My complaint is that jspwiki reads in and parses the web.xml file at bootup
to get the security roles. Anything not listed is ignored. This could be a
bit more dynamic. Servlet request.isUserInRole is all we really need
instead of all the caching and middleware code in the middle. Makes it hard
for users backed by ldap to quickly and easily add new roles, especially in
a docker container.

On Wed, Oct 1, 2025, 7:32 AM Arturo Bernal <[email protected]> wrote:

> I think JSPWiki’s security is JAAS/container-managed with our
> Permission/ACL layer; it isn’t built on the JDK SecurityManager. The only
> SM-adjacent touchpoint is the deprecated Session#doPrivileged(...)
> wrapper—barely used and not on the auth/ACL path—so 3.0.0 is the right time
> to drop it and document.
>
> Arturo
>
>
> On Wed, Oct 1, 2025 at 12:02 PM Jürgen Weber <[email protected]> wrote:
>
> > I believe the jspwiki Security is built around the SecurityManager, isn't
> > it?
> > Removing the dependency is better for 3.1
> >
> > Arturo Bernal <[email protected]> wrote on Wed, Oct 1, 2025, 11:37:
> >
> > > Hi All,
> > >
> > > +1 (binding). 3.0.0 is the right line in the sand: remove the Security
> > > Manager–dependent API and other long-deprecated code, finish the
> > > javax→Jakarta cleanup, and baseline JDK 17.
> > >
> > > cheers,
> > > Arturo
> > >
> > >
> > > On Tue, Sep 30, 2025 at 8:52 PM Juan Pablo Santos Rodríguez <
> > > [email protected]> wrote:
> > >
> > > > Hi!
> > > >
> > > > While going through the code I've noticed that jspwiki-api not only
> > > > > contained a method relying on javax (thus implying a major version),
> > > > > but there's also a method [#1] which uses classes from the Security
> > > > > Manager, marked Deprecated and for removal at a later version (done
> > > > in JDK-24, IIRC). This method is barely used throughout the code, and
> > > > I suspect is less used on third party extensions.
> > > >
> > > > As such, I'd like to remove it from the jspwiki-api module, so we
> > > > avoid a breaking change in a future release, and also remove the rest
> > > > of the related deprecated code throughout the code base.
> > > >
> > > > This way JSPWiki should be able to run using JDK 17 to 25. Thoughts?
> > > >
> > > >
> > > > cheers,
> > > > juan pablo
> > > >
> > > > [#1]:
> > > >
> > >
> >
> https://github.com/apache/jspwiki/blob/master/jspwiki-api/src/main/java/org/apache/wiki/api/core/Session.java#L240-L252
> > > >
> > >
> >
>
