JDK-24: the death of SecurityManager

It has happened: after many years of deprecation warnings and back-and-forth conversations, the SecurityManager is effectively dead. JDK-24, released just last week, sets a final point in this long story. But there is no time to grieve, so many new features in JDK-24 to talk about!

The JDK-24 is really packed with JEPs, nonetheless some of them are being dragged from the previous JDK releases. Let us kick off from the finalized features first, with the preview / experimental / incubating to follow right after.

• JEP-472: Prepare to Restrict the Use of JNI: issues warnings about uses of the Java Native Interface (JNI) and adjusts the Foreign Function & Memory (FFM) API to issue warnings in a consistent manner. All such warnings aim to prepare developers for a future release that ensures integrity by default by uniformly restricting JNI and the FFM API. Application developers can avoid both current warnings and future restrictions by selectively enabling these interfaces where essential.

  Code that uses JNI is affected by native access restrictions if

  • It calls System::loadLibrary, System::load, Runtime::loadLibrary, or Runtime::load, or
  • It declares a native method.

  The following warnings are going to be issued:

       WARNING: A restricted method in java.lang.System has been called
       WARNING: java.lang.System::loadLibrary has been called by com.example.LoadLibraryRunner in an unnamed module (...)
       WARNING: Use --enable-native-access=ALL-UNNAMED to avoid a warning for callers in this module
       WARNING: Restricted methods will be blocked in a future release unless native access is enabled

  As per the hints above, to enable native access selectively, you could use the following command-line options:

  • $ java --enable-native-access=ALL-UNNAMED ... (all code on the class path)
  • $ java --enable-native-access=M1,M2, ... (specific modules on the module path)

  Alternatively, you could add Enable-Native-Access: ALL-UNNAMED to the manifest of an executable JAR file (MANIFEST.MF). The only supported value for the Enable-Native-Access manifest entry is ALL-UNNAMED; other values cause an exception to be thrown. For more details, please check Quality Outreach Heads-up - JDK 24: Prepares Restricted Native Access write-up.

• JEP-498: Warn upon Use of Memory-Access Methods in sun.misc.Unsafe: issues a warning at run time on the first occasion that any memory-access method in sun.misc.Unsafe is invoked. All of these unsupported methods were terminally deprecated in JDK 23. They have been superseded by standard APIs, namely the VarHandle API (JEP 193, JDK 9) and the Foreign Function & Memory API (JEP 454, JDK 22).

  In case when usage of the sun.misc.Unsafe memory-access methods is detected, the following warnings are going to be issued:

       WARNING: A terminally deprecated method in sun.misc.Unsafe has been called
       WARNING: sun.misc.Unsafe::allocateMemory has been called by com.example.UnsafeRunner (...)
       WARNING: Please consider reporting this to the maintainers of class com.example.UnsafeRunner
       WARNING: sun.misc.Unsafe::allocateMemory will be removed in a future release

• JEP-491: Synchronize Virtual Threads without Pinning: improves the scalability of Java code that uses synchronized methods and statements by arranging for virtual threads that block in such constructs to release their underlying platform threads for use by other virtual threads. This will eliminate nearly all cases of virtual threads being pinned to platform threads, which severely restricts the number of virtual threads available to handle an application's workload.

• JEP-475: Late Barrier Expansion for G1: simplifies the implementation of the G1 garbage collector's barriers, which record information about application memory accesses, by shifting their expansion from early in the C2 JIT's compilation pipeline to later.

• JEP-479: Remove the Windows 32-bit x86 Port: removes the source code and build support for the Windows 32-bit x86 port. This port was deprecated for removal in JDK 21 with the express intent to remove it in a future release.

• JEP-490: ZGC: Remove the Non-Generational Mode: removes the non-generational mode of the Z Garbage Collector (ZGC), keeping the generational mode as the default for ZGC.

• JEP-501: Deprecate the 32-bit x86 Port for Removal: deprecates the 32-bit x86 port, with the intent to remove it in a future release. This will thereby deprecate the Linux 32-bit x86 port, which is the only 32-bit x86 port remaining in the JDK. It will also, effectively, deprecate any remaining downstream 32-bit x86 ports. After the 32-bit x86 port is removed, the architecture-agnostic Zero port will be the only way to run Java programs on 32-bit x86 processors.

