Java 21 JDK Prepares Developers For Permission Based Instrumentation

Tom Smykowski
10 min read · Oct 22, 2023

With this major security shift, messing with Java's integrity ramparts will soon require explicit permission

Java 21 JDK was released on 19 September 2023, just two months ago. One of the interesting topics of this release is improved security.

With this release, a warning is printed whenever an agent is loaded dynamically into a running JVM. It is a preparation to close the biggest security threat to Java apps.

Agents are pieces of code that can attach to an existing Java app and rewrite its bytecode. It sounds fun, until you realize someone can inject malicious code into your favorite agent.

Let's say you have code like this:

If user is an admin then drop the database

But you add a rogue agent that modifies the code to:

drop the database
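As an added example (not code from the article), here is a minimal audit-only agent in Java, with constructed class and jar names, that shows the two entry points the agent mechanism described above relies on and registers a transformer that only reports when an already-loaded class is being rewritten. On JDK 21, attaching it dynamically prints the new warning unless the JVM was started with -XX:+EnableDynamicAgentLoading; -XX:-EnableDynamicAgentLoading disallows dynamic attach altogether.

```java
// AuditAgent.java (constructed name). Package it as audit-agent.jar (constructed)
// with a MANIFEST.MF that sets Premain-Class and Agent-Class to AuditAgent and
// Can-Retransform-Classes: true, then start the app with
//   java -javaagent:audit-agent.jar -jar app.jar
// for static loading, or attach at runtime to exercise the JDK 21 warning path.
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public final class AuditAgent {
    // Internal names of classes seen being redefined or retransformed.
    static final Set<String> SEEN = ConcurrentHashMap.newKeySet();

    // Entry point for static loading via -javaagent on the command line.
    public static void premain(String args, Instrumentation inst) {
        install("premain", inst);
    }

    // Entry point for dynamic attach; this is the path JDK 21 now warns about.
    public static void agentmain(String args, Instrumentation inst) {
        install("agentmain", inst);
    }

    static void install(String how, Instrumentation inst) {
        System.err.println("[audit-agent] installed via " + how
                + ", canRedefine=" + inst.isRedefineClassesSupported()
                + ", canRetransform=" + inst.isRetransformClassesSupported());
        // Register with canRetransform only if the manifest granted it,
        // otherwise addTransformer(..., true) throws UnsupportedOperationException.
        inst.addTransformer(new ClassFileTransformer() {
            @Override
            public byte[] transform(ClassLoader loader, String name,
                                    Class<?> redefined, ProtectionDomain pd,
                                    byte[] bytes) {
                // 'redefined' is null on first load; non-null means some agent
                // or tool is rewriting a class that is already loaded.
                if (redefined != null && SEEN.add(name)) {
                    System.err.println("[audit-agent] class " + name
                            + " is being redefined or retransformed");
                }
                return null; // null leaves the bytecode untouched
            }
        }, inst.isRetransformClassesSupported());
    }
}
```

Because the transformer returns null it never changes behavior; it only gives you a log line when something else does.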

There is a group of other Java APIs that allow similar things: the reflection and unsafe APIs, which can read and modify Java data directly.

All of these can ignore the fact that you declared your classes, methods or fields private. There are cases where this is useful: serialization, documentation tools, logging tools and other instrumentation solutions may legitimately need to access your private elements and modify your code.

However, we live in times where we can trust the safety of third-party libraries and tools less and less. A tool we use can suddenly contain code that digs into the private code that protects the safety of our apps.

To prevent such actions, Java is moving towards an architecture where, by default, the integrity of your app is preserved.

Practically, it means some APIs will change, and to use others, tools and libraries will have to obtain explicit permission.

As the end result of this process, developers will be able to assume their domain invariants hold globally: nothing will be able to change the behavior of their private code without explicit permission in the app's execution parameters or configuration.

Written by Tom Smykowski

Hi! My name is Tom Smykowski, and I’m a Staff Frontend Engineer. Grab a free scalable Angular app checklist: https://tomasz-smykowski.com/scalable-angular
