JDK-8362175 : Update CodeSource::implies API documentation and deprecate java.net.SocketPermission class for removal
  • Type: CSR
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 26
  • Submitted: 2025-07-14
  • Updated: 2025-07-22
  • Resolved: 2025-07-22
Description
Summary
-------

Deprecate `java.net.SocketPermission` for removal. Remove dependencies on `SocketPermission` from `java.security.CodeSource.implies()`.

Problem
-------

`SocketPermission` should be deprecated for removal, as has already been done for many other `Permission` subclasses (see [JDK-8353680](https://bugs.openjdk.org/browse/JDK-8353680)). However, `CodeSource.implies()` has specification dependencies on `SocketPermission`, which require additional changes to decouple.

We want to decouple these dependencies so `SocketPermission` and `CodeSource.implies()` can be deprecated and/or removed independently of each other.

Solution
--------

Deprecate `SocketPermission` for removal. Remove the dependencies on `SocketPermission` from `CodeSource.implies()` by copying the relevant conditions from `SocketPermission.implies()`.

This is strictly a docs change. There is no behavior change. The implementation remains the same.

Note that we may also eventually deprecate `CodeSource.implies` for removal but that requires more investigation.

Specification
-------------

For `SocketPermission`, the `Deprecated` annotation is added indicating deprecation for removal:
 
    
    @Deprecated(since="26", forRemoval = true)
    
The `@apiNote` is changed to `@deprecated` so that the javadoc includes the text:

    
    This permission cannot be used for controlling access to resources as the Security Manager is no longer supported.
    
For `CodeSource.implies()`, the following condition:

  *  If this object's host (`getLocation().getHost()`) is not null, then the
     `SocketPermission` constructed with this object's host must imply the
     `SocketPermission` constructed with <i>codesource</i>'s host.

is replaced with:

  *  If this object's host (`getLocation().getHost()`) is not null,
     then the following checks are made in order:

     * If this object's host was initialized with a single IP
       address then one of <i>codesource</i>'s IP addresses must be
       equal to this object's IP address.
     * If this object's host is a wildcard domain (such as
       `*.example.com`), then <i>codesource</i>'s canonical host name
       (the name without any preceding `*`) must end with this object's
       canonical host name. For example, `*.example.com` implies
       `*.foo.example.com`.
     * If this object's host was not initialized with a single
       IP address, then one of this object's IP addresses must equal
       one of <i>codesource</i>'s IP addresses or this object's
       canonical host name must equal <i>codesource</i>'s canonical
       host name.
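
The ordered host checks in the replacement text, modelled as an added Java example (this is not JDK code and is not part of the CSR). `HostSpec`, `hostImplies` and the sample hosts are hypothetical; IP addresses and canonical names are passed in as constructed data instead of being resolved, so the model runs offline and shows why a look-alike domain does not satisfy the wildcard rule.

```java
import java.util.Locale;
import java.util.Set;

// Added illustration: models the three host checks quoted above, in order.
// HostSpec and hostImplies are hypothetical names, not JDK API.
public class HostImpliesModel {

    // host as written, whether it was a single IP literal, its IP addresses,
    // and its canonical name (all supplied by the caller, nothing is resolved).
    record HostSpec(String host, boolean singleIp, Set<String> addresses, String canonicalName) {
        boolean wildcard() { return host.startsWith("*"); }
        // For a wildcard, the canonical name is the host without the preceding '*'.
        // Lower-casing is an assumption of this model (host names are case-insensitive).
        String cname() {
            return (wildcard() ? host.substring(1) : canonicalName).toLowerCase(Locale.ROOT);
        }
    }

    static boolean hostImplies(HostSpec self, HostSpec other) {
        // Check 1: single IP address, so one of other's addresses must equal it.
        if (self.singleIp()) {
            return other.addresses().contains(self.addresses().iterator().next());
        }
        // Check 2: wildcard domain, so other's canonical name must end with ours.
        if (self.wildcard()) {
            return other.cname().endsWith(self.cname());
        }
        // Check 3: any shared IP address, or equal canonical names.
        for (String a : self.addresses()) {
            if (other.addresses().contains(a)) return true;
        }
        return self.cname().equals(other.cname());
    }

    public static void main(String[] args) {
        // Constructed sample data using documentation address ranges.
        HostSpec ip = new HostSpec("192.0.2.10", true, Set.of("192.0.2.10"), "192.0.2.10");
        HostSpec wild = new HostSpec("*.example.com", false, Set.of(), "");
        HostSpec sub = new HostSpec("*.foo.example.com", false, Set.of(), "");
        HostSpec www = new HostSpec("www.example.com", false, Set.of("192.0.2.10"), "www.example.com");
        HostSpec look = new HostSpec("badexample.com", false, Set.of("198.51.100.7"), "badexample.com");

        System.out.println("ip   -> www : " + hostImplies(ip, www));    // www has the single IP
        System.out.println("wild -> sub : " + hostImplies(wild, sub));  // the example from the text
        System.out.println("wild -> look: " + hostImplies(wild, look)); // lacks the ".example.com" suffix
        System.out.println("www  -> ip  : " + hostImplies(www, ip));    // one address in common
        System.out.println("www  -> look: " + hostImplies(www, look));  // no address or name in common
    }
}
```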
     
Comments
Moving to Approved.
22-07-2025