• JEP-493: Linking Run-Time Images without JMODs: reduces the size of the JDK by approximately 25% by enabling the jlink tool to create custom run-time images without using the JDK's JMOD files. This feature must be enabled when the JDK is built; it will not be enabled by default, and some JDK vendors may choose not to enable it.

• JEP-496: Quantum-Resistant Module-Lattice-Based Key Encapsulation Mechanism: enhances the security of Java applications by providing an implementation of the quantum-resistant Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM). Key encapsulation mechanisms (KEMs) are used to secure symmetric keys over insecure communication channels using public key cryptography. ML-KEM is designed to be secure against future quantum computing attacks. It has been standardized by the United States National Institute of Standards and Technology (NIST) in FIPS 203.

• JEP-497: Quantum-Resistant Module-Lattice-Based Digital Signature Algorithm: enhances the security of Java applications by providing an implementation of the quantum-resistant Module-Lattice-Based Digital Signature Algorithm (ML-DSA). Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of signatories. ML-DSA is designed to be secure against future quantum computing attacks. It has been standardized by the United States National Institute of Standards and Technology (NIST) in FIPS 204.

• JEP-484: Class-File API: provides a standard API for parsing, generating, and transforming Java class files. This JEP finalizes the Class-File API that was originally proposed as a preview feature by JEP 457 in JDK 22 and refined by JEP 466 in JDK 23.

• JEP-486: Permanently Disable the Security Manager: removes the abilities to enable the Security Manager when starting the Java runtime (java -Djava.security.manager ...) or to install a Security Manager while an application is running (System::setSecurityManager).

  It is worth to mention that the impacted APIs changes are going way beyond just Security Manager, notably:

  • AccessController::checkPermission always throws java.security.AccessControlException
  • Policy::setPolicy always throws java.lang.UnsupportedOperationException
  • Policy::getInstance methods always throw java.security.NoSuchAlgorithmException
  • SecurityManager::check* methods always throw java.lang.SecurityException
  • Subject::getSubject always throws java.lang.UnsupportedOperationException
  • java.lang.SecurityException has been removed from most of the JDK's method signatures

• JEP-483: Ahead-of-Time Class Loading & Linking: improves startup time by making the classes of an application instantly available, in a loaded and linked state, when the HotSpot Java Virtual Machine starts. Achieve this by monitoring the application during one run and storing the loaded and linked forms of all classes in a cache for use in subsequent runs. Lay a foundation for future improvements to both startup and warmup time.

  This one is probably the first tangible deliverable of the Project Leyden, and an exciting one. The process to create a cache takes two steps.

  First, run the application once, in a training run, to record its AOT configuration, in this case into the file app.aotconf:

      $ java -XX:AOTMode=record -XX:AOTConfiguration=app.aotconf -cp app.jar com.example.App ...
      

  Second, use the configuration to create the cache, in the file app.aot (this step doesn’t run the application, it just creates the cache):

      $ java -XX:AOTMode=create -XX:AOTConfiguration=app.aotconf -XX:AOTCache=app.aot -cp app.jar
      

  Subsequently, in testing or production, run the application with the cache (if the cache file is unusable or does not exist then the JVM issues a warning message and continues):

      $ java -XX:AOTCache=app.aot -cp app.jar com.example.App ...
      

The process is somewhat verbose at the moment, but no doubts, there are strong indications that the improvements are coming in the next release(s).

• JEP-485: Stream Gatherers: enhances the Stream API to support custom intermediate operations. This will allow stream pipelines to transform data in ways that are not easily achievable with the existing built-in intermediate operations.

  From the API perspective, the changes include:

  • new intermediate default <R> Stream<R> gather(Gatherer<? super T, ?, R> gatherer) operation on java.util.stream.Stream that processes the elements of a stream by applying a user-defined entity called a gatherer
  • new interface Gatherer<T,A,R>
  • new class Gatherers, factory of implementations of Gatherer<T,A,R> that provide useful intermediate operations, such as windowing functions, folding functions, transforming elements concurrently, etc.

  Please check recently published The Gatherer API tutorial for more in-depth API design overview and different usage scenarios.

It was a lot but we are far from done yet, the list of preview / experimental / incubating features is as impressive:

• JEP-478: Key Derivation Function API (Preview): introduces an API for Key Derivation Functions (KDFs), which are cryptographic algorithms for deriving additional keys from a secret key and other data. This is a preview API feature.

