Thank you for clarifying.

OpenJDK advised us it was possible to implement a new Authorization layer above the JVM, but without any suitable hooks from within the JVM, it's not feasible.

We will support Java until the last version we can; it's not possible for us to re-secure our software on the Java platform going forward.

--
Regards,
Peter

On 18/06/2023 10:15 pm, Alan Bateman wrote:
On 18/06/2023 12:52, Peter Firmstone wrote:

Thanks Alan,

Personally, I would hope that nothing happens until after Java 21; time is precious, and we'll need all the time we can get.

I was hoping that all privileged actions might be retained indefinitely, so that we may instrument them.

Once the SM operating mode goes away then I would expect most usages of privileged actions in the JDK can be removed. Leaving them for an "authorization layer" to instrument would be misleading. Existing usages will quickly bit rot. It would also be a tax on all future features and all ongoing maintenance.

-Alan.
