Peter Firmstone

Featured Author

I'm a family man who lives in Australia, we own and operate a small engineering company.

Promoted Content

Step up your coding with the Continuous Feedback Udemy Course: Additional coupons are available

What do you know about the code changes that were just introduced into the codebase? When will you notice if something goes wrong?

Stable, Secure, and Affordable Java

Azul Platform Core is the #1 Oracle Java alternative, offering OpenJDK support for more versions (including Java 6 & 7) and more configurations for the greatest business value and lowest TCO.

Jakarta EE 11: Beyond the Era of Java EE

This user guide provides a brief history of Java EE/Jakarta EE and a detailed overview of some of the specifications that will be updated in Jakarta EE 11.

Likes 0

Comments 4

Shares 0

Articles 2

Views 16,0K

JEP 411: What it Means for Java’s Security Model and Why You Should Apply the Principle of Least Privilege

Java, like most platforms or languages has layers of security. This article intends to look at Java's Authorization layer, which is unlike in other languages. We will also distinguish between two different ways this layer is typically utilized and why one is effective while the other isn't. Furthermore, we investigate why JEP 411 only considers the least effective method and hopefully we will increase awareness of the Principle of Least Privilege as it is applied to Java Authorization, improve adoption and encourage people to take advantage of the improved security it provides. We hope to prolong its support and possibly even improve it in future.

Jun 03 8,9K

Peter Firmstone

JEPs

Security

The Principle of Least Privilege and How JEP 411 Will Have a Negative Impact on Java Security

The SecurityManager and associated infrastructure are the foundations upon which to build secure software, but by themselves are insufficient for limiting users and Java software to the principles of least privilege.

JEP 411 removes the SecurityManager and AccessController.

In doing so, your library code will be able to run with the full permissions of its Java process, which is the same as running with none of the permission checks that were used to harden Java’s API.

If an attacker breaks into your Java process via some other vulnerability, they will be able to load their own byte codes, and pretty much do whatever the process permissions permits them and possibly more if your system has other vulnerabilities.

May 22 7,1K

Peter Firmstone

Security

JEPs

Retweet on Twitter Foojay.io Retweeted

If you want to know what I spoke about in @jcon_conference in Germany, here's an interview I did at the @foojayio podcast:

#Java #JCON #JakartaEE #AI #A2A

02:06 PM · May 04, 2026

Retweet on Twitter Foojay.io Retweeted

Our team loves to meet and talk with the Java community from around the world. If you want to learn more. You can find all OmniFish presentations at: https://speakerdeck.com/omnifish, including links to the source code of related demos. Or get in touch for a free consultation call.

10:13 AM · April 30, 2026

Retweet on Twitter Foojay.io Retweeted

Another happy customer :)
"Their expertise and flexible hands-on troubleshooting support accelerated resolution of several unexpected hurdles and ultimately got us to a successful upgrade outcome."

If you would like to discuss how we could help your company, get in touch.

09:55 AM · April 21, 2026