• JEP-487: Scoped Values (Fourth Preview): introduces scoped values, which enable a method to share immutable data both with its callees within a thread, and with child threads. Scoped values are easier to reason about than thread-local variables. They also have lower space and time costs, especially when used together with virtual threads (JEP 444) and structured concurrency (JEP 480). This is a preview API feature.

• JEP-489: Vector API (Ninth Incubator): introduces an API to express vector computations that reliably compile at runtime to optimal vector instructions on supported CPU architectures, thus achieving performance superior to equivalent scalar computations.

• JEP-499: Structured Concurrency (Fourth Preview): simplifies concurrent programming by introducing an API for structured concurrency. Structured concurrency treats groups of related tasks running in different threads as a single unit of work, thereby streamlining error handling and cancellation, improving reliability, and enhancing observability. This is a preview API feature.

• JEP-494: Module Import Declarations (Second Preview): enhances the Java programming language with the ability to succinctly import all of the packages exported by a module. This simplifies the reuse of modular libraries, but does not require the importing code to be in a module itself. This is a preview language feature that we have covered previously.

• JEP-488: Primitive Types in Patterns, instanceof, and switch (Second Preview): enhances pattern matching by allowing primitive types in all pattern contexts, and extend instanceof and switch to work with all primitive types. This is a preview language feature that we have covered previously.

• JEP-404: Generational Shenandoah (Experimental): enhances the Shenandoah garbage collector with experimental generational collection capabilities to improve sustainable throughput, load-spike resilience, and memory utilization. This experimental feature could be activated through the JVM command line options:

  $ java -XX:+UseShenandoahGC -XX:+UnlockExperimentalVMOptions -XX:ShenandoahGCMode=generational ... 

• JEP-450: Compact Object Headers (Experimental): reduces the size of object headers in the HotSpot JVM from between 96 and 128 bits down to 64 bits on 64-bit architectures. This will reduce heap size, improve deployment density, and increase data locality. This experimental feature could be is activated through the JVM command line options:

  $ java -XX:+UnlockExperimentalVMOptions -XX:+UseCompactObjectHeaders ... 

• JEP-492: Flexible Constructor Bodies (Third Preview): in constructors in the Java programming language, allows statements to appear before an explicit constructor invocation, i.e., super(..) or this(..). The statements cannot reference the instance under construction, but they can initialize its fields. Initializing fields before invoking another constructor makes a class more reliable when methods are overridden. This is a preview language feature.

• JEP-495: Simple Source Files and Instance Main Methods (Fourth Preview): evolves the Java programming language so that beginners can write their first programs without needing to understand language features designed for large programs. Far from using a separate dialect of the language, beginners can write streamlined declarations for single-class programs and then seamlessly expand their programs to use more advanced features as their skills grow. Experienced developers can likewise enjoy writing small programs succinctly, without the need for constructs intended for programming in the large. This is a preview language feature.

The amount of features we just looked at is astonishingly large for just one release, but let us take a look on some other fixes and improvements that went into JDK-24:

• JDK-8338890: Add monitoring/management interface for the virtual thread scheduler: introduces a new JDK-specific monitoring and management interface named jdk.management.VirtualThreadSchedulerMXBean to monitor and manage the virtual thread scheduler with JMX based tooling.

• JDK-8334026: Provide a diagnostic PrintMemoryMapAtExit switch on Linux: adds a new command line option -XX:+UnlockDiagnosticVMOptions -XX:+PrintMemoryMapAtExit to be able to get an annotated memory map at exit.

• JDK-8340821: Umbrella: Improve FFM Bulk Operations: an umbrella issue for a set of FFM API bulk operation improvements.

• JDK-8336856: Efficient Hidden Class-Based String Concatenation Strategy: seeks to unify bootstrapping JEP-280: Indify String Concatenation expressions strategies into a single one that uses per-shape class generation emitting code semantically similar to the optimized MH expression tree.

• JDK-8333867: SHA3 Performance Can be Improved: improves SHA3 performance by eliminating unnecessary conversions.

• JDK-8338542 Umbrella: Reduce Startup Overhead Associated with Migration to ClassFile API: an umbrella issue for reducing startup overhead associated with migration of java.lang.invoke package to ClassFile API.

