[Feature] dubbo uses setSecurityManager which is now deprecated on JDK 17 #14512

Open
3 of 4 tasks
zjf88865 opened this issue Aug 11, 2024 · 4 comments
Labels
component/need-triage Need maintainers to triage type/need-triage Need maintainers to triage

Comments

@zjf88865

Pre-check

  • I am sure that all the content I provide is in English.

Search before asking

  • I had searched in the issues and found no similar feature requirement.

Apache Dubbo Component

Java SDK (apache/dubbo)

Descriptions

Dubbo uses setSecurityManager, which is now deprecated on JDK 17.
Running untrusted code is a hard problem, and unfortunately history has shown Java's approach to it to be flawed. Given its history of vulnerabilities, it isn't widely used and nobody really wants to be responsible for its maintenance.

The future of running untrusted code might be WASM/WASI, although it's not clear to me if there will ever be a system that is resistant to spectre-style attacks.
The SecurityManager design was flawed, not because it didn't work (per se), but because it followed an operation-level "deny" model instead of a module-level "grant" model. If an applet wants to read/write files, it has access to the entire java.io package, and so every single method in that package needs to consult the SecurityManager to deny specific operations.

When Java was new, the API was extremely tiny, and so the SecurityManager design made sense because it was easy to identify all the methods that needed a security check. As new JDK features were added, it was easy to make mistakes and let privileged operations be unchecked.

A better model is to define a generic java.io package that just provides basic stream classes, and define a java.file module for file-specific stuff. An applet can access java.io, but it cannot access java.file. Instead, it has a special java.applet.file module it can use. This makes it much easier to lock down the feature set while still allowing new features to be added to the general purpose java.file module.

In theory, the module system provides all the tools for making a better security manager, but sadly, the java.io, java.net, and java.nio packages are all in the base module. Until these packages are broken up (and the original classes deprecated/removed), there's no practical way to support JVM-level security. Instead, applications which want to securely support applets/plugins must run each one in a separate container, with a separate JVM, wasting memory and CPU cycles by doing so.

With the widespread use of Spring Boot 3, JDK 8 will certainly become history. If you want to be safe, you should consider the security of running containers, such as using Docker, gVisor or Firecracker. If you can't achieve absolute security at the operating system level, you might want to look into GraalVM's sandboxes: https://www.graalvm.org/latest/security-guide/polyglot-sandbox/
While it mentions polyglot, it also works with traditional Java. This might be the future solution if you can't allow for process boundaries, rather than the security manager.

From a business perspective, JDK 8 version 202 or later will be charged. Since Dubbo 3.3 already supports Spring Boot 3, do we still need to use the expired API? Will there be unpredictable risks with the new version?

Related issues

No response

Are you willing to submit a pull request to fix on your own?

  • Yes I am willing to submit a pull request on my own!

Code of Conduct

@zjf88865 zjf88865 added component/need-triage Need maintainers to triage type/need-triage Need maintainers to triage labels Aug 11, 2024
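
The issue above concerns `System.setSecurityManager` and the operation-level check model it describes. The Java program below is an added example, not code from the issue author or from Dubbo: where the JVM still permits it, it installs a recording SecurityManager and lists the permission checks that a single `File.exists()` call triggers. `SecurityManagerProbe`, `RecordingManager` and the sample path are hypothetical names; it assumes the JDK behaviour that `setSecurityManager` throws `UnsupportedOperationException` on JDK 18+ unless the JVM is started with `-Djava.security.manager=allow`, and always on JDK 24+.

```java
import java.io.File;
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;

@SuppressWarnings("removal") // SecurityManager is deprecated for removal since JDK 17
public class SecurityManagerProbe {

    /** Hypothetical manager: records each permission check instead of denying it. */
    static final class RecordingManager extends SecurityManager {
        final List<Permission> seen = new ArrayList<>();
        @Override public void checkPermission(Permission p) { seen.add(p); }
        @Override public void checkPermission(Permission p, Object context) { seen.add(p); }
    }

    /** Returns the checks triggered by one File.exists() call, or null if no manager can be installed. */
    static List<Permission> probe(String path) {
        SecurityManager previous = System.getSecurityManager();
        RecordingManager recorder = new RecordingManager();
        try {
            System.setSecurityManager(recorder);
        } catch (UnsupportedOperationException e) {
            return null; // the JVM disallows installing a manager at run time
        } catch (SecurityException e) {
            return null; // an already-installed manager denied the replacement
        }
        List<Permission> checks;
        try {
            new File(path).exists();                 // the library method consults the manager
            checks = new ArrayList<>(recorder.seen); // snapshot before the restore adds its own check
        } finally {
            System.setSecurityManager(previous);     // put back whatever was there before
        }
        return checks;
    }

    public static void main(String[] args) {
        String path = "constructed-sample.txt"; // constructed path, does not need to exist
        List<Permission> checks = probe(path);
        System.out.println("java.version = " + System.getProperty("java.version"));
        if (checks == null) {
            System.out.println("setSecurityManager is not usable on this JVM");
            return;
        }
        for (Permission p : checks) {
            System.out.println("consulted: " + p);
        }
    }
}
```
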
@AlbumenJ
Member

I cannot find it

@zjf88865
Author

zjf88865 commented Aug 15, 2024

> I cannot find it

Uploading image.png…

@AlbumenJ
Member

Imgs are broken

@zjf88865
Author

zjf88865 commented Sep 4, 2024

> Imgs are broken
