+1 on Markus' proposal to make TomEE compatible with Java 24+, I love this approach !
Alex Le mar. 8 juil. 2025 à 12:39, Markus Jung <ju...@apache.org> a écrit : > > Hello Richard, > > > long-term we should definitely try to fix the EJB method security on > Java 24+, and having TomEE be compatible with the latest Java releases > shouldn't even be up for discussion. > > My 2 cents would be to: > > - Put a disclaimer on the website > > - Log a warning when TomEE detects JDK 24+ or possibly even fail the > deployment if TomEE detects the usage of security annotations that would > not work on Java 24, also introducing an "allow insecure deployments, I > know what I'm doing" property to overwrite this behavior > > > Thanks > > Markus > > On 26.06.25 08:50, Richard Zowalla wrote: > > Hi all, > > > > I've created a branch here: https://github.com/apache/tomee/tree/jdk24 that > > includes the same changes as shown in [1], allowing TomEE to run on Java > > 24. This is necessary due to the removal and deprecation of several > > SecurityManager-related classes. Some of these now throw exceptions in Java > > 24, preventing TomEE from running / starting altogether. > > > > I completed a full build with Java 24 [2], and the only failures observed > > were related to EJB method permission tests. Since Java 21, most of the > > affected classes have become no-ops, meaning EJB method permissions are no > > longer effectively enforced (as confirmed by running tests on Java 21+). > > > > Given this, I propose we merge these changes after careful review. > > > > We can keep other SecurityManager-related logic, like > > Subject.doAsPrivileged, for now—especially since EE10 still targets Java > > 17, where these are deprecated but functional. In the longer term, we can > > look into bridging/adapting these, as other ASF projects have done. It > > would also be important to add a note on our download page that running > > TomEE on Java 21+ currently does not guarantee EJB method security. > > > > From my perspective, merging these changes would benefit users who aren’t > > relying on EJB method security, enabling them to run TomEE on Java 24 (an > > LTS release). > > > > I'd like to open a discussion on how best to move forward with this. > > > > Gruß > > Richard > > > > [1] > > https://github.com/apache/tomee/commit/6d779321ddb9111cb46e7cd7f8e27929ff8bc3cc > > [2] https://ci-builds.apache.org/job/Tomee/job/pull-request-manual-jdk24/7/ > >
