Remove references to the Java SecurityManager and associated APIs

[volosied]

Listed under the 4.1 changes, but I don't see any existing issues.

https://jakarta.ee/specifications/faces/4.1/

[volosied]

Security Manger Removed via https://github.com/eclipse-ee4j/mojarra/pull/5373

See

• https://github.com/eclipse-ee4j/mojarra/commit/ce18c7539b05765d71304270d4c2ed1ac9b87fe5#diff-6e59848a7dc34c64f4c25e5afc623099e1262d1161223a33eec9570569242aebL406-L410
• https://github.com/eclipse-ee4j/mojarra/commit/ce18c7539b05765d71304270d4c2ed1ac9b87fe5#diff-c4e3071e604f05d174124e203a03cbab031d50af70cb75547bf9973239360fd0L513
• https://github.com/eclipse-ee4j/mojarra/commit/ce18c7539b05765d71304270d4c2ed1ac9b87fe5#diff-06cdd3a8e3066908b2522a4d3c0c59988342e1d5dcbecac708bee6c461cca5a0L33

[volosied]

@arjantijms @BalusC I don't see any SecurityManger references in 4.1 / 5.0, so safe to close out?

[volosied]

MyFaces still has references. I'll wait to close this out until we remove it there. Is this more for the IMPL or API?

[BalusC]

I don't see any SecurityManger references in 4.1 / 5.0.

All changes in 4.1 are merged into 5.0. So that's indeed expected.

Is this more for the IMPL or API?

Impl, actually. The API has no SecurityManager references. I'm not sure why it was listed in spec page. Oversight I guess.

[volosied]

Thanks for the quick reply.

MyFaces has a reference or two in the API, but the majority are in the Impl.

api/src/main/java/jakarta/faces/FactoryFinder.java
123:            if (System.getSecurityManager() != null)

I'm assuming this shouldn't be in the changelog then? MyFaces should be updated to remove it everywhere nonetheless.

[pnicolucci]

1) We don't currently have anything in the ChangeLog: https://github.com/jakartaee/faces/blob/4.1/spec/src/main/asciidoc/ChangeLog.adoc 2) The Release Plan: https://projects.eclipse.org/projects/ee4j.faces/releases/4.1/plan does not mention anything about the SecurityManager. 3) However, https://jakarta.ee/specifications/faces/4.1/ does mention removal of the SecurityManager

We need to determine if we want to declare that Faces 4.1 should remove references to the SecurityManager. As noted previously MyFaces does have references to the SecurityManager in the MyFaces API. If we're all in agreement that removal of the SecurityManager references is ok for Faces 4.1 then I can get a PR up to add it to the ChangeLog and reference this issue and we can close it.

Thoughts @BalusC @arjantijms @tandraschko @volosied ?

[arjantijms]

We need to determine if we want to declare that Faces 4.1 should remove references to the SecurityManager

Absolutely, removing SecurityManager is part of the overal Jakarta EE 11 plan.

[pnicolucci]

I'll open a PR to add this to the changelog

[pnicolucci]

MyFaces issue to implement: https://issues.apache.org/jira/browse/MYFACES-4653

[pnicolucci]

Closing, since this is implemented in both MyFaces and Mojarra, and the Spec Changelog has been updated.