Remove references to SecurityManager as per #301

Signed-off-by: Arjan Tijms <arjan.tijms@omnifish.ee>

api/src/main/java/jakarta/security/enterprise/identitystore/IdentityStore.java

@@ -1,4 +1,5 @@
 /*
+ * Copyright (c) 2023 Contributors to Eclipse Foundation.
  * Copyright (c) 2015, 2020 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -22,14 +23,13 @@
 import static java.lang.invoke.MethodType.methodType;
 import static java.util.Collections.emptySet;
 
-import java.lang.invoke.MethodHandles;
-import java.util.EnumSet;
-import java.util.Set;
-
 import jakarta.security.auth.message.module.ServerAuthModule;
 import jakarta.security.enterprise.CallerPrincipal;
 import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
 import jakarta.security.enterprise.credential.Credential;
+import java.lang.invoke.MethodHandles;
+import java.util.EnumSet;
+import java.util.Set;
 
 /**
  * <code>IdentityStore</code> is a mechanism for validating a caller's credentials
@@ -93,21 +93,10 @@ default CredentialValidationResult validate(Credential credential) {
     /**
      * Returns groups for the caller, who is identified by the {@link CallerPrincipal}
      * (and potentially other values) found in the {@code validationResult} parameter.
-     * <p>
-     * Callers (i.e., {@link IdentityStoreHandler}s) should have
-     * {@link IdentityStorePermission} permission to invoke this method.
-     * Implementations should check for this permission before doing any work:
-     * <blockquote><pre>{@code
-SecurityManager security = System.getSecurityManager();
-if (security != null) {
-    security.checkPermission(new IdentityStorePermission("getGroups");
-}
-     * }</pre></blockquote>
      *
      * @param validationResult The {@link CredentialValidationResult} returned
      * by a previous call to {@link #validate(Credential)}.
      * @return The {@link Set} of groups found for the caller, if any, or an empty {@link Set} otherwise.
-     * @throws SecurityException May be thrown if the calling code does not have {@link IdentityStorePermission}.
      */
     default Set<String> getCallerGroups(CredentialValidationResult validationResult) {
         return emptySet();

api/src/main/java/jakarta/security/enterprise/identitystore/IdentityStoreHandler.java

@@ -1,4 +1,5 @@
 /*
+ * Copyright (c) 2023 Contributors to Eclipse Foundation.
  * Copyright (c) 2015, 2020 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -33,8 +34,8 @@
  * Beans should inject only this handler, and not {@link IdentityStore}
  * directly, as multiple stores may exist.
  * <p>
- * Implementations of Jakarta Security must supply a default implementation of 
- * {@code IdentityStoreHandler} that behaves as described in the Jakarta Security 
+ * Implementations of Jakarta Security must supply a default implementation of
+ * {@code IdentityStoreHandler} that behaves as described in the Jakarta Security
  * specification document.
  * Applications do not need to supply an {@code IdentityStoreHandler}
  * unless application-specific behavior is desired.
@@ -48,13 +49,6 @@ public interface IdentityStoreHandler {
      * Implementations of this method will typically invoke the {@code validate()}
      * and {@code getCallerGroups()} methods of one or more {@link IdentityStore}s
      * and return an aggregated result.
-     * <p>
-     * Note that the {@link IdentityStore} may check for {@link IdentityStorePermission}
-     * if {@code getCallerGroups()} is called and a {@link SecurityManager} is configured.
-     * (The default built-in stores do perform this check; application-supplied stores
-     * may or may not.) An implementation of this method should therefore invoke
-     * {@code getCallerGroups()} in the context of a {@link java.security.PrivilegedAction},
-     * and arrange to be granted the appropriate {@link IdentityStorePermission} permission.
      *
      * @param credential The credential to validate.
      * @return The validation result.

spec/src/main/asciidoc/identityStore.adoc

@@ -143,17 +143,6 @@ As a result, it is never necessary to call _getCallerGroups()_ when there is onl
 
 Note that _getCallerGroups()_ is not intended as a general purpose API for retrieving user groups. It should be called only by an _IdentityStoreHandler_, in the course of orchestrating a _validate()_ call across multiple identity stores.
 
-Because _getCallerGroups()_ enables its callers to access an external store as a privileged user (i.e., as an LDAP or database user with permission to search the store and retrieve information about arbitrary user accounts), it should be protected against unauthorized access.
-
-Implementors of _getCallerGroups()_ are strongly encouraged to check that the calling context has _IdentityStorePermission_, as shown below, before proceeding. (The built-in identity stores are REQUIRED to do so, see <<Annotations and Built-In IdentityStore Beans>>.)
-
-[source,java]
-----
-SecurityManager securityManager = System.getSecurityManager();
-if (securityManager != null) {
-    securityManager.checkPermission(new IdentityStorePermission("getGroups"));
-}
-----
 
 ==== Declaring Capabilities
 
@@ -215,10 +204,6 @@ The _validate()_ method of the default implementation MUST do the following:
 ** Call the _getCallerGroups()_ method on all available _IdentityStore_ beans that declared _only_ the _PROVIDE_GROUPS_ validation type, in the order induced by the return value of the _getPriority()_ method of each _IdentityStore_, passing in the _CredentialValidationResult_ obtained during the previous phase. Add the groups returned by each call to the set of accumulated groups.
 * Return a new _CredentialValidationResult_ with status _VALID_; the _CallerPrincipal_, _CallerUniqueId_, _CallerDn_, and _IdentityStoreId_ that were returned from the successful _validate()_; and the accumulated collection of groups.
 
