Hi Sean,
Developers are still going to need single points of control, where we
can attach our agents to Java's API's. We can't be playing a game of
whack a mole trying to lock down the JDK.
It's fair enough that OpenJDK no longer wishes to maintain
SecurityManager, however there are those of us who have to implement
authorization layers and access controls and we don't have the luxury of
choice.
So we've established that we need to use Agents and StackWalker now to
implement our authorization layer.
It will be some years before we are able to keep up to date with Java
releases again, but now we need to focus on how to achieve that.
Regarding your questions, the performance problems, were related to
Java's FilePolicy implementation, I solved those issues by replacing it,
but you're already aware of that, I was highlighting the struggle that
developers have with Java security, but also that JAAS is a common
foundation for user authorisation, so I hope that it will be improved,
rather than removed. I of course also use JAAS to establish TLS
connections.
If there's anything else OpenJDK is thinking about, thinking about
removing, then we need to know, so we don't use them in our new
authorization layer.
--
Regards,
Peter Firmstone
On 4/06/2021 1:02 am, Sean Mullan wrote:
On 6/2/21 7:41 PM, Peter Firmstone wrote:
AccessController and AccessControlContext allow backward compatiblity
for JAAS. JAAS whether we like it or not, is the default
authorisation layer framework.
http://word-bits.flurg.com/jaas-is-terrible-and-there-is-no-escape-from-it/
I'm not sure why you referenced this blog which is actually advocating
that JAAS has *less* dependency on Security Manager APIs such as
AccessControlContext, whereas you seem to be advocating the opposite.
In any case, I believe the first two issues in this blog will largely
be addressed by the deprecation of the Security Manager and the JAAS
related RFEs that we have filed as follow-on work to JEP 411 to remove
the dependencies on the SM APIs:
https://bugs.openjdk.java.net/browse/JDK-8266592
https://bugs.openjdk.java.net/browse/JDK-8267108
As for the 3rd issue in the blog, it is not related to the Security
Manager, but I would need more time to understand the issues that were
described.
Also the blog was written by David Lloyd who has been participating in
these discussions, so he may want to say more about it.
--Sean