[
https://issues.apache.org/jira/browse/QPID-8731?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tomas Vavricka updated QPID-8731:
---------------------------------
Description:
The Security Manager was deprecated in Java 17 with [JEP
411|https://openjdk.org/jeps/411], and fully removed in Java 24 with [JEP
486|https://openjdk.org/jeps/486]. Broker-J relies on security manager-related
APIs in a number of places, mostly to track the current subject. Refactoring is
needed to enable the broker to run in a Java 24+ environment.
*Implementation*
Java classes AccessController / AccessControlContext / PrivilegedAction are
deprecated for removal. Subject retrieval in broker code should be replaced
with Subject.current(). Calls like Subject.doAs() /
AccessController.doPrivileged() should be replaced with Subject.callAs() for
Java 24+.
ThreadFactories and executors should be checked to clear the subject from the
calling thread and / or replace it by the caller Subject.
Explicit unit tests should be added to check the subject handing between
threads.
Guard system tests should be added to check for possible role elevation due to
the subject leak.
Java 17 compatibility is achieved by using a multi-release-jar approach.
was: The Security Manager was deprecated in Java 17 with [JEP
411|https://openjdk.org/jeps/411], and fully removed in Java 24 with [JEP
486|https://openjdk.org/jeps/486]. Broker-J relies on security manager-related
APIs in a number of places, mostly to track the current subject. Refactoring is
needed to enable the broker to run in a Java 24+ environment.
> [Broker-J] Security Manager removal
> -----------------------------------
>
> Key: QPID-8731
> URL: https://issues.apache.org/jira/browse/QPID-8731
> Project: Qpid
> Issue Type: Improvement
> Components: Broker-J
> Affects Versions: qpid-java-broker-10.0.1
> Reporter: Daniil Kirilyuk
> Priority: Major
> Fix For: qpid-java-broker-10.0.2
>
>
> The Security Manager was deprecated in Java 17 with [JEP
> 411|https://openjdk.org/jeps/411], and fully removed in Java 24 with [JEP
> 486|https://openjdk.org/jeps/486]. Broker-J relies on security
> manager-related APIs in a number of places, mostly to track the current
> subject. Refactoring is needed to enable the broker to run in a Java 24+
> environment.
> *Implementation*
> Java classes AccessController / AccessControlContext / PrivilegedAction are
> deprecated for removal. Subject retrieval in broker code should be replaced
> with Subject.current(). Calls like Subject.doAs() /
> AccessController.doPrivileged() should be replaced with Subject.callAs() for
> Java 24+.
> ThreadFactories and executors should be checked to clear the subject from the
> calling thread and / or replace it by the caller Subject.
> Explicit unit tests should be added to check the subject handing between
> threads.
> Guard system tests should be added to check for possible role elevation due
> to the subject leak.
> Java 17 compatibility is achieved by using a multi-release-jar approach.
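
The executor check and the subject-leak test described in the issue, sketched as an added example that is not Broker-J code: an executor wrapper captures Subject.current() at submit time and rebinds it on the worker with Subject.callAs(), and main() verifies both the handoff and the absence of a leak on a reused thread. It assumes JDK 24+; the class name, the NamedPrincipal type and the subjectPropagating helper are hypothetical.

```java
import java.security.Principal;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Executor;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import javax.security.auth.Subject;

public class SubjectHandoffExample {
    // Hypothetical principal type, constructed for this example.
    record NamedPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Hypothetical helper: runs each task as the Subject that was current on the
    // submitting thread. A null caller Subject clears any Subject on the worker.
    static Executor subjectPropagating(Executor delegate) {
        return task -> {
            Subject caller = Subject.current(); // captured at submit time
            delegate.execute(() -> Subject.callAs(caller, () -> { task.run(); return null; }));
        };
    }

    static void check(boolean ok, String message) {
        if (!ok) throw new IllegalStateException(message);
    }

    public static void main(String[] args) throws Exception {
        Subject alice = new Subject(true, Set.of(new NamedPrincipal("alice")), Set.of(), Set.of());
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Executor guarded = subjectPropagating(pool);
        try {
            // Submitted inside callAs(alice): the worker thread is created while alice is bound.
            CompletableFuture<Subject> seenAsAlice = new CompletableFuture<>();
            Subject.callAs(alice, () -> {
                guarded.execute(() -> seenAsAlice.complete(Subject.current()));
                return null;
            });
            // Submitted with no Subject, reusing the same worker thread.
            CompletableFuture<Subject> seenAnonymous = new CompletableFuture<>();
            guarded.execute(() -> seenAnonymous.complete(Subject.current()));

            check(alice.equals(seenAsAlice.get()), "worker did not run as the caller Subject");
            check(seenAnonymous.get() == null, "Subject leaked into an unauthenticated task");
        } finally {
            pool.shutdown();
        }
    }
}
```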