JDK-8193916

Remove deprecated javax.security.auth.Policy API


    • CSR
    • Resolution: Approved
    • P3
    • 11
    • security-libs
    • None
    • source, binary, behavioral
    • low
    • GlassFish is still using it but does not depend on it. It only uses this type if the J2EE 1.3 property javax.security.jacc.auth.policy.provider is set. The code says it should be checked as a last resort and it should not be set in J2EE 1.4. See https://github.com/javaee/glassfish/blob/168ce449c4ea0826842ab4129e83c4a700750970/nucleus/security/core/src/main/java/com/sun/enterprise/security/PolicyLoader.java.

      I filed an issue at https://github.com/javaee/glassfish/issues/22392. The references to this class should be either removed or modified to use reflection.
    • Java API, System or security property
    • SE

      Summary

      Remove the javax.security.auth.Policy API.

      Problem

      The API has been deprecated since 1.4 and marked forRemoval=true in JDK 10.

      Solution

      Remove the API and related permission target names and system properties.

      Specification

      Remove the src/java.base/share/classes/javax/security/auth/Policy.java file.

      Remove some AuthPermission target names:

      diff --git a/src/java.base/share/classes/javax/security/auth/AuthPermission.java b/src/java.base/share/classes/javax/security/auth/AuthPermission.java
      --- a/src/java.base/share/classes/javax/security/auth/AuthPermission.java
      +++ b/src/java.base/share/classes/javax/security/auth/AuthPermission.java
      @@ -32,7 +32,7 @@
        *
        * <p> The target name is the name of a security configuration parameter
        * (see below).  Currently the {@code AuthPermission} object is used to
      - * guard access to the {@link Policy}, {@link Subject},
      + * guard access to the {@link Subject},
        * {@link javax.security.auth.login.LoginContext}, and
        * {@link javax.security.auth.login.Configuration} objects.
        *
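
Review bot: at "guard access to the {@link Subject},", the removed {@link Policy} was a simple-name link that resolved to the same-package javax.security.auth.Policy. With that class deleted, any other simple-name Policy reference left in this package either breaks the javadoc build or, where java.security.Policy is imported, quietly points at a different class. Please confirm that no such reference remains in the files this diff does not show.
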
      @@ -121,21 +121,6 @@
        *                              {@code LoginContext}.
        * </pre>
        *
      - * <p> {@code javax.security.auth.Policy} has been
      - * deprecated in favor of {@code java.security.Policy}.
      - * Therefore, the following target names have also been deprecated:
      - *
      - * <pre>
      - *      getPolicy -             allow the caller to retrieve the system-wide
      - *                              Subject-based access control policy.
      - *
      - *      setPolicy -             allow the caller to set the system-wide
      - *                              Subject-based access control policy.
      - *
      - *      refreshPolicy -         allow the caller to refresh the system-wide
      - *                              Subject-based access control policy.
      - * </pre>
      - *
        * @implNote
        * Implementations may define additional target names, but should use naming
        * conventions such as reverse domain name notation to avoid name clashes.
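
Review bot: the block removed after the closing </pre> drops getPolicy, setPolicy and refreshPolicy from the documented target names with no replacement text, while the surviving @implNote still invites implementation-defined names. The visible change says nothing about existing policy files that grant these three names, so consider a release note, or one sentence here, stating that the names are no longer checked and should not be reused for another purpose.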

      Remove some system properties:

      • auth.policy.provider
      • cache.auth.policy
      • java.security.auth.policy
      • auth.policy.url.<n>
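
A deployment can be checked for leftovers of the removed API with a small startup audit. This is an added example, not code from the JDK or GlassFish; the class name AuthPolicyLeftovers, the helper names, and the sample policy text are constructed for illustration. It assumes the listed property names may have been set either as system properties or as security properties, and that auth.policy.url.<n> is numbered from 1 without gaps.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example (not JDK code): audit a deployment for leftovers of javax.security.auth.Policy. */
public class AuthPolicyLeftovers {
    // Fixed property names listed in the CSR; auth.policy.url.<n> is probed by index below.
    static final String[] REMOVED_PROPS = {
        "auth.policy.provider", "cache.auth.policy", "java.security.auth.policy" };
    // AuthPermission target names removed by the CSR, as they appear in a policy file grant.
    static final Pattern REMOVED_TARGET = Pattern.compile(
        "javax\\.security\\.auth\\.AuthPermission\\s+\"(getPolicy|setPolicy|refreshPolicy)\"");

    static boolean isSet(String name) {
        // Assumption: check both lookups, since the page does not say which one each name used.
        return System.getProperty(name) != null || Security.getProperty(name) != null;
    }

    static List<String> audit(String policyText) {
        List<String> findings = new ArrayList<>();
        try {
            // Load without initializing, so the probe has no side effects on older runtimes.
            Class.forName("javax.security.auth.Policy", false, ClassLoader.getSystemClassLoader());
            findings.add("javax.security.auth.Policy is still present on this runtime");
        } catch (ClassNotFoundException e) {
            findings.add("javax.security.auth.Policy is absent; direct references will fail to link");
        }
        for (String p : REMOVED_PROPS)
            if (isSet(p)) findings.add("removed property is set: " + p);
        for (int n = 1; isSet("auth.policy.url." + n); n++)
            findings.add("removed property is set: auth.policy.url." + n);
        Matcher m = REMOVED_TARGET.matcher(policyText);
        while (m.find())
            findings.add("policy grants removed AuthPermission target: " + m.group(1));
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample policy text, not taken from any real deployment.
        String sample = String.join("\n",
            "grant codeBase \"file:/opt/app/lib/-\" {",
            "    permission javax.security.auth.AuthPermission \"getPolicy\";",
            "    permission javax.security.auth.AuthPermission \"createLoginContext.app\";",
            "};");
        audit(sample).forEach(System.out::println);
    }
}
```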

            weijun Weijun Wang
            mullan Sean Mullan
            Alan Bateman, Sean Mullan