You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Emmanuel Bourg <eb...@apache.org> on 2022/09/28 15:05:01 UTC
Security manager support
Hi all,
The security manager has been deprecated for removal in Java 17 [1], and
at some point Tomcat will have to stop supporting it.
Do we want to wait until it's no longer available in the JDK to remove
it from Tomcat, or should we remove it earlier, maybe in Tomcat 10.1 or 11?
I tend to think there are better solutions at the OS level to isolate a
Tomcat instance nowadays, and I lean toward dropping it before its
removal from the JDK.
What do you think?
Emmanuel Bourg
[1] https://openjdk.org/jeps/411
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Security manager support
Posted by Romain Manni-Bucau <rm...@gmail.com>.
Hi,
If it helps, commons weaver (
https://commons.apache.org/proper/commons-weaver/commons-weaver-parent/commons-weaver-modules-parent/commons-weaver-privilizer-parent/index.html)
can help for the backport part (enable or not the run in build.xml).
Romain
Le dim. 2 oct. 2022 à 06:42, Christopher Schultz <
chris@christopherschultz.net> a écrit :
> Emmanuel,
>
> On 9/28/22 11:05, Emmanuel Bourg wrote:
> > The security manager has been deprecated for removal in Java 17 [1], and
> > at some point Tomcat will have to stop supporting it.
> >
> > Do we want to wait until it's no longer available in the JDK to remove
> > it from Tomcat, or should we remove it earlier, maybe in Tomcat 10.1 or
> 11?
> >
> > I tend to think there are better solutions at the OS level to isolate a
> > Tomcat instance nowadays, and I lean toward dropping it before its
> > removal from the JDK.
> >
> > What do you think?
>
> My only concern is that it may cause some headaches for anything we want
> to back-port.
>
> Mark has a separate thread about Loom and there will obviously be some
> significant changes and incompatibilities introduced by that as well.
> Doing them together makes sense to me.
>
> But the SM code permeates all of Tomcat where the Loom stuff is likely
> to be much more isolated. I think it will have farther-reaching impacts.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
Re: Security manager support
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Emmanuel,
On 9/28/22 11:05, Emmanuel Bourg wrote:
> The security manager has been deprecated for removal in Java 17 [1], and
> at some point Tomcat will have to stop supporting it.
>
> Do we want to wait until it's no longer available in the JDK to remove
> it from Tomcat, or should we remove it earlier, maybe in Tomcat 10.1 or 11?
>
> I tend to think there are better solutions at the OS level to isolate a
> Tomcat instance nowadays, and I lean toward dropping it before its
> removal from the JDK.
>
> What do you think?
My only concern is that it may cause some headaches for anything we want
to back-port.
Mark has a separate thread about Loom and there will obviously be some
significant changes and incompatibilities introduced by that as well.
Doing them together makes sense to me.
But the SM code permeates all of Tomcat where the Loom stuff is likely
to be much more isolated. I think it will have farther-reaching impacts.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Security manager support
Posted by Han Li <li...@apache.org>.
> 2022年9月29日 00:16,Rémy Maucherat <re...@apache.org> 写道:
>
> On Wed, Sep 28, 2022 at 5:41 PM Mark Thomas <ma...@apache.org> wrote:
>>
>> On 28/09/2022 16:05, Emmanuel Bourg wrote:
>>> Hi all,
>>>
>>> The security manager has been deprecated for removal in Java 17 [1], and
>>> at some point Tomcat will have to stop supporting it.
>>>
>>> Do we want to wait until it's no longer available in the JDK to remove
>>> it from Tomcat, or should we remove it earlier, maybe in Tomcat 10.1 or 11?
>>>
>>> I tend to think there are better solutions at the OS level to isolate a
>>> Tomcat instance nowadays, and I lean toward dropping it before its
>>> removal from the JDK.
>>>
>>> What do you think?
>>
>> I was thinking of proposing its removal for Tomcat 11. I think 10.1 is a
>> little early.
>
> +1 if we want to attempt it 11 would be a plan. 12 would be too far
> away (it's frustrating !). -1 for 10.1, it's released now.
+1
: )
Han
>
> Rémy
>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Security manager support
Posted by Rémy Maucherat <re...@apache.org>.
On Wed, Sep 28, 2022 at 5:41 PM Mark Thomas <ma...@apache.org> wrote:
>
> On 28/09/2022 16:05, Emmanuel Bourg wrote:
> > Hi all,
> >
> > The security manager has been deprecated for removal in Java 17 [1], and
> > at some point Tomcat will have to stop supporting it.
> >
> > Do we want to wait until it's no longer available in the JDK to remove
> > it from Tomcat, or should we remove it earlier, maybe in Tomcat 10.1 or 11?
> >
> > I tend to think there are better solutions at the OS level to isolate a
> > Tomcat instance nowadays, and I lean toward dropping it before its
> > removal from the JDK.
> >
> > What do you think?
>
> I was thinking of proposing its removal for Tomcat 11. I think 10.1 is a
> little early.
+1 if we want to attempt it 11 would be a plan. 12 would be too far
away (it's frustrating !). -1 for 10.1, it's released now.
Rémy
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Security manager support
Posted by Mark Thomas <ma...@apache.org>.
On 28/09/2022 16:05, Emmanuel Bourg wrote:
> Hi all,
>
> The security manager has been deprecated for removal in Java 17 [1], and
> at some point Tomcat will have to stop supporting it.
>
> Do we want to wait until it's no longer available in the JDK to remove
> it from Tomcat, or should we remove it earlier, maybe in Tomcat 10.1 or 11?
>
> I tend to think there are better solutions at the OS level to isolate a
> Tomcat instance nowadays, and I lean toward dropping it before its
> removal from the JDK.
>
> What do you think?
I was thinking of proposing its removal for Tomcat 11. I think 10.1 is a
little early.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org