• JDK-8180450: secondary_super_cache does not scale well: improvements related to better scaling of the secondary_super_cache.

• JDK-8320448: Accelerate IndexOf Using AVX2: rewrites the String::indexOf code without the use of the pcmpestri instruction, only using AVX2 instructions (this change accelerates String::indexOf on average 1.3x for AVX2).

• JDK-8343791: Socket.connect Closes the Socket If the Connection Cannot Be Established: the new SocketImpl introduced under JEP-353 did not close the underlying socket when the connect method rejected an unresolved address.

• JDK-8342075: HttpClient: improve HTTP/2 flow control checks: the HttpClient should report flow control issues to the server as FLOW_CONTROL_ERROR.

• JDK-8324209: Check implementation of Expect: 100-continue in the java.net.http.HttpClient: the HttpClient would previously timeout if a server didn’t respond to a request which included a Expect: 100-Continue header.

• JDK-8319993: Update Unicode Data Files to 16.0.0: support for Unicode 16.0

• JDK-8333582: Update CLDR to Version 46.0: support for CLDR Version 46.

The JDK-24 tooling updates bring some new capabilities and deprecations:

• JDK-8173970: jar tool should have a way to extract to a directory: The jar tool's extract operation has been enhanced to allow the --dir or the -C options to be used to specify the directory where the archive will be extracted.

• JDK-8335912: Add an operation mode to the jar command when extracting to not overwriting existing files: the jar tool's extract operation has been enhanced to allow the --keep-old-files and the -k options to be used in preventing the overwriting of existing files.

• JDK-8337199: Add jcmd Thread.vthread_scheduler and Thread.vthread_pollers diagnostic commands: brings two new jcmd commands:

  • $ jcmd <pid> Thread.vthread_scheduler to print the virtual thread scheduler
  • $ jcmd <pid> Thread.vthread_pollers to print the I/O pollers that support virtual threads doing blocking network I/O operations

• JDK-8327793: jstatd Is Deprecated for Removal: to reduce dependencies on RMI, the jstatd tool should be removed.

• JDK-8338894: Deprecate jhsdb debugd for removal: the debugd subcommand of the jhsdb tool is deprecated, for removal in a future release.

Sadly, there are few regressions to be aware of that sneaked into JDK-24 release:

• JDK-8350820: OperatingSystemMXBean CpuLoad() Methods Return -1.0 on Windows: on Windows, the OperatingSystemMXBean CPU load methods, such as getSystemCpuLoad, getCpuLoad, and getProcessCpuLoad, always return -1.

• JDK-8349637: IInteger.numberOfLeadingZeros outputs incorrectly in certain cases: the method Integer.numberOfLeadingZeros(int) may return an incorrect result on x86_64 with AVX2.

Last but not least, let us look over the changes to the standard library:

• In scope of JDK-8341566: New Reader.of(CharSequence), one new method was introduced into java.io.Reader class:

  • static Reader of(CharSequence cs)

• The JDK-8336479: Provide Process.waitFor(Duration) adds a new method to java.lang.Process class:

  • boolean waitFor(Duration duration) throws InterruptedException

• The class java.io.Console got a few new methods:

  • Console println()

  • String readln()

• The class java.io.IO got two new methods:

  • static void println()

  • static String readln()

To close up, a couple of security related enhancements that deserve closer look:

• JDK-8341964: Add mechanism to disable different parts of TLS cipher suite: TLS cipher suites can be disabled with the jdk.tls.disabledAlgorithms security property in the java.security configuration file using one or more '*' wildcard characters.

• JDK-8319332: Security properties files inclusion: the java.security security properties file, and those referred to by the java.security.properties system property, now support including other properties files. The directive include <path-to-a-file> can be used for this purpose. Please refer to Quality Outreach Heads-up - JDK 24: Security Properties Files Inclusion for more details.

I think it is fair to say that JDK-24 is an outstanding (and at the same time, disruptive to some) release that prepares the ground for the next LTS version, JDK-25, which is expected to land later this year.

I 🇺🇦 stand 🇺🇦 with 🇺🇦 Ukraine.

JDK-21: green threads are officially back!

The JDK-21 is there, bringing virtual threads (back) into JVM as a generally available feature (if you are old enough like myself, you might have remembered that in Java 2 releases prior to 1.3 the JVM used its own threads library, known as green threads, to implement threads in the Java platform). This is big, but what else is coming?

