Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8297795

Deprecate JMX Management Applets for Removal

XMLWordPrintable

    • Icon: CSR CSR
    • Resolution: Approved
    • Icon: P2 P2
    • 20
    • core-svc
    • None
    • source, behavioral
    • low
    • Hide
      There is no evidence that m-lets were ever widely used: there are no bug reports, and no evidence of discussion in public forums. There is no significant interest in developing modern applications that use m-lets. This deprecation will have no impact on users of other JMX features, the JDK's built-in instrumentation, or any of the observability tools.
      Show
      There is no evidence that m-lets were ever widely used: there are no bug reports, and no evidence of discussion in public forums. There is no significant interest in developing modern applications that use m-lets. This deprecation will have no impact on users of other JMX features, the JDK's built-in instrumentation, or any of the observability tools.
    • Java API
    • SE

      Summary

      Deprecate the Java Management Extension (JMX) Management Applet (m-let) feature for removal in a future release.

      Problem

      The m-let feature can load remote code. For this reason, some dynamic loading features are restricted. Specifically, the addURL and getMBeansFromURL methods cannot be invoked without a Security Manager. The Security Manager is a security feature that set out in early JDK releases to protect against the threat of malicious code, but is now a legacy feature, and was deprecated for removal in Java 17 by JEP 411. The dynamic loading features of m-lets will cease to be usable once the Security Manager is further degraded and eventually removed.

      Solution

      We will terminally deprecate the feature.

      Specification

      We will terminally deprecate the following classes, by annotating them with @Deprecated(since="20", forRemoval=true):

      • javax.management.loading.MLet
      • javax.management.loading.MLetContent
      • javax.management.loading.PrivateMLet
      • javax.management.loading.MLetMBean

      The API docs will include the deprecation text:

      This API is part of Management Applets (m-lets), which is a legacy feature that allows loading of remote MBeans. This feature is not usable without a Security Manager, which is deprecated and subject to removal in a future release. Consequently, this API is also deprecated and subject to removal. There is no replacement.

            kevinw Kevin Walls
            kevinw Kevin Walls
            Roger Riggs, Sean Mullan
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: