Hello Richard,
long-term we should definitely try to fix the EJB method security on
Java 24+, and having TomEE be compatible with the latest Java releases
shouldn't even be up for discussion.
My 2 cents would be to:
- Put a disclaimer on the website
- Log a warning when TomEE detects JDK 24+ or possibly even fail the
deployment if TomEE detects the usage of security annotations that would
not work on Java 24, also introducing an "allow insecure deployments, I
know what I'm doing" property to overwrite this behavior
Thanks
Markus
On 26.06.25 08:50, Richard Zowalla wrote:
Hi all,
I've created a branch here: https://github.com/apache/tomee/tree/jdk24 that
includes the same changes as shown in [1], allowing TomEE to run on Java 24.
This is necessary due to the removal and deprecation of several
SecurityManager-related classes. Some of these now throw exceptions in Java 24,
preventing TomEE from running / starting altogether.
I completed a full build with Java 24 [2], and the only failures observed were
related to EJB method permission tests. Since Java 21, most of the affected
classes have become no-ops, meaning EJB method permissions are no longer
effectively enforced (as confirmed by running tests on Java 21+).
Given this, I propose we merge these changes after careful review.
We can keep other SecurityManager-related logic, like Subject.doAsPrivileged,
for now—especially since EE10 still targets Java 17, where these are deprecated
but functional. In the longer term, we can look into bridging/adapting these,
as other ASF projects have done. It would also be important to add a note on
our download page that running TomEE on Java 21+ currently does not guarantee
EJB method security.
From my perspective, merging these changes would benefit users who aren’t
relying on EJB method security, enabling them to run TomEE on Java 24 (an LTS
release).
I'd like to open a discussion on how best to move forward with this.
Gruß
Richard
[1]
https://github.com/apache/tomee/commit/6d779321ddb9111cb46e7cd7f8e27929ff8bc3cc
[2] https://ci-builds.apache.org/job/Tomee/job/pull-request-manual-jdk24/7/