Details
-
Bug
-
Resolution: Not an Issue
-
P4
-
None
-
None
Description
All sun.security.** classes are JDK internal APIs that are not supported and should not be used. This issue documents the supported APIs that you should migrate to use. For any sun.security.** classes not listed below, there is no replacement.
1) sun.security.action.*
They should be replaced with java.security.PrivilegedAction (@since 1.1) to call System.getProperty or other action instead. Example
AccessController.doPrivileged((PrivilegedAction<String>) () -> System.getProperty(key));
2) sun.security.util.SecurityConstants
The SecurityConstants class defines instance of several permission types. It should be replaced with creating the instance of the public permission type. Example,
new NetPermission("getCookieHandler");
java.lang.RuntimePermission, java.net.NetPermission, or many Permission class were added @since 1.1
3) sun.security.provider.Sun
One option is calling java.security.Security.getProvider("SUN") that is not the recommended way.
In general, you should avoid depending on a specific provider as it may not be available on other Java implementations. See Oracle security providers documentation for more rationale. That is,
getInstance("...", "SunJCE"); // not recommended
versus
getInstance("..."); // recommended
4) sun.security.provider.PolicyFile
It should be replaced to use:
java.security.Policy.getInstance("JavaPolicy", new java.security.URIParameter(uri));
This getInstance method was added @since 1.6.
5) sun.security.krb5.**
JDK-8043071 defines the supported APIs in JDK 9 to get the context session key to do their own encryption/decryption and also deal with the KRB-CRED token in its own way:
@see javax.security.auth.kerberos.EncryptionKey and KerberosCredMessage
@see javax.security.auth.kerberos.KerberosTicket.getSessionKey()
Also see org.ietf.jgss and com.sun.security.jgss APIs
6) sun.security.x509.**
Use javax.security.auth.x500.X500Principal @since 1.4 to replace sun.security.x509.X500Name
Many of the extensions and fields of an X509 Certificate can be accessed via the standard java.security.cert API. Use java.security.cert API instead.
7) sun.security.util.HostnameChecker.match checks if the certificate allows use of the given server name
javax.net.ssl.SSLParameters.setEndpointIdentificationAlgorithm("HTTPS" or "LDAPS") can be used to enabled hostname checking during handshaking, and javax.net.ssl.HttpsURLConnection.setHostnameVerifier() can be customized hostname verifier rules for URL operations.
See alsoJDK-7192189 for the new endpoint identification support.
1) sun.security.action.*
They should be replaced with java.security.PrivilegedAction (@since 1.1) to call System.getProperty or other action instead. Example
AccessController.doPrivileged((PrivilegedAction<String>) () -> System.getProperty(key));
2) sun.security.util.SecurityConstants
The SecurityConstants class defines instance of several permission types. It should be replaced with creating the instance of the public permission type. Example,
new NetPermission("getCookieHandler");
java.lang.RuntimePermission, java.net.NetPermission, or many Permission class were added @since 1.1
3) sun.security.provider.Sun
One option is calling java.security.Security.getProvider("SUN") that is not the recommended way.
In general, you should avoid depending on a specific provider as it may not be available on other Java implementations. See Oracle security providers documentation for more rationale. That is,
getInstance("...", "SunJCE"); // not recommended
versus
getInstance("..."); // recommended
4) sun.security.provider.PolicyFile
It should be replaced to use:
java.security.Policy.getInstance("JavaPolicy", new java.security.URIParameter(uri));
This getInstance method was added @since 1.6.
5) sun.security.krb5.**
@see javax.security.auth.kerberos.EncryptionKey and KerberosCredMessage
@see javax.security.auth.kerberos.KerberosTicket.getSessionKey()
Also see org.ietf.jgss and com.sun.security.jgss APIs
6) sun.security.x509.**
Use javax.security.auth.x500.X500Principal @since 1.4 to replace sun.security.x509.X500Name
Many of the extensions and fields of an X509 Certificate can be accessed via the standard java.security.cert API. Use java.security.cert API instead.
7) sun.security.util.HostnameChecker.match checks if the certificate allows use of the given server name
javax.net.ssl.SSLParameters.setEndpointIdentificationAlgorithm("HTTPS" or "LDAPS") can be used to enabled hostname checking during handshaking, and javax.net.ssl.HttpsURLConnection.setHostnameVerifier() can be customized hostname verifier rules for URL operations.
See also
Attachments
Issue Links
- relates to
-
JDK-8058778 New APIs for creating certificates and certificate requests
-
- Closed
-
-
JDK-7192189 Support endpoint identification algorithm in RFC 6125
-
- Resolved
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-