• JEP-431: Sequenced Collections: introduces new interfaces to represent collections with a defined encounter order. Each such collection has a well-defined first element, second element, and so forth, up to the last element. It also provides uniform APIs for accessing its first and last elements, and for processing its elements in reverse order.

  The following new interfaces have been introduced (and retrofitted into the existing collections type hierarchy), potentially a breaking change for some library implementors:

  • java.util.SequencedCollection
  • java.util.SequencedMap
  • java.util.SequencedSet

• JEP-439: Generational ZGC: improves application performance by extending the Z Garbage Collector (ZGC) to maintain separate generations for young and old objects. This will allow ZGC to collect young objects — which tend to die young — more frequently.

  By default, the -XX:+UseZGC command-line option selects non-generational ZGC, but to select the Generational ZGC, additional command line option -XX:+ZGenerational is required:

  $ java -XX:+UseZGC -XX:+ZGenerational ...
  

• JEP-440: Record Patterns: enhances the Java programming language with record patterns to deconstruct record values. Record patterns and type patterns can be nested to enable a powerful, declarative, and composable form of data navigation and processing. This is certainly a huge step towards having a powerful, feature-rich pattern matching capabilities in the language:

      interface Host {}
      record TcpHost(String name, int port) implements Host {}
      record HttpHost(String scheme, String name, int port) implements Host {}
      

  The are several places the records could be deconstructed, instanceof check being one of those:

      final Host host = new HttpHost("https", "localhost", 8080);
      if (host instanceof HttpHost(var scheme, var name, var port)) {
          ... 
      } else if (host instanceof TcpHost(var name, var port)) {
          ...
      }
      

• JEP-441: Pattern Matching for switch: enhances the Java programming language with pattern matching for switch expressions and statements. Extending pattern matching to switch allows an expression to be tested against a number of patterns, each with a specific action, so that complex data-oriented queries can be expressed concisely and safely.

  Considering the example with the records deconstruction from above, we could use record patterns in switch expressions too:

          var hostname = switch(host) {
              case HttpHost(var scheme, var name, var port) -> name;
              case TcpHost(var name, var port) -> name;
              default -> throw new IllegalArgumentException("Unknown host");
          };
      

  But the switch patterns are much more powerful, with guards to pattern case labels, null labels, etc.

          final Object obj = ... ; 
          var o = switch (obj) {
              case null ->  ... ;
              case String s -> ... ;
              case String[] a when a.length == 0 -> ... ;
              case String[] a -> ... ;
              default ->  ... ;
          }
      

• JEP-444: Virtual Threads: introduces virtual threads to the Java Platform. Virtual threads are lightweight threads that dramatically reduce the effort of writing, maintaining, and observing high-throughput concurrent applications. The virtual threads and executors could be used along the traditional ones, following the same familiar API:

      try (var executor = Executors.newVirtualThreadPerTaskExecutor()) {
          executor.submit(() -> {
                  ...
          });
      }  
      

  Some of the quirks of the virtual threads we have discussed previously here and here, but there is one more: you could use them in parallel streams, but should you? The answer is a bit complicated, so referring you to Virtual Threads and Parallel Streams article if you are looking for clarity.

  The JDK tooling (like jcmd and jfr) has been updated to include the information about virtual threads where applicable.

  The jcmd thread dump lists virtual threads that are blocked in network I/O operations and virtual threads that are created by the ExecutorService interface. It does not include object addresses, locks, JNI statistics, heap statistics, and other information that appears in traditional thread dumps (as per Viewing Virtual Threads in jcmd Thread Dumps).

  Java Flight Recorder (JFR) can emit these events related to virtual threads (as per Java Flight Recorder Events for Virtual Threads):

  • jdk.VirtualThreadStart and jdk.VirtualThreadEnd (disabled by default)
  • jdk.VirtualThreadPinned (enabled by default with a threshold of 20 ms)
  • jdk.VirtualThreadSubmitFailed (enabled by default)

  It is worth noting that Oracle has published a comprehesive guide on virtual threads as par of JDK-21 documentation update.

• JEP-449: Deprecate the Windows 32-bit x86 Port for Removal: deprecates the Windows 32-bit x86 port, with the intent to remove it in a future release.

