Resending this message from the account associated with my security-dev subscription, in the hope that this will bypass moderation:

Rory O'Donnell recommended that I bring this issue to the security developers' mailing list. I work on Apache Derby. Derby is one of the applications which receive advance notice of new Open JDK distributions. We then build our application with the new JDK's javac and javadoc tools and we run our full test suite against the new JVM. As a canary in the mineshaft, we noticed the following significant disruption.

When I tried to build Derby with the Rampdown Phase One build of Open JDK 17 (17-ea+26-2439), I saw many warnings related to the deprecation of Security Manager classes and methods, undoubtedly the consequence of JEP 411 (https://openjdk.java.net/jeps/411). Derby, like Tomcat, embraced the Security Manager early on. Permissions checks were rototilled across the whole code base and our distributions ship with several template policy files, which we encourage users to customize for their environments. The "Configuring Java Security" section of our Security Guide explains how to do this (https://db.apache.org/derby/docs/10.15/security/index.html).

My build only reported the first 100 warnings. It is likely that there are many more.

Having read the summary of JEP 411, I understand the motivation for this change. However, I don't understand how applications like Tomcat and Derby are supposed to respond to the new blizzard of deprecation warnings. For instance, is there a replacement for the deprecated AccessController.doPrivileged() method? Or are we supposed to simply disable this deprecation check? Is there some security expert whom I should contact about this change and how to mitigate its effects?

Thanks,
-Rick
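The following is an added illustration of the situation Rick describes; it is not Derby code and is not part of the original message. It shows the `AccessController.doPrivileged()` pattern that JEP 411 marks as deprecated for removal, together with the one piece of tooling that addresses the warning flood without changing behaviour: the `removal` lint category, which JDK 9 and later use for APIs annotated `@Deprecated(forRemoval = true)`, and the matching `@SuppressWarnings("removal")` annotation. The class name `PrivilegedLookup` and the property it reads are assumptions made for the example.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added example, not Derby's own code: a privileged system-property read
// written so the deprecated API is only touched when a Security Manager is
// actually installed, and the "removal" lint is silenced on that one method.
public final class PrivilegedLookup {

    // Reads a system property inside a privileged block so that the permission
    // check passes even when callers further up the stack lack PropertyPermission.
    // Both System.getSecurityManager() and AccessController.doPrivileged() are
    // deprecated for removal under JEP 411, so one annotation covers both.
    @SuppressWarnings("removal")
    public static String readProperty(final String name) {
        PrivilegedAction<String> action = () -> System.getProperty(name);
        // With no Security Manager installed there is nothing to elevate, so the
        // direct call is equivalent and avoids the deprecated API on that path.
        if (System.getSecurityManager() == null) {
            return action.run();
        }
        return AccessController.doPrivileged(action);
    }

    public static void main(String[] args) {
        // "java.version" is a standard property; the value printed depends on the JDK.
        System.out.println(readProperty("java.version"));
    }
}
```

Compiling with `javac -Xlint:removal PrivilegedLookup.java` on JDK 17 reports the deprecation warnings if the annotation is removed, and is silent with it in place; `-Xlint:-removal` turns the category off for a whole compilation. The cut-off at 100 warnings in the build report is javac's default `-Xmaxwarns` value, so raising it (for example `-Xmaxwarns 10000`) gives the full count of affected call sites before deciding how to triage them.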
