Skip to content

Investigate Java 18 (and 9) security implications #134

New issue
New issue
Open
Open
Investigate Java 18 (and 9) security implications#134
Assignees
tzaeschke
@tzaeschke

Description

@tzaeschke
tzaeschke
opened on Mar 31, 2022

Java 18 deprecates the SecurityManager. This has several implications. Obvious ones to check:

  • Does setAccessible() become cheap enough that we do not need to cache it?
  • Do we use the SecurityManager to access class loaders or resources?
  • Doe we use SecurityManager for RMI?
  • Update to JDO 3.x with removed SecurityManager?
  • (Java 9) Investigate implications of modules and Reflection Permissions

References:
https://openjdk.java.net/jeps/411
https://inside.java/2021/04/23/security-and-sandboxing-post-securitymanager/
https://issues.apache.org/jira/browse/DERBY-7138
https://stackoverflow.com/a/53935674/980270 (2nd comment: "There are few other ways to block reflection operations: 1) setAccessible() 2) RetentionPolicy annotated class gets a RuntimeInvisible\ RuntimeVisible class attribute or won't appear in the decompiled class 3) Use module concept in Java 9 and Reflection Permissions")

Metadata

Metadata

Assignees

Labels

No labels
No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions