[ https://issues.apache.org/jira/browse/HTTPCLIENT-2402?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18031542#comment-18031542 ]

Istvan Toth edited comment on HTTPCLIENT-2402 at 10/22/25 6:02 AM:
-------------------------------------------------------------------

Apparently that was added in HTTPASYNC-124.

Java 25 still has that function; it's simply a no-op, so keeping the current 
code would not cause any immediate problems, apart from those warnings.

[https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/AccessController.html#doPrivileged(java.security.PrivilegedAction)]

There are three approaches for handling this: 
 - Do nothing. Unlike most deprecated functionality, the latest Java releases 
handle this class gracefully, so it will still work in older JVMs as designed, 
and do nothing in recent JVMs.
 - Simply remove the code. This will break applications where the 
SecurityManager would prevent getting the system properties. (It was originally 
added for ElasticSearch, according to the ticket.)

 - Create a shim that detects whether SecurityManager is supported by the JVM 
and either wraps the function / Runnable in a doPrivileged code, or just runs 
it straight (similar to what SecurityUtils does for doAs/Calls).
This is the same as the current behaviour, but it will keep working without 
changes even if AccessController is eventually truly removed from Java.


was (Author: stoty):
Apparently that was added in HTTPASYNC-124.

Java 25 still has that function; it's simply a no-op, so keeping the current 
code would not cause any immediate problems, apart from those warnings.

[https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/AccessController.html#doPrivileged(java.security.PrivilegedAction)]

There are three approaches for handling this: 
 - Do nothing. Unlike some functions, the latest Java releases handle this 
method gracefully, so it will still work in older JVMs as designed, and do 
nothing in recent JVMs.
 - Simply remove the code. This will break applications where the 
SecurityManager would prevent getting the system properties. (It was 
originally added for elasticSearch, according to the ticket.)

 - Create a shim that detects whether SecurityManager is supported by the JVM 
and either wraps the function / Runnable in a doPrivileged code, or just runs 
it straight (similar to what SecurityUtils does for doAs/Calls).
This is the same as the current behaviour, but it will keep working without 
changes even if AccessController is eventually truly removed from Java.

> Handle SecurityManager removal
> ------------------------------
>
>                 Key: HTTPCLIENT-2402
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2402
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>            Reporter: Istvan Toth
>            Priority: Major
>
> There are two aspects to these changes: 
> - replacing Subject.doAs() with Subject.callAs()
> - handling the changed thread semantics, where the Current Subject is no longer 
> propagated to new Threads.
> Httpclient doesn't currently use the disabled methods.
> They are used in HTTPCLIENT-2358, which already includes the SecurityUtils to 
> map the doAs/CallAs function based on the JVM version.
> The Subject propagation issue breaks SPNEGO authentication for the Async 
> client, as the Subject is no longer propagated to the executor threads for 
> the Async operations.
> There is no current test for that, I will add new tests to HTTPCLIENT-2358 to 
> cover this case.
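
The third approach from the comment (a shim that calls doPrivileged when the JVM still provides it and otherwise runs the action directly), as an added Java example that is not part of the original message or HttpClient's own code. `PrivilegedShim` and its methods are hypothetical names, and the example assumes `java.security.PrivilegedAction` stays in the JDK even if `AccessController` is removed.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.PrivilegedAction;

// Hypothetical helper, package-private on purpose: a public method that runs
// caller-supplied code under doPrivileged would lend this library's
// permissions to any caller on JVMs that still enforce a SecurityManager.
final class PrivilegedShim {

    // Resolved once; null when the JVM no longer ships AccessController.doPrivileged.
    private static final Method DO_PRIVILEGED = resolve();

    private static Method resolve() {
        try {
            // Looked up by name so this class still loads if AccessController is removed.
            return Class.forName("java.security.AccessController")
                    .getMethod("doPrivileged", PrivilegedAction.class);
        } catch (ReflectiveOperationException | LinkageError ex) {
            return null;
        }
    }

    static <T> T run(final PrivilegedAction<T> action) {
        if (DO_PRIVILEGED == null) {
            return action.run(); // no AccessController: run it straight
        }
        try {
            @SuppressWarnings("unchecked")
            final T result = (T) DO_PRIVILEGED.invoke(null, action);
            return result;
        } catch (InvocationTargetException ex) {
            // Rethrow what the action itself threw, unwrapped.
            final Throwable cause = ex.getCause();
            if (cause instanceof RuntimeException) { throw (RuntimeException) cause; }
            if (cause instanceof Error) { throw (Error) cause; }
            throw new IllegalStateException(cause);
        } catch (IllegalAccessException ex) {
            throw new IllegalStateException(ex);
        }
    }

    // The case from the ticket: reading a system property under a restrictive policy.
    static String getProperty(final String key) {
        return run(() -> System.getProperty(key));
    }
}
```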


