  1. JDK
  2. JDK-8297351

Remove thread text from Subject.current


    • CSR
    • Resolution: Approved
    • P3
    • 20
    • security-libs
    • None
    • behavioral
    • low
    • `Subject.current()` and `Subject.getSubject(AccessController.getContext())` would return null if called inside a virtual thread. Virtual threads are still in preview mode and should not be widely used yet.
    • Java API
    • SE

      Summary

      Remove the paragraph about thread inheritance from the specification of the Subject::current method.

      Problem

      According to JEP 425, virtual threads do not work with SecurityManager and do not inherit the AccessControlContext of the parent thread. This is currently documented in the class description of the java.lang.Thread API as follows:

      Creating a platform thread captures the caller context to limit the
      permissions of the new thread when it executes code that performs a
      privileged action. The captured caller context is the new thread's "Inherited 
      AccessControlContext". Creating a virtual thread does not capture the caller 
      context; virtual threads have no permissions when executing code that 
      performs a privileged action.

      Currently Subject.current() is identical to Subject.getSubject(AccessController.getContext()). This means the current subject is not always inherited when a new thread is created.

      Solution

      See spec below.

      Remove the requirement so that thread inheritance of the current subject can be reconsidered when, in a future release, the SecurityManager and AccessControlContext APIs are removed or become less functional and Subject::current is implemented with a mechanism other than AccessControlContext.

      No change is made to either Subject::getSubject or AccessController::getContext. Both methods are deprecated for removal. Applications depending on Subject::getSubject and Subject::doAs will eventually need to transition to Subject::current and Subject::callAs before the older methods are removed or become less functional.

      No code change is needed for this CSR.
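
      An added example, not part of the CSR or the JDK sources: code that must not depend on thread inheritance of the current subject can capture it and rebind it with Subject::callAs in the new thread. It assumes JDK 21 or later (Thread.ofVirtual without preview flags); DemoPrincipal and withCurrentSubject are hypothetical names, and the first two reports show whatever inheritance behaviour the running JDK has.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

public class SubjectPropagation {
    // Constructed principal for this demo (hypothetical, not a JDK type).
    record DemoPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    // Hypothetical helper: capture the caller's subject at submission time and
    // rebind it with Subject.callAs wherever the task eventually runs.
    static Runnable withCurrentSubject(Runnable task) {
        Subject captured = Subject.current();          // may be null
        return () -> Subject.callAs(captured, () -> { task.run(); return null; });
    }

    // Describe the subject visible to the calling thread.
    static String who() {
        Subject s = Subject.current();
        return s == null ? "no subject" : s.getPrincipals().toString();
    }

    public static void main(String[] args) {
        Subject alice = new Subject(true, Set.of(new DemoPrincipal("alice")),
                                    Set.of(), Set.of());
        Subject.callAs(alice, () -> {
            Runnable report = () -> System.out.println(
                    (Thread.currentThread().isVirtual() ? "virtual : " : "platform: ") + who());
            // Relying on inheritance: the result depends on thread kind and JDK release.
            Thread.ofPlatform().start(report).join();
            Thread.ofVirtual().start(report).join();
            // Explicit propagation: does not depend on inheritance at all.
            Thread.ofVirtual().start(withCurrentSubject(report)).join();
            return null;
        });
    }
}
```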

      Specification

      For javax.security.auth.Subject:

           /**
            * Returns the current subject.
            * ....
      -     * When a new thread is created, its current subject is the same as
      -     * the one of its parent thread, and will not change even if
      -     * its parent thread's current subject is changed to another value.
            * ....
            */
           public static Subject current()
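
      Review bot: With the three removed lines gone, the visible javadoc for current() says nothing about what a newly created thread observes, so callers who relied on the old wording get no signal that the guarantee was withdrawn. Consider replacing the removed paragraph with a sentence stating that inheritance of the current subject by new threads is unspecified, or an @implNote describing the present difference between platform and virtual threads, so that code propagates the subject explicitly with Subject::callAs.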

            weijun Weijun Wang
            mullan Sean Mullan
            Sean Mullan