-The default _IdentityStoreHandler_ MUST make all calls to _getCallerGroups()_ in the context of a _PrivilegedAction_. Other implementations of _IdentityStoreHandler_ are strongly encouraged to do so as well.
-
-The necessary permission grants (i.e., for _IdentityStorePermission("getGroups")_) should be configured if running with a _SecurityManager_.
-
 See javadoc for additional information.
 
 ==== State
@@ -274,8 +259,6 @@ Each of these beans MUST have the qualifier @Default and the scope @ApplicationS
 
 The built-in identity stores MUST support validating _UsernamePasswordCredential_. They MAY support other credential types, but are NOT REQUIRED to.
 
-The built-in identity stores MUST check whether a _SecurityManager_ is configured, and, if so, check whether the calling context has _IdentityStorePermission_, as described in <<Retrieving Caller Information>> above, before proceeding.
-
 Note that implementations are explicitly NOT REQUIRED to provide an LDAP server or database. The requirement is only to provide _IdentityStore_ implementations that can work with an external LDAP or database server that may be present in the operating environment.
 
 The corresponding annotations are defined as shown in the following sections.

tck/old-tck/source/src/com/sun/ts/lib/util/sec/misc/Launcher.java

@@ -63,28 +63,6 @@ public Launcher() {
 
     // Also set the context class loader for the primordial thread.
     Thread.currentThread().setContextClassLoader(loader);
-
-    // Finally, install a security manager if requested
-    String s = System.getProperty("java.security.manager");
-    if (s != null) {
-      SecurityManager sm = null;
-      if ("".equals(s) || "default".equals(s)) {
-        sm = new java.lang.SecurityManager();
-      } else {
-        try {
-          sm = (SecurityManager) loader.loadClass(s).newInstance();
-        } catch (IllegalAccessException e) {
-        } catch (InstantiationException e) {
-        } catch (ClassNotFoundException e) {
-        } catch (ClassCastException e) {
-        }
-      }
-      if (sm != null) {
-        System.setSecurityManager(sm);
-      } else {
-        throw new InternalError("Could not create SecurityManager: " + s);
-      }
-    }
   }
 
   /*
@@ -172,16 +150,8 @@ public Object run() {
     /**
      * Override loadClass so we can checkPackageAccess.
      */
-    public synchronized Class loadClass(String name, boolean resolve)
-        throws ClassNotFoundException {
-      int i = name.lastIndexOf('.');
-      if (i != -1) {
-        SecurityManager sm = System.getSecurityManager();
-        if (sm != null) {
-          sm.checkPackageAccess(name.substring(0, i));
-        }
-      }
-      return (super.loadClass(name, resolve));
+    public synchronized Class loadClass(String name, boolean resolve) throws ClassNotFoundException {
+      return super.loadClass(name, resolve);
     }
 
     /**

tck/old-tck/source/src/com/sun/ts/lib/util/sec/misc/URLClassPath.java

@@ -418,32 +418,6 @@ public URL checkURL(URL url) {
    * failure. Called internally within this file.
    */
   static void check(URL url) throws IOException {
-    SecurityManager security = System.getSecurityManager();
-    if (security != null) {
-      URLConnection urlConnection = url.openConnection();
-      Permission perm = urlConnection.getPermission();
-      if (perm != null) {
-        try {
-          security.checkPermission(perm);
-        } catch (SecurityException se) {
-          // fallback to checkRead/checkConnect for pre 1.2
-          // security managers
-          if ((perm instanceof java.io.FilePermission)
-              && perm.getActions().indexOf("read") != -1) {
-            security.checkRead(perm.getName());
-          } else if ((perm instanceof java.net.SocketPermission)
-              && perm.getActions().indexOf("connect") != -1) {
-            URL locUrl = url;
-            if (urlConnection instanceof JarURLConnection) {
-              locUrl = ((JarURLConnection) urlConnection).getJarFileURL();
-            }
-            security.checkConnect(locUrl.getHost(), locUrl.getPort());
-          } else {
-            throw se;
-          }
-        }
-      }
-    }
   }
 
   /**

tck/old-tck/source/src/com/sun/ts/tests/securityapi/idstore/customhandler/Client.java

@@ -70,8 +70,8 @@ public void setup(String[] args, Properties p) throws Fault {
    *
    * @test_Strategy:
    * 
-   * Test applications can also supply their own implementation. And given
-   * IdentityStorePermission. Implement 1 IdentityStoreHandler, if all
+   * Test applications can also supply their own implementation. 
+   * Implement 1 IdentityStoreHandler, if all
    * validation is true, then all the groups in which PROVIDE_GROUP is
    * specified. Meanwhile, one extra groupo "customIdentiyStoreHandler" would be
    * added in the groupset. If any validation is false, return INVALID