JDK-8298966 : Deprecate JMX Subject Delegation and the method JMXConnector.getMBeanServerConnection(Subject) for removal.
  • Type: Enhancement
  • Component: core-svc
  • Sub-Component: javax.management
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2022-12-16
  • Updated: 2024-05-30
  • Resolved: 2023-03-14
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 21
21 b14Fixed
Related Reports
CSR :  
JDK-8298967 - Deprecate JMX Subject Delegation and the method JMXConnector.getMBeanServerConnection(Subject) for removal.
Relates :  
JDK-8326666 - Remove the Java Management Extension (JMX) Subject Delegation feature
Relates :  
JDK-8304327 - JMX Guide: Document the deprecation of Subject Delegation
Sub Tasks
JDK-8304127 :  
Release Note: Deprecate JMX Subject Delegation and the `JMXConnector.getMBeanServerConnection(Subject)` Method for Removal - Resolved
Description
Deprecate the Java Management Extension (JMX) Subject Delegation feature for removal in a future release.  The feature is enabled by the method javax/management/remote/JMXConnector.getMBeanServerConnection(javax.security.auth.Subject) which will be deprecated for removal.

A connection to a JMXConnector has at most one authenticated Subject.  Subject delegation enables a client to perform operations as or on behalf of multiple identities, by passing a per-request Subject.  Permission is required to do this, a javax.management.remote.SubjectDelegationPermission for the subject name to which permission will delegated.

There is no evidence this feature is used. 

Subject Delegation requires a policy file to grant the SubjectDelegationPermission, and the implementation relies on deprecated methods such as java.security.AccessController.checkPermission and java.security.AccessControlContext.checkPermission.  These are deprecated for removal as part of JEP 411: the Security Manager and related classes are considered legacy and deprecated for removal.

Affected deprecated methods will cease to be usable once the Security Manager is further degraded and eventually removed.

Given no known usage, there is no replacement feature for JMX Subject Delegation.

The deprecation of this feature will have no impact on other JMX features, the JMX agent used for local and remote monitoring, the built-in instrumentation of the Java virtual machine, or tooling that uses JMX.
Comments
Changeset: 4e631fa4 Author: Kevin Walls <kevinw@openjdk.org> Date: 2023-03-14 16:59:27 +0000 URL: https://git.openjdk.org/jdk/commit/4e631fa43fd821846c12ae2177360c44cf770766
14-03-2023
Some other methods in the exported API of JMX packages also take an optional delegationSubject as parameter (where optional means: it may be null, if no delegation). These methods cannot be deprecated unless other methods that do not have this parameter are added, but the impact of doing so on backward compatibility and interoperability is unclear. (see javax.management.remote.rmi.RMIConnector pointed by Mandy, there are more methods than getMBeanServerConnection)
16-02-2023
javax.management.remote.rmi.RMIConnector::getMBeanServerConnection(Subject) should also be deprecated for removal. This requires investigation on the interoperability of client/server running with different JDK versions.
16-02-2023
A pull request was submitted for review. URL: https://git.openjdk.org/jdk/pull/11880 Date: 2023-01-06 12:02:37 +0000
31-01-2023