Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JDK17: java.security.AccessController is deprecated #119

Open
rprpx opened this issue Jun 26, 2023 · 2 comments
Open

JDK17: java.security.AccessController is deprecated #119

rprpx opened this issue Jun 26, 2023 · 2 comments

Comments

@rprpx
Copy link

rprpx commented Jun 26, 2023

Is your feature request related to a problem? Please describe.
com.password4j.Utils uses java.security.AccessController (at line 508)

With JDK17, java.security.AccessController is deprecated and marked for removal.
https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/security/AccessController.html

.... this is in conjunction with the deprecation of SecurityManager
https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/lang/SecurityManager.html

.... additional documentation on the matter is found here:
https://openjdk.org/jeps/411

Describe the solution you'd like
A code update that does not depend on a deprecated class.
Naturally, for now, at least while using JDK17, things still work, but wanted to make sure you knew about this.

Describe alternatives you've considered
Apologies---I'm not currently aware of a course of action to recommend.

Thank you.

@firaja
Copy link
Member

firaja commented Jun 27, 2023

Hello @rprpx ,

yes I'm aware of it.
That part is identical to the implementation of SecureRandom#getInstanceStrong. If you get a look to it even in the last JDK (20) the developers just put a @SuppressWarnings("removal").

We don't have any information on how and when this should be migrated in future versions.

I'll keep this issue open as a reminder.

The only option I see is to do something like that

String property;
try
{
      property = Security.getProperty("securerandom.strongAlgorithms");
}
catch (SecurityException se)
{
      property = PropertyReader.readString("securerandom.strongAlgorithms", "", null);
}

and requires a new property to be defined in psw4j.properties with the same value in java.security

@firaja
Copy link
Member

firaja commented Aug 21, 2023

Hi @rprpx a fix for this issue is published under 1.7.2.
It's just a @SuppressWarnings("removal"). I will leave this issue opened until we get some official instructions.

@firaja firaja moved this from In Progress to Blocked in Core development Sep 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: Blocked
Development

No branches or pull requests

2 participants