Quality Outreach Heads-up - JDK 20: Deprecate URL Public Constructors

The OpenJDK Quality Group is promoting the testing of FOSS projects with OpenJDK builds as a way to improve the overall quality of the release. This heads-up is part of a regular communication sent to the projects involved. To learn more about the program, and how to join, please check here.

JDK 20 - Deprecate URL Public Constructors

The java.net.URL class, dating from Java SE 1.0, does not encode or decode any URL components according to the RFC 2396 escaping mechanism. It is the responsibility of the caller to encode any fields that need to be escaped before calling URL, and to decode any escaped fields that are returned from URL. This has led to many usability issues, including some potential vulnerabilities when the calling code did not take this into consideration.

In Java SE 1.4, the java.net.URI class was added to mitigate some of the java.net.URL shortcomings. It also offers methods to create a URL from a URI.

JDK 20 will deprecate all public constructors of java.net.URL. This will provide a strong warning and discourage developers from using them. To construct a URL, the URI::toURL alternative should be preferred instead. To construct a file:-based URL, Path::toURI should be used prior to URI::toURL.

For more details, please check JDK-8294241.
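The migration described above, as an added example that is not part of the original heads-up or of the JDK sources. The class name, method names, host and file names are constructed for illustration; the input string deliberately contains unescaped spaces to show how each API treats them.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.file.Path;

class UrlMigrationDemo {
    // Constructed sample input: a space is not legal in a URL path or query.
    static final String RAW = "https://example.com/reports/q1 summary.pdf?user=a b";

    @SuppressWarnings("deprecation") // the deprecated constructor, shown for contrast
    static URL legacy(String spec) throws MalformedURLException {
        return new URL(spec); // accepted as-is: no validation, no escaping
    }

    // Preferred form: URI parses strictly and rejects unescaped illegal characters.
    static URL strict(String spec) throws URISyntaxException, MalformedURLException {
        return new URI(spec).toURL();
    }

    // When components arrive as separate inputs, the multi-argument URI
    // constructor quotes illegal characters in each component.
    static URL fromParts(String host, String path, String query)
            throws URISyntaxException, MalformedURLException {
        return new URI("https", host, path, query, null).toURL();
    }

    public static void main(String[] args) throws Exception {
        // URL hands the unescaped path straight back to the caller.
        System.out.println("legacy path : " + legacy(RAW).getPath());
        try {
            strict(RAW);
        } catch (URISyntaxException e) {
            System.out.println("URI rejects : " + e.getMessage());
        }
        URL built = fromParts("example.com", "/reports/q1 summary.pdf", "user=a b");
        System.out.println("from parts  : " + built);
        // URL never decodes; URI exposes both the raw and the decoded form.
        URI uri = built.toURI();
        System.out.println("raw|decoded : " + uri.getRawPath() + " | " + uri.getPath());
        // file: URLs: Path::toUri escapes the file name before URI::toURL.
        System.out.println("file URL    : " + Path.of("my report.txt").toUri().toURL());
    }
}
```

Failing closed on a URISyntaxException is the safer default for untrusted input; use the multi-argument constructor only when the components are known to be unescaped.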
