apache · arturobernalg · Oct 11, 2025 · Oct 11, 2025
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -17,6 +17,19 @@ specific language governing permissions and limitations
 under the License.
 -->
 
+
+**2025-10-11 Juan Pablo Santos (abernal AT apache DOT org)**
+
+* _3.0.0-git-03_
+
+  * Security / API cleanup
+    * Remove the Security Manager–dependent Session#doPrivileged from jspwiki-api.
+    * Replace the only usage with Subject.doAsPrivileged in DefaultAuthorizationManager; behavior unchanged.
+    * Keep policy checks: global via AccessController, local via LocalPolicy. 
+    * Rationale: Security Manager is deprecated/disabled on modern JDKs; simplify 3.0 before release. 
+    * Migration: use Subject.doAs( session.getSubject(), action ) (or Subject.doAsPrivileged) in custom code.
+
+
 **2025-09-30  Juan Pablo Santos (juanpablo AT apache DOT org)**
 
 * _3.0.0-git-02_

diff --git a/jspwiki-api/src/main/java/org/apache/wiki/api/Release.java b/jspwiki-api/src/main/java/org/apache/wiki/api/Release.java
@@ -69,7 +69,7 @@ public final class Release {
      *  <p>
      *  If the build identifier is empty, it is not added.
      */
-    public static final String     BUILD         = "02";
+    public static final String     BUILD         = "03";
 
     /**
      *  This is the generic version string you should use when printing out the version.  It is of

diff --git a/jspwiki-api/src/main/java/org/apache/wiki/api/core/Session.java b/jspwiki-api/src/main/java/org/apache/wiki/api/core/Session.java
@@ -237,18 +237,4 @@ public interface Session extends WikiEventListener {
      */
     Subject getSubject();
 
-    /**
-     * Wrapper for {@link Subject#doAsPrivileged(Subject, PrivilegedAction, java.security.AccessControlContext)}
-     * that executes an action with the privileges possessed by a Session's Subject. The action executes with a <code>null</code>
-     * AccessControlContext, which has the effect of running it "cleanly" without the AccessControlContexts of the caller.
-     *
-     * @param session the wiki session
-     * @param action the privileged action
-     * @return the result of the privileged action; may be <code>null</code>
-     * @throws java.security.AccessControlException if the action is not permitted by the security policy
-     */
-    static Object doPrivileged( final Session session, final PrivilegedAction<?> action ) throws AccessControlException {
-        return Subject.doAsPrivileged( session.getSubject(), action, null );
-    }
-
 }
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultAuthorizationManager.java b/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultAuthorizationManager.java
@@ -47,6 +47,7 @@ Licensed to the Apache Software Foundation (ASF) under one
 import org.freshcookies.security.policy.LocalPolicy;
 
 import jakarta.servlet.http.HttpServletResponse;
+import javax.security.auth.Subject;
 import java.io.File;
 import java.io.IOException;
 import java.net.URL;
@@ -310,7 +311,7 @@ public boolean allowedByLocalPolicy( final Principal[] principals, final Permiss
     /** {@inheritDoc} */
     @Override
     public boolean checkStaticPermission( final Session session, final Permission permission ) {
-        return ( Boolean )Session.doPrivileged( session, ( PrivilegedAction< Boolean > )() -> {
+        return ( Boolean )Subject.doAsPrivileged( session.getSubject(), ( PrivilegedAction< Boolean > )() -> {
             try {
                 // Check the JVM-wide security policy first
                 AccessController.checkPermission( permission );
@@ -324,7 +325,7 @@ public boolean checkStaticPermission( final Session session, final Permission pe
                 return Boolean.TRUE;
             }
             return Boolean.FALSE;
-        } );
+        }, null );
     }
 
     /** {@inheritDoc} */