JDK-8062515

Migrate use of sun.security.** to supported API




      All sun.security.** classes are JDK internal APIs that are not supported and should not be used. This issue documents the supported APIs that you should migrate to use. For any sun.security.** classes not listed below, there is no replacement.

      1) sun.security.action.*

      Replace them with java.security.PrivilegedAction (@since 1.1) to call System.getProperty or perform another action. Example:

         AccessController.doPrivileged((PrivilegedAction<String>) () -> System.getProperty(key));

      2) sun.security.util.SecurityConstants

      The SecurityConstants class defines instances of several permission types. Replace its use by creating an instance of the public permission type. Example:
             new NetPermission("getCookieHandler");

      java.lang.RuntimePermission, java.net.NetPermission, and many other Permission classes were added @since 1.1.

      3) sun.security.provider.Sun

      One option is to call java.security.Security.getProvider("SUN"), but that is not the recommended way.

      In general, you should avoid depending on a specific provider as it may not be available on other Java implementations. See Oracle security providers documentation for more rationale. That is,
         getInstance("...", "SunJCE"); // not recommended


         getInstance("..."); // recommended

      4) sun.security.provider.PolicyFile

      Replace it with:
         java.security.Policy.getInstance("JavaPolicy", new java.security.URIParameter(uri));

      This getInstance method was added @since 1.6.

      5) sun.security.krb5.**

      JDK-8043071 defines the supported APIs in JDK 9 that let applications get the context session key to do their own encryption/decryption and handle the KRB-CRED token in their own way:

      @see javax.security.auth.kerberos.EncryptionKey and KerberosCredMessage
      @see javax.security.auth.kerberos.KerberosTicket.getSessionKey()

      Also see org.ietf.jgss and com.sun.security.jgss APIs

      6) sun.security.x509.**

      Use javax.security.auth.x500.X500Principal @since 1.4 to replace sun.security.x509.X500Name

      Many of the extensions and fields of an X509 Certificate can be accessed via the standard java.security.cert API. Use java.security.cert API instead.

      7) sun.security.util.HostnameChecker.match checks if the certificate allows use of the given server name

      javax.net.ssl.SSLParameters.setEndpointIdentificationAlgorithm("HTTPS" or "LDAPS") can be used to enable hostname checking during handshaking, and javax.net.ssl.HttpsURLConnection.setHostnameVerifier() can be used to customize hostname verifier rules for URL operations.

      See also JDK-7192189 for the new endpoint identification support.
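
An added example (not part of the original issue or of the JDK sources) of the replacement described in item 7: it enables the "HTTPS" endpoint identification algorithm on an SSLEngine and an SSLSocket, which do not check the server name against the certificate unless an algorithm is set. The class name, helper names and the host name host.example are illustrative assumptions.

```java
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical class: replaces direct calls to sun.security.util.HostnameChecker.match
// with the supported SSLParameters endpoint identification setting.
public class EndpointIdentification {

    /** Turns on hostname checking for the handshake and returns the same object. */
    static SSLParameters requireHostnameMatch(SSLParameters params) {
        params.setEndpointIdentificationAlgorithm("HTTPS"); // use "LDAPS" for LDAP over TLS
        return params;
    }

    /** Client engine whose handshake fails if the certificate does not match peerHost. */
    static SSLEngine clientEngine(String peerHost, int peerPort) throws NoSuchAlgorithmException {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(peerHost, peerPort);
        engine.setUseClientMode(true);
        engine.setSSLParameters(requireHostnameMatch(engine.getSSLParameters()));
        return engine;
    }

    /** Blocking socket variant: the parameters must be set before the handshake starts. */
    static SSLSocket connect(String host, int port) throws IOException {
        SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
        try {
            socket.setSSLParameters(requireHostnameMatch(socket.getSSLParameters()));
            socket.startHandshake(); // throws SSLHandshakeException on a name mismatch
            return socket;
        } catch (IOException e) {
            socket.close(); // do not leak a socket whose peer failed verification
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Runs offline: compare a freshly created engine with a configured one.
        SSLEngine plain = SSLContext.getDefault().createSSLEngine("host.example", 443);
        System.out.println("default:    " + plain.getSSLParameters().getEndpointIdentificationAlgorithm());
        SSLEngine checked = clientEngine("host.example", 443);
        System.out.println("configured: " + checked.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```

The connect helper needs a reachable TLS server; main only inspects the configured parameters and makes no network connection.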


              mchung Mandy Chung