• JEP-451: Prepare to Disallow the Dynamic Loading of Agents: issues warnings when agents are loaded dynamically into a running JVM. These warnings aim to prepare users for a future release which disallows the dynamic loading of agents by default in order to improve integrity by default. Serviceability tools that load agents at startup will not cause warnings to be issued in any release.

  Running with -XX:+EnableDynamicAgentLoading on the command line serves as an explicit "opt-in" that allows agent code to be loaded into a running VM and thus suppresses the warning. Running with -XX:-EnableDynamicAgentLoading disallows agent code from being loaded into a running VM and can be used to test possible future behavior.

  In addition, the system property jdk.instrument.traceUsage can be used to trace uses of the java.lang.instrument API. Running with -Djdk.instrument.traceUsage or -Djdk.instrument.traceUsage=true causes usages of the API to print a trace message and stack trace. This can be used to identify agents that are dynamically loaded instead of being started on the command line with -javaagent.

• JEP-452: Key Encapsulation Mechanism API: introduces an API for key encapsulation mechanisms (KEMs), an encryption technique for securing symmetric keys using public key cryptography. The new APIs are centered around javax.crypto.KEM and javax.crypto.KEMSpi abstractions.

• JEP-430: String Templates (Preview): enhances the Java programming language with string templates. String templates complement Java's existing string literals and text blocks by coupling literal text with embedded expressions and template processors to produce specialized results. This is a preview language feature and API.

• JEP-453: Structured Concurrency (Preview): simplifies concurrent programming by introducing an API for structured concurrency. Structured concurrency treats groups of related tasks running in different threads as a single unit of work, thereby streamlining error handling and cancellation, improving reliability, and enhancing observability. This is a preview language feature and API.

• JEP-443: Unnamed Patterns and Variables (Preview): enhances the Java language with unnamed patterns, which match a record component without stating the component's name or type, and unnamed variables, which can be initialized but not used. Both are denoted by an underscore character, _. This is a preview language feature.

• JEP-445: Unnamed Classes and Instance Main Methods (Preview): evolves the Java language so that students can write their first programs without needing to understand language features designed for large programs. Far from using a separate dialect of Java, students can write streamlined declarations for single-class programs and then seamlessly expand their programs to use more advanced features as their skills grow. This is a preview language feature.

• JEP-446: Scoped Values (Preview): introduces scoped values, values that may be safely and efficiently shared to methods without using method parameters. They are preferred to thread-local variables, especially when using large numbers of virtual threads. This is a preview language API.

  In effect, a scoped value is an implicit method parameter. It is "as if" every method in a sequence of calls has an additional, invisible, parameter. None of the methods declare this parameter and only the methods that have access to the scoped value object can access its value (the data). Scoped values make it possible to pass data securely from a caller to a faraway callee through a sequence of intermediate methods that do not declare a parameter for the data and have no access to the data.

• JEP-442: Foreign Function & Memory API (3rd Preview): introduces an API by which Java programs can interoperate with code and data outside of the Java runtime. By efficiently invoking foreign functions (i.e., code outside the JVM), and by safely accessing foreign memory (i.e., memory not managed by the JVM), the API enables Java programs to call native libraries and process native data without the brittleness and danger of JNI. This is a preview language API.

• JEP-448: Vector API (6th Incubator): introduces an API to express vector computations that reliably compile at runtime to optimal vector instructions on supported CPU architectures, thus achieving performance superior to equivalent scalar computations.

Those JEPs are the themes of JDK-21 but what other features are coming? There are quite a few to unpack to be fair.

• JDK-8296344: Remove Dependency on G1 for Writing the CDS Archive Heap: in previous JDKs, the dumping of the CDS archive heap has complex interactions with G1, however in JDK-21 those have been removed. That also makes it possible to dump the archive heap with non-G1 collectors.

• JDK-8298048: Combine CDS Archive Heap into a Single Block: combines all objects in the CDS archive heap into a single, contiguous block.

• JDK-8296263: Uniform APIs for Using Archived Heap Regions: replaces two different mechanisms that existed for using archived heap regions stored in a CDS archive with unified one to be used for all GC policies.

• JDK-8298966: Deprecate JMX Subject Delegation and the method JMXConnector.getMBeanServerConnection(Subject) for removal: deprecates the Java Management Extension (JMX) Subject Delegation feature for removal in a future release. The feature is enabled by the method getMBeanServerConnection(javax.security.auth.Subject) of the JMXConnector class which will be deprecated for removal.

