JDK-8147400 : Deprecate policytool
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 9
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2016-01-14
  • Updated: 2017-05-17
  • Resolved: 2016-01-27
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
9 b104Fixed
Related Reports
Relates :  
Relates :  
Relates :  
Sub Tasks
JDK-8148207 :  
JDK-8173016 :  
Deprecate the policytool command line tool, and target its removal for JDK 10.

The policytool is a tool with a GUI for editing policy files. However, it is an old tool with a clunky legacy UI and is not widely used - a survey on security-dev on its usage only revealed one user. Most users edit policy files by hand. Hence, we don't think it provides much value and would like to remove it so that we no longer have to support it.  

A CCC should be filed and a correspond docs bug should be filed to update the man pages for policytool to contain a prominent note such as the following:

Note: The policytool tool has been deprecated since JDK 9 and is planned to be removed in the next major JDK release. 

Optionally, we should consider printing a similar warning whenever policytool is run.
Adding @Deprecated to the non-public classes seems very strange. Okay on the PolicyTool class but it won't be in an exported package so nothing can compile against it to see the warning. I would assume that deprecating policytool is mostly just a docs/release notes issue.

The only user is icedtea-web's PolicyEditor (http://icedtea.classpath.org/wiki/IcedTea-Web-PolicyEditor) 113 * This class provides a policy editing tool as a simpler alternate to 114 * the JDK PolicyTool. It is much simpler than PolicyTool - only 115 * a handful of pre-defined permissions can be enabled or disabled, 116 * on a per-codebase basis. There are no considerations for Principals, 117 * who signed the code, or custom permissions. It can launch policytool if a user wants to edit the file directly. [1] http://mail.openjdk.java.net/pipermail/security-dev/2014-October/011354.html