8338411: Implement JEP 486: Permanently Disable the Security Manager

Co-authored-by: Sean Mullan <mullan@openjdk.org>
Co-authored-by: Alan Bateman <alanb@openjdk.org>
Co-authored-by: Weijun Wang <weijun@openjdk.org>
Co-authored-by: Aleksei Efimov <aefimov@openjdk.org>
Co-authored-by: Brian Burkhalter <bpb@openjdk.org>
Co-authored-by: Daniel Fuchs <dfuchs@openjdk.org>
Co-authored-by: Harshitha Onkar <honkar@openjdk.org>
Co-authored-by: Joe Wang <joehw@openjdk.org>
Co-authored-by: Jorn Vernee <jvernee@openjdk.org>
Co-authored-by: Justin Lu <jlu@openjdk.org>
Co-authored-by: Kevin Walls <kevinw@openjdk.org>
Co-authored-by: Lance Andersen <lancea@openjdk.org>
Co-authored-by: Naoto Sato <naoto@openjdk.org>
Co-authored-by: Roger Riggs <rriggs@openjdk.org>
Co-authored-by: Brent Christian <bchristi@openjdk.org>
Co-authored-by: Stuart Marks <smarks@openjdk.org>
Co-authored-by: Ian Graves <igraves@openjdk.org>
Co-authored-by: Phil Race <prr@openjdk.org>
Co-authored-by: Erik Gahlin <egahlin@openjdk.org>
Co-authored-by: Jaikiran Pai <jpai@openjdk.org>
Reviewed-by: kevinw, aivanov, rriggs, lancea, coffeys, dfuchs, ihse, erikj, cjplummer, coleenp, naoto, mchung, prr, weijun, joehw, azvegint, psadhukhan, bchristi, sundar, attila

src/java.base/share/classes/java/io/SerializablePermission.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -36,55 +36,9 @@ import java.util.StringTokenizer;
  * no actions list; you either have the named permission
  * or you don't.
  *
- * <P>
- * The target name is the name of the Serializable permission (see below).
- *
- * <P>
- * The following table lists the standard {@code SerializablePermission} target names,
- * and for each provides a description of what the permission allows
- * and a discussion of the risks of granting code the permission.
- *
- * <table class="striped">
- * <caption style="display:none">Permission target name, what the permission allows, and associated risks</caption>
- * <thead>
- * <tr>
- * <th scope="col">Permission Target Name</th>
- * <th scope="col">What the Permission Allows</th>
- * <th scope="col">Risks of Allowing this Permission</th>
- * </tr>
- * </thead>
- * <tbody>
- *
- * <tr>
- *   <th scope="row">enableSubclassImplementation</th>
- *   <td>Subclass implementation of ObjectOutputStream or ObjectInputStream
- * to override the default serialization or deserialization, respectively,
- * of objects</td>
- *   <td>Code can use this to serialize or
- * deserialize classes in a purposefully malfeasant manner. For example,
- * during serialization, malicious code can use this to
- * purposefully store confidential private field data in a way easily accessible
- * to attackers. Or, during deserialization it could, for example, deserialize
- * a class with all its private fields zeroed out.</td>
- * </tr>
- *
- * <tr>
- *   <th scope="row">enableSubstitution</th>
- *   <td>Substitution of one object for another during
- * serialization or deserialization</td>
- *   <td>This is dangerous because malicious code
- * can replace the actual object with one which has incorrect or
- * malignant data.</td>
- * </tr>
- *
- * <tr>
- *   <th scope="row">serialFilter</th>
- *   <td>Setting a filter for ObjectInputStreams.</td>
- *   <td>Code could remove a configured filter and remove protections
- *       already established.</td>
- * </tr>
- * </tbody>
- * </table>
+ * @apiNote
+ * This permission cannot be used for controlling access to resources
+ * as the Security Manager is no longer supported.
  *
  * @see java.security.BasicPermission
  * @see java.security.Permission
@@ -92,7 +46,6 @@ import java.util.StringTokenizer;
  * @see java.security.PermissionCollection
  * @see java.lang.SecurityManager
  *
- *
  * @author Joe Fialli
  * @since 1.2
  */