Am 16.01.2026 um 11:21 schrieb Korbinian Bachl:
Hi everyone,
I am currently looking into building/running our application with the upcoming
Java 24 (and later Java 25), and I encountered a compatibility issue regarding
the JCR API (javax.jcr).
The Issue: With JEP 486 (Permanently Disable the Security Manager), Java 24 has
removed several security-related classes, including
java.security.AccessControlException.
...
Thanks for checking! Do you have an Apache JIRA account so we can move
this into a ticket?
However, the javax.jcr.Session interface declares this exception in its method
signatures, for example:
Java
public void checkPermission(String absPath, String actions) throws
AccessControlException, RepositoryException;
Since AccessControlException no longer exists in the JDK starting with version
24, code compiling against the standard javax.jcr dependency fails.
My Question: Are there any plans to release an updated version of the JCR API
(perhaps a Jakarta or revised javax artifact) that removes this exception from
the method signatures or replaces it with java.lang.SecurityException?
...
Both options are bad.
1. We can't touch the JCR API, as javax.jcr is owned by Oracle. Only a
new Expert Group can revise it.
2. javax.jcr is not part of the APIs that *can* move to Jakarta (as not
in EE)
In theory we could (?) fork javax.jcr; but that would imply a new
package name as well. This is the somewhat "nuclear" option as any code
that uses javax.jcr would need to be updated.
How should projects currently relying on Jackrabbit and the standard JCR API
proceed if they want to support Java 24+?
No idea. For now we need to document this issue.
Thanks for your help!
Best,
Korbinian
Best regards, Julian