• JDK-8311073: Note if implicit annotation processing is being used: by default, the long-standing policy is that annotation processing is implicitly enabled. As that policy may change in the future, the users should get some notice they are relying on implicit processing.

• JDK-8303530: Redefine JAXP Configuration File: provides the way to specify the properties file to be used by JAXP factories during the initialization outside of the JDK by specifying jdk.xml.config.file system property.

• JDK-8306703: JFR: Summary views: provides means to visualize aggregated event data from the shell. There are 70 predefined views, such as hot-methods, gc-pauses, pinned-threads, allocation-by-site, gc, memory-leaks-by-class, and more. A list of available views can be found through using jcmd <pid> JFR.view or jfr view <recoding> commands, for example:

  jcmd <pid> JFR.view allocation-by-site
  jcmd <pid> JFR.view hot-methods
  jcmd <pid> JFR.view
  
  jcmd <pid> JFR.view maxage=1h maxsize=2000MB gc-pauses
  jcmd <pid> JFR.view cell-height=3 truncate=beginning width=80 system-processes
  
  jfr view --cell-height 2 FreeMemory <recoding>
  jfr view --verbose gc <recoding>
      

• JDK-8267140: Support closing the HttpClient by making it auto-closable: the HttpClient now implements AutoCloseable and has been enriched with following new methods:

  • void close()

  • void shutdown()

  • void shutdownNow()

  • boolean awaitTermination(Duration duration)

  • boolean isTerminated()

• JDK-8306560: Add TOOLING.jsh load file: adds TOOLING.jsh load file to have better and built-in access for tools shipping with the JDK and their command-line interface. This is truly a gem since it is now possible to run tools provided by the Java Development Kit (JDK) in a JShell session (see please Running JDK Tools within a JShell Session for background).

  $ jshell TOOLING   
  |  Welcome to JShell -- Version 21
  |  For an introduction type: /help intro
  
  jshell> interface Empty {}
  jshell> javap(Empty.class)
    

  The list of available tools could be fetched using tools() method.

  jshell> tools()
  jar
  javac
  javadoc
  javap
  jdeps
  jlink
  jmod
  jpackage
  

• JDK-8015831: Add lint check for calling overridable methods from a constructor: this one was certainly on my wish list for a long time, the javac may issue a warning (new lint warning category this-escape) when detects the calling of the overridable methods in constructors (please check OpenJDK 21 Compiler Warning on Constructor Calling Overridable Methods for more details and excellent examples).

• JDK-8307466: java.time.Instant calculation bug in until and between methods: fixes the implementation of java.time.Instant.until(Temporal endExclusive, TemporalUnit unit) in some cases did not correctly borrow or carry from the nanos to the seconds when computing using ChronoUnit.MILLIS or ChronoUnit.MICROS.

• JDK-8027682: javac wrongly accepts semicolons in package and import decls: disallow extra semicolons between import statements, for example

  	import java.util.Map;;;;
  	import java.util.Set;
  

  will now generate a compiler error (but for backward compatibility, when compiling source versions prior to 21, a warning is generated instead of an error).

• JDK-8026369: javac potentially ambiguous overload warning needs an improved scheme: prior to JDK-21, the javac compiler was omitting some potentially ambiguous overload warnings enabled by the -Xlint:overloads option.

• JDK-8305092: Improve Thread.sleep(millis, nanos) for sub-millisecond granularity: as it says, the Thread.sleep(long millis, int nanos) is now able to perform sub-millisecond sleep.

• JDK-8302659: Modernize Windows native code for NetworkInterface: the change may impact the implementations that lookup of network interfaces by calling NetworkInterace.getByName(String name) method however the display name returned by NetworkInterface.getDisplayName() has not been changed.

• JDK-8300869: Make use of the Double.toString(double) algorithm in java.util.Formatter: replaces java.util.Formatter algorithm to format double and float with a the one used by Double.toString(double d).

• JDK-8205129: Remove java.lang.Compiler: the java.lang.Compiler class was deprecated for removal long time ago and it has been removed in JDK-21.

• JDK-8297295: Remove ThreadGroup.allowThreadSuspension: the method ThreadGroup.allowThreadSuspension was deprecated for removal since JDK-14 and its time has come.

