Some of these now throw exceptions in Java 24, preventing TomEE from running / starting altogether.
I completed a full build with Java 24 [2], and the only failures observed were related to EJB method permission tests. Since Java 21, most of the affected classes have become no-ops, meaning EJB method permissions are no longer effectively enforced (as confirmed by running tests on Java 21+). Given this, I propose we merge these changes after careful review. We can keep other SecurityManager-related logic, like Subject.doAsPrivileged, for now—especially since EE10 still targets Java 17, where these are deprecated but functional. In the longer term, we can look into bridging/adapting these, as other ASF projects have done. It would also be important to add a note on our download page that running TomEE on Java 21+ currently does not guarantee EJB method security. From my perspective, merging these changes would benefit users who aren’t relying on EJB method security, enabling them to run TomEE on Java 24 (an LTS release). I'd like to open a discussion on how best to move forward with this. Gruß Richard [1] https://github.com/apache/tomee/commit/6d779321ddb9111cb46e7cd7f8e27929ff8bc3cc [2] https://ci-builds.apache.org/job/Tomee/job/pull-request-manual-jdk24/7/
