JDK 20 Rampdown Phase 2 & JMX Heads-up

[David Delabassee <da...@oracle.com>]

Hi,

First off, on behalf of Oracle’s Java Team, I’d like to wish you a happy 
and prosperous new year!

In 2023, two Java releases will be made available: JDK 20 (March) &  JDK 
21 (September).

JDK 20 [1] has entered Rampdown Phase Two (RDP2) [2], its initial 
Release Candidate is planned for February 9. Given that and to be better 
prepared for the future, it makes sense to begin testing your project(s) 
using JDK 21 early-access (EA) builds. Your feedback allows us to 
evaluate and address issues you find while testing EA builds.

[1] https://jdk.java.net/20/
[2] https://mail.openjdk.org/pipermail/jdk-dev/2023-January/007308.html
[3] https://jdk.java.net/21/


## Heads-up - JDK 21: JMX Subject Delegation & Fine-grained Security 
Deprecation

JMX has some features that rely on Security Manager APIs which are 
deprecated for removal (see JEP 411 [4]). These features are "Subject 
Delegation" and "Fine-grained Security", which both seem to be generally 
unused, and would require significant investment to implement without 
touching the deprecated APIs. As a consequence, "Subject Delegation" is 
being proposed for deprecation in JDK 21 [5].

Fine-grained Security is also being considered for deprecation at the 
same time. This feature [6] has allowed configuration of a security 
policy to restrict or permit access to specific MBean actions. It is 
expected that this feature is generally unused, possibly because there 
is simply no demand for such detailed control, and that it is too 
complex to create and maintain the policies.

[4] https://openjdk.org/jeps/411
[5] https://bugs.openjdk.org/browse/JDK-8298966
[6] 
https://docs.oracle.com/en/java/javase/19/jmx/fine-grained-security-example.html


## JDK 20 Early-Access builds

The latest early-access builds of JDK 20 (builds 32) are available [7], 
and are provided under the GNU General Public License v2, with the 
Classpath Exception. The Release Notes are available here [8].

[7] https://openjdk.org/projects/jdk/20/
[8] https://jdk.java.net/20/release-notes

### JEPs integrated into JDK 20:

- JEP 429: Scoped Values (Incubator)
- JEP 432: Record Patterns (2nd Preview)
- JEP 433: Pattern Matching for switch (4th Preview)
- JEP 434: Foreign Function & Memory API (2nd Preview)
- JEP 436: Virtual Threads (2nd Preview)
- JEP 437: Structured Concurrency (2nd Incubator)

### Changes in recent JDK 20 builds that may be of interest:

- JDK-8298525: javadoc crashes with "UnsupportedOperationException: Not 
yet implemented" in SeeTaglet.inherit [Reported by Apache Ant]
- JDK-8298893: Rename option UsePolyIntrinsics to UsePoly1305Intrinsics
- JDK-8287411: Enhance DTLS Performance
- JDK-8293554: Enhanced DH Key Exchanges


## JDK 21 Early-Access builds

The latest early-access builds of JDK 21 (builds 6) are available [9], 
and are provided under the GNU General Public License v2, with the 
Classpath Exception. The related EA API Javadoc is also available [10].

[9] https://jdk.java.net/21/
[10] https://download.java.net/java/early_access/jdk21/docs/api/

### Changes in recent JDK 21 builds that may be of interest:

- JDK-8297295: Remove ThreadGroup.allowThreadSuspension
- JDK-8287411: Enhance DTLS performance
- JDK-8233269: Improve handling of JAVA_ARGS
- JDK-8297933: Compiler should only use verified interface types for 
optimization
- JDK-8298381: Improve handling of session tickets for multiple SSLContexts
- JDK-8299501: Usage of constructors of primitive wrapper classes should 
be avoided in java.util API docs
- JDK-8299475: Enhance SocketException by cause where it is missing in 
net and nio area
- JDK-8299544: Improve performance of CRC32C intrinsics (non-AVX-512) 
for small inputs
- JDK-8299576: Reimplement java.io.Bits using VarHandle access
- JDK-8278326: Socket close is not thread safe and other cleanup
- JDK-8299673: Simplify object pinning interactions with string 
deduplication


## JavaFX 20 & 21 Early-Access Builds

These are early-access builds of the JavaFX Runtime, built from 
openjdk/jfx [11]. Those EA builds are intended to allow JavaFX 
application developers to build and test their applications with JavaFX 
20 on JDK 20. The latest EA builds (JavaFX 20 EA b16 2023/1/14) are now 
available [12] and are provided under the GNU General Public License, 
version 2, with the Classpath Exception. Please note that initial JavaFX 
21 early-access builds (JavaFX 21 b1 2023/1/19) are now available [13] 
as well.
Feedback should be reported to the openjfx-dev mailing list [14].

[11] https://github.com/openjdk/jfx
[12] https://jdk.java.net/javafx20/
[13] https://jdk.java.net/javafx21/
[14] http://mail.openjdk.org/mailman/listinfo/openjfx-dev


## Topics of Interest:

- On Markdown in (Java) documentation comments
https://mail.openjdk.org/pipermail/javadoc-dev/2023-January/005563.html

- Lifetimes in the Foreign Function & Memory API
https://cr.openjdk.java.net/~mcimadamore/panama/why_lifetimes.html

- Java's Plans for 2023 - Inside Java Newscast #40
https://inside.java/2023/01/19/newscast-40/

- Informational JEP: Preview Features: A Look Back, and A Look Ahead
https://openjdk.org/jeps/8300604

- Java 20 - An Almost Infinite Memory Segment Allocator
https://minborgsjavapot.blogspot.com/2023/01/java-20-almost-infinite-memory-segment.html