The JDK-21 changeset looks already impressive but ... we are not done yet, let us walk through the standard library changes.

• New interfaces java.lang.constant.ModuleDesc and java.lang.constant.PackageDesc for describing Module and Package constants respectively.

• The com.sun.management.ThreadMXBean interface got one new default method:

  • default long getTotalThreadAllocatedBytes()

• The class java.util.concurrent.DelayQueue overrides:

  • java.util.concurrent.Delayed remove()

• As part of JDK-8301226, the java.lang.Math got new static method family:

  • static double clamp(double value, double min, double max)

  • static float clamp(float value, float min, float max)

  • static int clamp(long value, int min, int max)

  • static long clamp(long value, long min, long max)

• Under the same JDK-8301226 issue, the java.lang.StrictMath has those new methods too:

  • static double clamp(double value, double min, double max)

  • static float clamp(float value, float min, float max)

  • static int clamp(long value, int min, int max)

  • static long clamp(long value, long min, long max)

• In scope of JDK-8302323, the rare addition of the new methods to java.lang.StringBuilder class has happened:

  • StringBuilder repeat(int codePoint, int count)

  • StringBuilder repeat(CharSequence cs, int count)

• And similarly, still under JDK-8302323, to java.lang.StringBuffer class:

  • StringBuffer repeat(int codePoint, int count)

  • StringBuffer repeat(CharSequence cs, int count)

• The java.util.Locale was also refreshed with:

  • static Stream<Locale> availableLocales()

  • static String caseFoldLanguageTag(String languageTag)

• The JDK-8302590 and JDK-8305486 bring improvements to java.lang.String class:

  • int indexOf(int ch, int beginIndex, int endIndex)

  • int indexOf(String str, int beginIndex, int endIndex)

  • String[] splitWithDelimiters(String regex, int limit)

• The JDK-8305486 also touched the java.util.regex.Pattern class:

  • String[] splitWithDelimiters(CharSequence input, int limit)

• Probably the most love in JDK-21 was directed to emojis, with JDK-8303018 adding new emoji properties to java.lang.Character:

  • static boolean isEmoji(int codePoint)

  • static boolean isEmojiComponent(int codePoint)

  • static boolean isEmojiModifier(int codePoint)

  • static boolean isEmojiModifierBase(int codePoint)

  • static boolean isEmojiPresentation(int codePoint)

  • static boolean isExtendedPictographic(int codePoint)

• The java.util.regex.Pattern got some of the emoji share as well in scope of JDK-8305107: one can match characters that have emoji-related properties with the new \p{IsXXX} constructs, for example:

  Pattern.compile("\\p{IsEmoji}").matcher("🉐").matches() 
  

From the security perspective, JDK-21 is pretty packed with enhancements. Some of them we have highlighted above but a few more deserve special mentions (if you need a comprehensive look, please check out JDK 21 Security Enhancements article):

• JDK-8298127: HSS/LMS Signature Verification: implements support for Leighton-Micali Signatures (LMS) as described in RFC-8554. LMS is an approved software signing algorithm for CNSA 2.0, with SHA-256/192 parameters recommended.

• JDK-8288050: Add support of SHA-512/224 and SHA-512/256 to the PBKDF2 and PBES2 impls in SunJCE provider: the SunJCE provider is enhanced with additional PBES2 Cipher and Mac algorithms, such as those using SHA-512/224 and SHA-512/256 message digests.

• JDK-8301553: Support Password-Based Cryptography in SunPKCS11: supports an initial set of Password-Based Cryptography algorithms in the SunPKCS11 security provider.

• JDK-8305091: Change ChaCha20 cipher init behavior to match AES-GCM: allows ChaCha20 decrypt-mode Cipher objects to reuse the key and nonce, conforming to the same rules that AES-GCM does.

• JDK-8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts: delivers an enhanced syntax for properties related to certificate, CRL, and OCSP connect and read timeouts. The new system properties com.sun.security.ocsp.readtimeout, com.sun.security.cert.timeout and com.sun.security.cert.readtimeout have been introduced to control this behavior.

From all perspectives, JDK-21 looks like the release worth migrating to (it is supposed to be LTS), despite the fact there are unforeseen delays announced by some vendors.

I 🇺🇦 stand 🇺🇦 with 🇺🇦 Ukraine.