Hello Stefan,
On 19/08/21 1:15 pm, Stefan Bodewig wrote:
On 2021-08-05, Jaikiran Pai wrote:
Ant project will be impacted by this. Ant provides a "permissions"
type[1] whose whole goal is to integrate with the Java SecurityManager
to allow users to configure the necessary security permissions. With
the SecurityManager and the APIs potentially gone after Java 17, we
can no longer support this. One additional point to note here is that,
Ant also uses the SecurityManager APIs even when "permissions" type is
not involved, at least in the "java" task and the "junit" task, where
we setup a SecurityManager with very minimal permissions.
At a cursory glance I only see JUnitTask and ExecuteJava deal with the
SecurityManager if permissions have been defined. Where else do we use
one?
From what I see in the Java task code[1], the "execute()" method of
that task calls, "checkConfiguration()"[2] method, which in a non-forked
mode, creates a Permissions instance if no explicit permissions has been
configured[3]. After this is done, when it then calls the ExecuteJava
class it finds this non-null Permissions instance and ends up setting up
the SecurityManager using the security manager APIs[4]. Effectively,
even if users haven't configured any permissions, we end up using a
security manager.
[1]
https://github.com/apache/ant/blob/master/src/main/org/apache/tools/ant/taskdefs/Java.java
[2]
https://github.com/apache/ant/blob/master/src/main/org/apache/tools/ant/taskdefs/Java.java#L142
[3]
https://github.com/apache/ant/blob/master/src/main/org/apache/tools/ant/taskdefs/Java.java#L205
[4]
https://github.com/apache/ant/blob/master/src/main/org/apache/tools/ant/taskdefs/ExecuteJava.java#L215
-Jaikiran
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org
