Java 21 JDK Prepares Developers For Permission Based Instrumentation
With this major security shift, tampering with Java's integrity safeguards will soon require an explicit permission
Java 21 JDK was released on 19th September 2023, just two months ago. One of the interesting topics of this release is improved security.
With this release, the JVM prints a warning whenever an agent is loaded dynamically into a running application. It is a preparation for closing off the biggest security threat to Java apps.
Agents are pieces of code that can tap into an existing Java app and tamper with its bytecode. It sounds fun, until you realize someone can inject malicious code into your favorite agent.
Let’s say you have code like this:
If the user is an admin, then drop the database
But a rogue agent modifies it to:
Drop the database
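As an added example (not code from the article), here is a minimal observe-only agent that logs whenever an already-loaded class gets rewritten, together with the attach launcher that triggers the new JDK 21 warning; the class names AuditAgent and Attach and the jar name audit.jar are assumptions.

```java
// AuditAgent.java: observe-only agent plus a tiny attach launcher (added example, not from the article).
// Assumed names: AuditAgent, Attach, audit.jar. The jar manifest must contain:
//   Premain-Class: AuditAgent
//   Agent-Class: AuditAgent
//   Can-Retransform-Classes: true
import com.sun.tools.attach.VirtualMachine;   // jdk.attach module
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;

public class AuditAgent {
    // Startup path: java -javaagent:audit.jar App  -> no warning on JDK 21.
    public static void premain(String args, Instrumentation inst) { install("premain", inst); }

    // Dynamic-attach path: JDK 21 prints a warning unless the target JVM was started with
    // -XX:+EnableDynamicAgentLoading, and refuses the load under -XX:-EnableDynamicAgentLoading.
    public static void agentmain(String args, Instrumentation inst) { install("agentmain", inst); }

    private static void install(String how, Instrumentation inst) {
        System.err.println("[audit] agent loaded via " + how
                + ", retransform supported=" + inst.isRetransformClassesSupported());
        // Observe-only transformer: always returns null, so no bytecode is ever changed.
        inst.addTransformer(new ClassFileTransformer() {
            @Override
            public byte[] transform(ClassLoader loader, String className, Class<?> beingRedefined,
                                    ProtectionDomain pd, byte[] classfile) {
                // beingRedefined is non-null only when an already-loaded class is
                // retransformed or redefined, i.e. when someone rewrites live code.
                if (beingRedefined != null) {
                    System.err.println("[audit] live rewrite of " + className);
                }
                return null;
            }
        }, true);
    }
}

// Loads audit.jar into a running JVM: java Attach <pid> /path/to/audit.jar
class Attach {
    public static void main(String[] a) throws Exception {
        VirtualMachine vm = VirtualMachine.attach(a[0]);
        try {
            vm.loadAgent(a[1]);  // target JVM prints the JDK 21 dynamic-load warning here
        } finally {
            vm.detach();
        }
    }
}
```

Start the target with -XX:-EnableDynamicAgentLoading to see the attach refused, or with -javaagent:audit.jar to see the same agent accepted silently at startup.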
There is a group of other Java APIs that allow similar things: the reflection and unsafe APIs, which can read and modify Java data directly.
All of these can bypass the private modifier you put on your classes, methods or fields. There are cases where that is useful, for example serialization, documentation tools, logging tools and…