Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8298966

Deprecate JMX Subject Delegation and the method JMXConnector.getMBeanServerConnection(Subject) for removal.



    • Enhancement
    • Resolution: Fixed
    • P4
    • 21
    • None
    • core-svc


      Deprecate the Java Management Extension (JMX) Subject Delegation feature for removal in a future release. The feature is enabled by the method javax/management/remote/JMXConnector.getMBeanServerConnection(javax.security.auth.Subject) which will be deprecated for removal.

      A connection to a JMXConnector has at most one authenticated Subject. Subject delegation enables a client to perform operations as or on behalf of multiple identities, by passing a per-request Subject. Permission is required to do this, a javax.management.remote.SubjectDelegationPermission for the subject name to which permission will delegated.

      There is no evidence this feature is used.

      Subject Delegation requires a policy file to grant the SubjectDelegationPermission, and the implementation relies on deprecated methods such as java.security.AccessController.checkPermission and java.security.AccessControlContext.checkPermission. These are deprecated for removal as part of JEP 411: the Security Manager and related classes are considered legacy and deprecated for removal.

      Affected deprecated methods will cease to be usable once the Security Manager is further degraded and eventually removed.

      Given no known usage, there is no replacement feature for JMX Subject Delegation.

      The deprecation of this feature will have no impact on other JMX features, the JMX agent used for local and remote monitoring, the built-in instrumentation of the Java virtual machine, or tooling that uses JMX.


        Issue Links



              kevinw Kevin Walls
              kevinw Kevin Walls
              0 Vote for this issue
              7 Start watching this issue