JDK-8354406 : Deprecate URL::getPermission method and networking permission classes for removal
  • Type: CSR
  • Component: core-libs
  • Sub-Component: java.net
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 25
  • Submitted: 2025-04-11
  • Updated: 2025-05-09
  • Resolved: 2025-05-09
Related Reports
CSR :  
JDK-8353642 - Deprecate URL::getPermission method and networking permission classes for removal
Description
Summary
-------

Permission classes used by the now removed Security Manager are deprecated for removal including `NetPermission`, `NetworkPermission`, `URLPermission`. The `URL::getPermission` method serves little purpose and is also deprecated for removal. 
Note that `SocketPermission` is not deprecated at this time, due to a dependency from `java.security.CodeSource`.
Deprecation of `SocketPermission` will be the object of a future RFE/CSR (JDK-8356557). 

Problem
-------
Now that JEP 486 has been integrated and the Security Manager is permanently disabled, the following permission classes in the core libraries are no longer useful: `NetPermission`, `NetworkPermission`, `URLPermission`. Some public subclasses of `URLConnection` are overriding the `URLConnection::getPermission` method and are specified to return instances of the deprecated permission classes. As such,  the `URLConnection::getPermission` method should also be deprecated for removal in `URLConnection` and its subclasses.

Solution
--------

The following classes in the public API are deprecated for removal:

 - `java.net.NetPermission`,
 - `jdk.net.NetworkPermission`,
 - `java.net.URLPermission`

The following methods in the public API are deprecated for removal:

 - `java.net.URLConnection::getPermission`
 - `java.net.HttpURLConnection::getPermission`

Specification
-------------

For the classes `NetPermission`, `NetworkPermission`, `URLPermission`, each class adds the annotation indicating the deprecation for removal.

```
@Deprecated(since = "25", forRemoval = true)
```

The '@apiNote' in each class is changed to '@deprecated' so that the javadoc for each class includes the text:

> Deprecated, for removal: This API element is subject to removal in a future version.

The existing text describing the deprecation is retained:

> This permission cannot be used for controlling access to resources as the Security Manager is no longer supported.

For `URLConnection::getPermission` and `HttpURLConnection::getPermission`, each method adds the annotation indicating the deprecation for removal:

```
@Deprecated(since = "25", forRemoval = true)
```

In addition an `@deprecated` tag is added to the API documentation of the methods:

For `URLConnection::getPermission`:

```
    /**
     * [...]
     * @deprecated
     * Permissions can no longer be used for controlling access to resources
     * as the Security Manager is no longer supported.
     */
    @Deprecated(since = "25", forRemoval = true)
    public Permission getPermission() throws IOException {
```

For `HttpURLConnection::getPermission`:

```
    /**
     * [...]
     * @deprecated
     * Permissions can no longer be used for controlling access to resources
     * as the Security Manager is no longer supported.
     */
    @Deprecated(since = "25", forRemoval = true)
    public Permission getPermission() throws IOException {
```
Comments
Moving to Approved.
09-05-2025
Patch `8353642-03.diff` attached. This corresponds to the patch in the [3rd and last webrev][1] of the [PR][2]. [1]: https://openjdk.github.io/cr/?repo=jdk&pr=24592&range=03 [2]: https://github.com/openjdk/jdk/pull/24592
09-05-2025
Moving to Provisional.
08-05-2025