[
https://issues.apache.org/jira/browse/QPID-8731?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tomas Vavricka resolved QPID-8731.
----------------------------------
Resolution: Implemented
> [Broker-J] Security Manager removal
> -----------------------------------
>
> Key: QPID-8731
> URL: https://issues.apache.org/jira/browse/QPID-8731
> Project: Qpid
> Issue Type: Improvement
> Components: Broker-J
> Affects Versions: qpid-java-broker-10.0.1
> Reporter: Daniil Kirilyuk
> Priority: Major
> Fix For: qpid-java-broker-10.0.2
>
>
> The Security Manager was deprecated in Java 17 with [JEP
> 411|https://openjdk.org/jeps/411], and fully removed in Java 24 with [JEP
> 486|https://openjdk.org/jeps/486]. Broker-J relies on security
> manager-related APIs in a number of places, mostly to track the current
> subject. Refactoring is needed to enable the broker to run in a Java 24+
> environment.
> *Implementation*
> Java classes AccessController / AccessControlContext / PrivilegedAction are
> deprecated for removal. Subject retrieval in broker code should be replaced
> with Subject.current(). Calls like Subject.doAs() /
> AccessController.doPrivileged() should be replaced with Subject.callAs() for
> Java 24+.
> ThreadFactories and executors should be checked to clear the subject from the
> calling thread and / or replace it by the caller Subject.
> Explicit unit tests should be added to check the subject handing between
> threads.
> Guard system tests should be added to check for possible role elevation due
> to the subject leak.
> Java 17 compatibility is achieved by using multi-release-jar approach.
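An added example, not Broker-J code, of the executor hand-off the issue describes: the caller's Subject is captured with Subject.current() at submit time and bound on the worker thread with Subject.callAs(), so a reused pool thread never carries one caller's identity into another caller's task. It assumes Java 24+; the class name, the Named principal and the withCallerSubject() helper are hypothetical.

```java
import java.security.Principal;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import javax.security.auth.Subject;

// Added example, not Broker-J code. Assumes Java 24+.
public class SubjectHandOffDemo {

    // Hypothetical principal type used only for this demo.
    record Named(String name) implements Principal {
        public String getName() { return name; }
    }

    // Hypothetical helper: capture the submitter's Subject now, bind it on the worker later.
    static <T> Callable<T> withCallerSubject(Callable<T> task) {
        final Subject caller = Subject.current();   // null if the submitter has no Subject
        return () -> Subject.callAs(caller, task);  // binding ends when the task returns
    }

    static String currentName() {
        Subject s = Subject.current();
        return s == null ? "<none>" : s.getPrincipals().iterator().next().getName();
    }

    static Subject subjectOf(String name) {
        return new Subject(true, Set.of(new Named(name)), Set.of(), Set.of());
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor(); // one reused worker thread
        try {
            // Two callers with different Subjects share the same worker thread.
            String a = Subject.callAs(subjectOf("admin"),
                    () -> pool.submit(withCallerSubject(SubjectHandOffDemo::currentName)).get());
            String b = Subject.callAs(subjectOf("guest"),
                    () -> pool.submit(withCallerSubject(SubjectHandOffDemo::currentName)).get());
            // A task submitted without a Subject must not see an earlier caller's identity.
            String c = pool.submit((Callable<String>) SubjectHandOffDemo::currentName).get();

            System.out.println(a + " " + b + " " + c);
            if (!a.equals("admin") || !b.equals("guest") || !c.equals("<none>")) {
                throw new AssertionError("subject leaked between tasks");
            }
        } finally {
            pool.shutdown();
        }
    }
}
```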