Hi Rick,
Excellent feedback, I suggest you send this information to the
security-dev [1] mailing list to demonstrate the impact
it is having on you and others. Make sure to subscribe first.
Rgds, Rory
[1] security-...@openjdk.java.net
On 14/06/2021 16:43, Rick Hillegas wrote:
Hi Rory,
Copying the Tomcat developer community since this issue probably
affects them as well.
When I tried to build Derby with the Rampdown Phase One build of
OpenJDK 17 (17-ea+26-2439), I saw many warnings related to the deprecation
of Security Manager classes and methods, undoubtedly the consequence
of JEP 411 (https://openjdk.java.net/jeps/411). Derby, like Tomcat,
embraced the Security Manager early on. Permissions checks were
rototilled across the whole code base. Our distributions ship with
several template policy files, which we encourage users to customize
for their environments. The "Configuring Java Security" section of our
Security Guide explains how to do this
(https://db.apache.org/derby/docs/10.15/security/index.html).
My build only reported the first 100 warnings. It is likely that there
are many more.
Having read the summary of JEP 411, I understand the motivation for
this change. However, I don't understand how applications like Tomcat
and Derby are supposed to respond to the new blizzard of deprecation
warnings. For instance, is there a replacement for the deprecated
AccessController.doPrivileged() method? Or are we supposed to simply
disable this deprecation check? Is there some security expert whom we
should contact about this change and how to mitigate its effects?
Thanks,
-Rick
On 6/14/21 2:18 AM, Rory O'Donnell wrote:
Hi Rick,
*Per the JDK 17 schedule, we are in Rampdown Phase One [1].*
*Please advise if you find any issues while testing the latest Early
Access builds.*
* Schedule:
    o *2021/06/10 Rampdown Phase One*
    o 2021/07/15 Rampdown Phase Two
    o 2021/08/05 Initial Release Candidate
    o 2021/08/19 Final Release Candidate
    o 2021/09/14 General Availability
The overall feature set is frozen. No further JEPs will be targeted
to this release.
* Important JEPs have been integrated – Attention Required!
* *JEP 411: Deprecate the Security Manager for Removal*
  <https://openjdk.java.net/jeps/411>
    o Deprecate, for removal, most Security Manager related classes
      and methods.
    o Warning message at startup if the Security Manager is enabled on
      the command line.
    o Warning message at run time if a Java application or library
      installs a Security Manager dynamically.
    o Deprecation is in concert with the legacy Applet API (JEP 398).
* *JEP 407: Remove RMI Activation* <https://openjdk.java.net/jeps/407>
    o Remove the Remote Method Invocation (RMI) Activation mechanism,
      while preserving the rest of RMI.
    o It was deprecated for removal by JEP 385
      <https://openjdk.java.net/jeps/385> in Java SE 15.
* *JEP 403: Strongly Encapsulate JDK Internals*
  <https://openjdk.java.net/jeps/403>
    o Strongly encapsulate all internal elements of the JDK, except
      for critical internal APIs such as /sun.misc.Unsafe/.
    o It will no longer be possible to relax the strong encapsulation
      of internal elements via a single command-line option.
* Other features integrated in JDK 17:
    o *JEP 306: Restore Always-Strict Floating-Point Semantics*
      <https://openjdk.java.net/jeps/306>
    o JEP 356: Enhanced Pseudo-Random Number Generators
      <https://openjdk.java.net/jeps/356>
    o JEP 382: New macOS Rendering Pipeline
      <https://openjdk.java.net/jeps/382>
    o JEP 391: macOS/AArch64 Port <https://openjdk.java.net/jeps/391>
    o JEP 398: Deprecate the Applet API for Removal
      <https://openjdk.java.net/jeps/398>
    o *JEP 406: Pattern Matching for switch (Preview)*
      <https://openjdk.java.net/jeps/406>
    o JEP 409: Sealed Classes <https://openjdk.java.net/jeps/409>
    o JEP 410: Remove the Experimental AOT and JIT Compiler
      <https://openjdk.java.net/jeps/410>
    o JEP 412: Foreign Function & Memory API (Incubator)
      <https://openjdk.java.net/jeps/412>
    o *JEP 414: Vector API (Second Incubator)*
      <https://openjdk.java.net/jeps/414>
    o *JEP 415: Context-Specific Deserialization Filters*
      <https://openjdk.java.net/jeps/415>
*OpenJDK 17 Early Access build 26 is available at*
https://jdk.java.net/17
* These early-access, open-source builds are provided under the
    o GNU General Public License, version 2, with the Classpath
      Exception <https://openjdk.java.net/legal/gplv2+ce.html>
* Release Notes are available at
  https://jdk.java.net/17/release-notes
* Changes in recent builds that may be of interest:
* *Build 26:*
    o JDK-8268241: deprecate JVM TI Heap functions 1.0
    o JDK-8266846: Add java.time.InstantSource
    o JDK-8248268: Support KWP in addition to KW
    o JDK-8204686: Dynamic parallel reference processing support for
      Parallel GC
    o JDK-8259530: Generated docs contain MIT/GPL-licenced works
      without reproducing the licence [*Reported by Apache Maven*]
    o JDK-8266766: Arrays of types that cannot be an annotation member
      do not yield exceptions [*Reported by ByteBuddy*]
    o JDK-8266598: Exception values for
      AnnotationTypeMismatchException are not always informative
      [*Reported by ByteBuddy*]
* *Build 25*
    o JDK-8266653: Change update mode for JDK rpm/deb installers as it
      breaks "yum update" for JDK11+
    o JDK-8263202: Update Hebrew/Indonesian/Yiddish ISO 639 language
      codes to current
    o JDK-8229517: Support for optional asynchronous/buffered logging
    o JDK-8182043: Access to Windows Large Icons
*OpenJDK 18 Early Access build 1 is now available at*
https://jdk.java.net/18
* These early-access, open-source builds are provided under the
    o GNU General Public License, version 2, with the Classpath
      Exception <https://openjdk.java.net/legal/gplv2+ce.html>
* Issues addressed in this build - here
  <https://github.com/openjdk/jdk/compare/jdk-18%2B0...jdk-18%2B1>
*Other Topics which might be of Interest:*
* Java Cryptographic Roadmap [2] has been updated.
* Inside Java Newscast #6 [3]
    o a closer look at the list of JEPs of JDK 17 as well as the
      development process
* Inside Java Newscast #7 [4]
    o discusses in greater detail `pattern matching for switch`,
      previewed in JDK 17
Rgds, Rory
[1] https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html
[2] https://java.com/en/jre-jdk-cryptoroadmap.html
[3] https://inside.java/2021/06/10/insidejava-newscast-006/
[4] https://inside.java/2021/06/13/podcast-017/
--
Rgds, Rory O'Donnell
Quality Engineering Manager
Oracle EMEA, Dublin, Ireland