JDK17: java.security.AccessController is deprecated
Is your feature request related to a problem? Please describe.
com.password4j.Utils uses java.security.AccessController (at line 508)
With JDK17, java.security.AccessController is deprecated and marked for removal. https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/security/AccessController.html
.... this is in conjunction with the deprecation of SecurityManager https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/lang/SecurityManager.html
.... additional documentation on the matter is found here: https://openjdk.org/jeps/411
Describe the solution you'd like
A code update that does not depend on a deprecated class. Naturally, for now, at least while using JDK17, things still work, but wanted to make sure you knew about this.
Describe alternatives you've considered
Apologies---I'm not currently aware of a course of action to recommend.
Thank you.
Hello @rprpx,
yes I'm aware of it.
That part is identical to the implementation of SecureRandom#getInstanceStrong. If you take a look at it, even in the latest JDK (20) the developers just put a @SuppressWarnings("removal").
We don't have any information on how and when this should be migrated in future versions.
I'll keep this issue open as a reminder.
The only option I see is to do something like this:

    String property;
    try
    {
        property = Security.getProperty("securerandom.strongAlgorithms");
    }
    catch (SecurityException se)
    {
        property = PropertyReader.readString("securerandom.strongAlgorithms", "", null);
    }

and it requires a new property to be defined in psw4j.properties with the same value as in java.security
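The fallback sketched in the comment above, carried through to the point where a SecureRandom is actually selected. This is an added example, not password4j's or the JDK's code: the class name, `FALLBACK_ALGORITHMS` and `fromList` are hypothetical, and the constant stands in for the value the comment proposes reading from psw4j.properties.

```java
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.Security;

public class StrongRandomLookup {

    // Hypothetical stand-in for the application-side copy of the property
    // (the comment above proposes psw4j.properties); empty in this example.
    static final String FALLBACK_ALGORITHMS = "";

    static String strongAlgorithms() {
        try {
            // Direct read, with no AccessController.doPrivileged wrapper.
            String value = Security.getProperty("securerandom.strongAlgorithms");
            return value != null ? value : FALLBACK_ALGORITHMS;
        } catch (SecurityException se) {
            // Reachable only while a SecurityManager is installed and denies the read.
            return FALLBACK_ALGORITHMS;
        }
    }

    // Entries are comma-separated "algorithm" or "algorithm:provider" items.
    static SecureRandom fromList(String list) throws NoSuchAlgorithmException {
        for (String entry : list.split(",")) {
            String[] parts = entry.trim().split(":", 2);
            String algorithm = parts[0].trim();
            String provider = parts.length == 2 ? parts[1].trim() : "";
            if (algorithm.isEmpty()) continue;
            try {
                return provider.isEmpty()
                        ? SecureRandom.getInstance(algorithm)
                        : SecureRandom.getInstance(algorithm, provider);
            } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
                // Not available on this JVM; try the next entry.
            }
        }
        // Fail closed, as SecureRandom.getInstanceStrong() does, rather than
        // silently handing back a default generator.
        throw new NoSuchAlgorithmException("No strong SecureRandom in: " + list);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SecureRandom viaProperty = fromList(strongAlgorithms());
        // Constructed input: the unavailable first entry is skipped, not fatal.
        SecureRandom viaSample = fromList("NoSuchAlg:NoSuchProvider, SHA1PRNG");
        System.out.println(viaProperty.getAlgorithm() + " / " + viaSample.getAlgorithm());
    }
}
```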
Hi @rprpx, a fix for this issue is published under 1.7.2.
It's just a @SuppressWarnings("removal"). I will leave this issue open until we get some official instructions.