On Wed, 11 Mar 2026 21:59:03 GMT, Vishva N <[email protected]> wrote:

>> ### Problem
>> In a large java project with multiple third party dependencies, there is a
>> case where the default **Authenticator** set by the java project owner is
>> overridden by the third party dependency jars.
>>
>> ### Example
>> While using **Google Big Query JDBC Jar**, If proxy username property is
>> present in the connection url, the **default authenticator is reset** by a
>> code piece in the jar without any checks for existing authenticator.
>>
>> ### Solution
>> Since, Authenticator is set on JVM level, the modification should provide
>> **access control capability to the java project owner**.
>>
>> ### Changes
>> In java.net.Authenticator class, an AccessChecker class is initialized on
>> class loading. By default, **java.net.AuthenticatorModifyAccessChecker** is
>> loaded. The Java project owner can extend this class and implement their own
>> custom implementation for **canModifyAuthenticator()** method. Java project
>> owner should supply the custom class name in
>> _"**authenticator.modify.access.checker.class**"_ system property which will
>> be initialized on class loading time.
>>
>> ### Result
>> This change will give access modification control for the Java Project
>> owner. The project owner can just skip the setDefault() call by returning false
>> in canModifyAuthenticator() method or can throw error according to their
>> need.
>
>> @vishva238 I think it would be better to start a thread on net-dev to
>> discuss the problem/issue you are running into. It's way too. Are you
>> migrating from an environment that used a security manager? Have you looked
>> at the example agent in JEP 486 to get ideas for how to instrument the use
>> sites to prevent the execution of methods that don't want to execute.
>
> @AlanBateman I don't either want to throw an error, simply skip the
> authenticator setDefault call. Not related to security manager. With this
> fix, I can allow some Authenticator class to be set default and disallow
> other Authenticators.
>
> This is like a case where we connect around 15 flavours of databases and more
> than 20 web connectors in single java product.
>
> @vishva238 Please take the guidance and start a discussion on net-dev.

@AlanBateman Yes yes I am initiating.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/30193#issuecomment-4045594752
