Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8193916

Remove deprecated javax.security.auth.Policy API

    XMLWordPrintable

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version/s: 11
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      source, binary, behavioral
    • Compatibility Risk:
      low
    • Compatibility Risk Description:
      Hide
      GlassFish is still using it but not depends on it. It only uses this type if the J2EE 1.3 property javax.security.jacc.auth.policy.provider is set. The code says it should be checked as a last resort and it should not be set in J2EE 1.4. See https://github.com/javaee/glassfish/blob/168ce449c4ea0826842ab4129e83c4a700750970/nucleus/security/core/src/main/java/com/sun/enterprise/security/PolicyLoader.java.

      I filed an issue at https://github.com/javaee/glassfish/issues/22392. The references to this class should be either removed or modified to use reflection.
      Show
      GlassFish is still using it but not depends on it. It only uses this type if the J2EE 1.3 property javax.security.jacc.auth.policy.provider is set. The code says it should be checked as a last resort and it should not be set in J2EE 1.4. See https://github.com/javaee/glassfish/blob/168ce449c4ea0826842ab4129e83c4a700750970/nucleus/security/core/src/main/java/com/sun/enterprise/security/PolicyLoader.java . I filed an issue at https://github.com/javaee/glassfish/issues/22392 . The references to this class should be either removed or modified to use reflection.
    • Interface Kind:
      Java API, System or security property
    • Scope:
      SE

      Description

      Summary

      Remove the javax.security.auth.Policy API.

      Problem

      The API has been deprecated since 1.4 and marked forRemoval=true in JDK 10.

      Solution

      Remove the API and related permission target names and system properties.

      Specification

      Remove the src/java.base/share/classes/javax/security/auth/Policy.java file.

      Remove some AuthPermission target names:

      diff --git a/src/java.base/share/classes/javax/security/auth/AuthPermission.java b/src/java.base/share/classes/javax/security/auth/AuthPermission.java
      --- a/src/java.base/share/classes/javax/security/auth/AuthPermission.java
      +++ b/src/java.base/share/classes/javax/security/auth/AuthPermission.java
      @@ -32,7 +32,7 @@
        *
        * <p> The target name is the name of a security configuration parameter
        * (see below).  Currently the {@code AuthPermission} object is used to
      - * guard access to the {@link Policy}, {@link Subject},
      + * guard access to the {@link Subject},
        * {@link javax.security.auth.login.LoginContext}, and
        * {@link javax.security.auth.login.Configuration} objects.
        *
      @@ -121,21 +121,6 @@
        *                              {@code LoginContext}.
        * </pre>
        *
      - * <p> {@code javax.security.auth.Policy} has been
      - * deprecated in favor of {@code java.security.Policy}.
      - * Therefore, the following target names have also been deprecated:
      - *
      - * <pre>
      - *      getPolicy -             allow the caller to retrieve the system-wide
      - *                              Subject-based access control policy.
      - *
      - *      setPolicy -             allow the caller to set the system-wide
      - *                              Subject-based access control policy.
      - *
      - *      refreshPolicy -         allow the caller to refresh the system-wide
      - *                              Subject-based access control policy.
      - * </pre>
      - *
        * @implNote
        * Implementations may define additional target names, but should use naming
        * conventions such as reverse domain name notation to avoid name clashes.

      Remove some system properties:

      • auth.policy.provider
      • cache.auth.policy
      • java.security.auth.policy
      • auth.policy.url.<n>

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                weijun Weijun Wang
                Reporter:
                mullan Sean Mullan
                Reviewed By:
                Alan Bateman, Sean Mullan
              • Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: