Resending this message from the account associated with my security-dev
subscription, in the hope that this will bypass moderation:
Rory O'Donnell recommended that I bring this issue to the security
developers' mailing list. I work on Apache Derby. Derby is one of the
applications which receive advance notice of new Open JDK distributions.
We then build our application with the new JDK's javac and javadoc tools
and we run our full test suite against the new JVM. As a canary in the
mineshaft, we noticed the following significant disruption.
When I tried to build Derby with the Rampdown Phase One build of open
JDK 17 (17-ea+26-2439), I saw many warnings related to the deprecation
of Security Manager classes and methods, undoubtedly the consequence of
JEP 411 (https://openjdk.java.net/jeps/411). Derby, like Tomcat,
embraced the Security Manager early on. Permissions checks were
rototilled across the whole code base and our distributions ship with
several template policy files, which we encourage users to customize for
their environments. The "Configuring Java Security" section of our
Security Guide explains how to do this
(https://db.apache.org/derby/docs/10.15/security/index.html).
My build only reported the first 100 warnings. It is likely that there
are many more.
Having read the summary of JEP 411, I understand the motivation for this
change. However, I don't understand how applications like Tomcat and
Derby are supposed to respond to the new blizzard of deprecation
warnings. For instance, is there a replacement for the deprecated
AccessController.doPrivileged() method? Or are we supposed to simply
disable this deprecation check? Is there some security expert whom I
should contact about this change and how to mitigate its effects?
Thanks,
-Rick
- blizzard of deprecation warnings related to JEP 411 Rick Hillegas
-
