JDK 20 Early-Access Release Notes

This is a draft of the release notes that will accompany JDK 20. The contents are subject to change until release.

Build 9

New Implementation Note for LoginModule on Removing Null From a Principals or Credentials Set (JDK-8282730)

security-libs/javax.security

The Set implementation that holds principals and credentials in a JAAS Subject prohibits null elements, and any attempt to add, query, or remove a null element will result in a NullPointerException. This is especially important when a LoginModule tries to remove principals or credentials from the subject at the logout phase, but they are null because of a previous failed login. Various JDK LoginModule implementations have been fixed to avoid the exception. An Implementation Note has also been added to the logout() method of the LoginModule interface. Developers should verify and, if necessary, update any custom LoginModule implementations to be compliant with this implementation advice.
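
The following added example (not JDK code) sketches a custom LoginModule whose logout() stays safe after a failed login by checking its fields for null before removing them from the Subject. The class name DemoLoginModule, the "fail" option and the principal and credential values are hypothetical and constructed for illustration.

```java
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

// Hypothetical module for illustration; class, option and user names are constructed.
public class DemoLoginModule implements LoginModule {
    private Subject subject;
    private Map<String, ?> options;
    private X500Principal principal; // stays null when login() fails
    private char[] secret;           // stays null when login() fails

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s;
        options = opts;
    }
    public boolean login() throws LoginException {
        if ("true".equals(options.get("fail"))) // constructed switch simulating bad credentials
            throw new FailedLoginException("authentication failed");
        principal = new X500Principal("CN=demo-user");
        secret = "constructed-secret".toCharArray();
        return true;
    }
    public boolean commit() {
        if (principal == null) return false; // login() did not succeed; nothing to add
        subject.getPrincipals().add(principal);
        subject.getPrivateCredentials().add(secret);
        return true;
    }
    public boolean abort() {
        boolean hadLogin = principal != null;
        logout();
        return hadLogin;
    }
    public boolean logout() {
        // The Subject's sets throw NullPointerException on remove(null), so guard each field.
        if (principal != null) subject.getPrincipals().remove(principal);
        if (secret != null) {
            subject.getPrivateCredentials().remove(secret);
            Arrays.fill(secret, '\0'); // scrub the credential before dropping the reference
        }
        principal = null;
        secret = null;
        return true;
    }
    public static void main(String[] args) {
        DemoLoginModule m = new DemoLoginModule();
        m.initialize(new Subject(), null, Map.of(), Map.of("fail", "true"));
        try { m.login(); } catch (LoginException e) { System.out.println("login failed: " + e.getMessage()); }
        System.out.println("logout returned: " + m.logout()); // null fields are skipped by the guards
    }
}
```

Removing the two null checks in logout() reproduces the failure the note describes: the call to remove(null) on the Subject's principal set throws NullPointerException.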