- Podcast: “Helidon Níma & Virtual Threads”
https://inside.java/2023/01/12/podcast-029/

- From ThreadLocal to ScopedValue with Loom - JEP Café #16
https://inside.java/2023/01/10/jepcafe16/

- Java 20 - Colossal Sparse Memory Segments
https://minborgsjavapot.blogspot.com/2023/01/java-20-colossal-sparse-memory-segments.html

- Another Panama Update
https://mail.openjdk.org/pipermail/panama-dev/2022-December/018182.html

- Secure Coding Guidelines for Java SE
https://inside.java/2023/01/04/secure-coding-guideline/

- Java Networking Enhancements since JDK 11
https://inside.java/2022/12/28/jdk-networking-enhancements/

- Podcast: “Java Language - State of the Union”
https://inside.java/2022/12/23/podcast-028/

- Tutorial - Using Pattern Matching
https://dev.java/learn/pattern-matching/

- 24 Java Features You Missed In 2022 - Inside Java Newscast #39
https://inside.java/2022/12/15/newscast-39/


## January 2023 Critical Patch Update Released

As part of the January 2023 CPU, we released JDK 19.0.2, JDK 17.0.6 LTS, 
JDK 11.0.18 LTS and JDK 8u361 as well as OpenJDK 19.0.2.


## Oracle JRE and JDK Cryptographic Roadmap

The crypto roadmap [14] provides the information on Oracle's plans for 
changes to the security algorithms and associated policies/settings in 
the Oracle JRE & JDK.

[14] https://www.java.com/en/jre-jdk-cryptoroadmap.html

~

We look forward to your continued participation in 2023. And as always, 
if you find an issue, please let us know through the usual channels.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: JDK 20 Rampdown Phase 2 & JMX Heads-up

[Rémy Maucherat <re...@apache.org>]

On Wed, Jan 25, 2023 at 12:04 PM Mark Thomas <ma...@apache.org> wrote:
>
> On 25/01/2023 05:21, David Delabassee wrote:
>
> <snip/>
>
> > ## Heads-up - JDK 21: JMX Subject Delegation & Fine-grained Security
> > Deprecation
> >
> > JMX has some features that rely on Security Manager APIs which are
> > deprecated for removal (see JEP 411 [4]). These features are "Subject
> > Delegation" and "Fine-grained Security", which both seem to be generally
> > unused, and would require significant investment to implement without
> > touching the deprecated APIs. As a consequence, "Subject Delegation" is
> > being proposed for deprecation in JDK 21 [5].
> >
> > Fine-grained Security is also being considered for deprecation at the
> > same time. This feature [6] has allowed configuration of a security
> > policy to restrict or permit access to specific MBean actions. It is
> > expected that this feature is generally unused, possibly because there
> > is simply no demand for such detailed control, and that it is too
> > complex to create and maintain the policies.
>
> <snip/>
>
> I never even knew that this was possible. And I thought I had read the
> JMX docs reasonably thoroughly.
>
> I have always viewed the lack of fine-grained security to be a
> significant weakness in the JMX security model. I wish I had known about
> this years ago.
>
> There is a demand for fine-grained security with JMX. We have had users
> express a desire to expose some parts of some JMX MBeans to a sub-set of
> users.
>
> I'm fine with the removal of the SecurityManager. Even if they had been
> aware of the option, requiring the use of a SecurityManager to enable
> fine-grained security with JMX may have prevented many users for
> adopting the approach.
>
> If there is any way the fine-grained security can be retained, I think
> that would be useful. Maybe some sort of authorization SPI where users
> can provide the answer to "Can this user with these roles call this method?"

I didn't know about the feature either. Maybe it wasn't there when we
initially implemented JMX ? I have no idea. And I don't know how to
use it right now obviously ;)
Using fine grained security would be a good idea if it is possible.
Probably something very simple though: stats only and the rest.

Rémy

> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: JDK 20 Rampdown Phase 2 & JMX Heads-up

[Mark Thomas <ma...@apache.org>]

On 25/01/2023 05:21, David Delabassee wrote:

<snip/>

> ## Heads-up - JDK 21: JMX Subject Delegation & Fine-grained Security 
> Deprecation
> 
> JMX has some features that rely on Security Manager APIs which are 
> deprecated for removal (see JEP 411 [4]). These features are "Subject 
> Delegation" and "Fine-grained Security", which both seem to be generally 
> unused, and would require significant investment to implement without 
> touching the deprecated APIs. As a consequence, "Subject Delegation" is 
> being proposed for deprecation in JDK 21 [5].
> 
> Fine-grained Security is also being considered for deprecation at the 
> same time. This feature [6] has allowed configuration of a security 
> policy to restrict or permit access to specific MBean actions. It is 
> expected that this feature is generally unused, possibly because there 
> is simply no demand for such detailed control, and that it is too 
> complex to create and maintain the policies.

<snip/>

I never even knew that this was possible. And I thought I had read the 
JMX docs reasonably thoroughly.

I have always viewed the lack of fine-grained security to be a 
significant weakness in the JMX security model. I wish I had known about 
this years ago.

There is a demand for fine-grained security with JMX. We have had users 
express a desire to expose some parts of some JMX MBeans to a sub-set of 
users.

I'm fine with the removal of the SecurityManager. Even if they had been 
aware of the option, requiring the use of a SecurityManager to enable 
fine-grained security with JMX may have prevented many users for 
adopting the approach.

If there is any way the fine-grained security can be retained, I think 
that would be useful. Maybe some sort of authorization SPI where users 
can provide the answer to "Can this user with these roles call this method?"

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org