Sean,
Also, moving forward, we currently preserve AccessControlContext across
threads, and we do this to establish TLS connections for callbacks.
Will there be a new way to preserve the calling Subject across threads,
so we can perform callbacks over TLS?
Regards,
--
Regards,
Peter Firmstone
On 4/06/2021 7:39 am, Peter Firmstone wrote:
Hi Sean,
Developers are still going to need single points of control, where we
can attach our agents to Java's APIs. We can't be playing a game of
whack-a-mole trying to lock down the JDK.
It's fair enough that OpenJDK no longer wishes to maintain
SecurityManager; however, there are those of us who have to implement
authorization layers and access controls and we don't have the luxury
of choice.
So we've established that we need to use Agents and StackWalker now to
implement our authorization layer.
It will be some years before we are able to keep up to date with Java
releases again, but now we need to focus on how to achieve that.
Regarding your questions, the performance problems were related to
Java's FilePolicy implementation. I solved those issues by replacing
it, but you're already aware of that. I was highlighting the struggle
that developers have with Java security, but also that JAAS is a
common foundation for user authorisation, so I hope that it will be
improved, rather than removed. I of course also use JAAS to establish
TLS connections.
If there's anything else OpenJDK is thinking about, thinking about
removing, then we need to know, so we don't use them in our new
authorization layer.