Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JDK17: java.security.AccessController is deprecated #119

Open
rprpx opened this issue Jun 26, 2023 · 2 comments
Open

JDK17: java.security.AccessController is deprecated #119

rprpx opened this issue Jun 26, 2023 · 2 comments
Labels
priority: low status: needs information type: discussion
Milestone
1.7.2

Comments

@rprpx
Copy link

rprpx commented Jun 26, 2023

Is your feature request related to a problem? Please describe.
com.password4j.Utils uses java.security.AccessController (at line 508)

With JDK17, java.security.AccessController is deprecated and marked for removal.
https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/security/AccessController.html

.... this is in conjunction with the deprecation of SecurityManager
https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/lang/SecurityManager.html

.... additional documentation on the matter is found here:
https://openjdk.org/jeps/411

Describe the solution you'd like
A code update that does not depend on a deprecated class.
Naturally, for now, at least while using JDK17, things still work, but wanted to make sure you knew about this.

Describe alternatives you've considered
Apologies---I'm not currently aware of a course of action to recommend.

Thank you.
@firaja
Copy link
Member

firaja commented Jun 27, 2023

Hello @rprpx ,

yes I'm aware of it.
That part is identical to the implementation of SecureRandom#getInstanceStrong. If you get a look to it even in the last JDK (20) the developers just put a @SuppressWarnings("removal").

We don't have any information on how and when this should be migrated in future versions.

I'll keep this issue open as a reminder.

The only option I see is to do something like that

String property;
try
{
      property = Security.getProperty("securerandom.strongAlgorithms");
}
catch (SecurityException se)
{
      property = PropertyReader.readString("securerandom.strongAlgorithms", "", null);
}

and requires a new property to be defined in psw4j.properties with the same value in java.security

@firaja firaja added this to the 1.7.2 milestone Jul 31, 2023
firaja added a commit that referenced this issue Aug 20, 2023
@firaja
#119: temporary solution until java dev team will find a final solution
7cf9d4c
@firaja
Copy link
Member

firaja commented Aug 21, 2023

Hi @rprpx a fix for this issue is published under 1.7.2.
It's just a @SuppressWarnings("removal"). I will leave this issue opened until we get some official instructions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
priority: low status: needs information type: discussion
Projects
Core development
Status: Blocked
Milestone
1.7.2
Development

No branches or pull requests
2 participants
@firaja @rprpx