diff --git a/src/java.base/share/classes/com/sun/security/ntlm/NTLM.java b/src/java.base/share/classes/com/sun/security/ntlm/NTLM.java
index 241756b69e2..7413abf5da4 100644
--- a/src/java.base/share/classes/com/sun/security/ntlm/NTLM.java
+++ b/src/java.base/share/classes/com/sun/security/ntlm/NTLM.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,8 +25,6 @@
 
 package com.sun.security.ntlm;
 
-import sun.security.action.GetBooleanAction;
-
 import static com.sun.security.ntlm.Version.*;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
@@ -57,8 +55,7 @@ class NTLM {
     private final MessageDigest md4;
     private final Mac hmac;
     private final MessageDigest md5;
-    private static final boolean DEBUG
-            = GetBooleanAction.privilegedGetProperty("ntlm.debug");
+    private static final boolean DEBUG = Boolean.getBoolean("ntlm.debug");
 
     final Version v;
 
diff --git a/src/java.base/share/classes/javax/security/auth/Subject.java b/src/java.base/share/classes/javax/security/auth/Subject.java
index 303abe49538..97ab672e1cc 100644
--- a/src/java.base/share/classes/javax/security/auth/Subject.java
+++ b/src/java.base/share/classes/javax/security/auth/Subject.java
@@ -237,12 +237,6 @@ public final class Subject implements java.io.Serializable {
      * it can not be reset to being writable again.
      */
     public void setReadOnly() {
-        @SuppressWarnings("removal")
-        java.lang.SecurityManager sm = System.getSecurityManager();
-        if (sm != null) {
-            sm.checkPermission(AuthPermissionHolder.SET_READ_ONLY_PERMISSION);
-        }
-
         this.readOnly = true;
     }
 
@@ -305,7 +299,6 @@ public final class Subject implements java.io.Serializable {
      * @see #callAs(Subject, Callable)
      * @since 18
      */
-    @SuppressWarnings("removal")
     public static Subject current() {
         return SCOPED_SUBJECT.orElse(null);
     }
@@ -375,16 +368,10 @@ public final class Subject implements java.io.Serializable {
      *
      * @see #callAs(Subject, Callable)
      */
-    @SuppressWarnings("removal")
     @Deprecated(since="18", forRemoval=true)
     public static <T> T doAs(final Subject subject,
                         final java.security.PrivilegedAction<T> action) {
 
-        java.lang.SecurityManager sm = System.getSecurityManager();
-        if (sm != null) {
-            sm.checkPermission(AuthPermissionHolder.DO_AS_PERMISSION);
-        }
-
         Objects.requireNonNull(action,
                 ResourcesMgr.getString("invalid.null.action.provided"));
 
@@ -441,17 +428,11 @@ public final class Subject implements java.io.Serializable {
      *
      * @see #callAs(Subject, Callable)
      */
-    @SuppressWarnings("removal")
     @Deprecated(since="18", forRemoval=true)
     public static <T> T doAs(final Subject subject,
                         final java.security.PrivilegedExceptionAction<T> action)
                         throws java.security.PrivilegedActionException {
 
-        java.lang.SecurityManager sm = System.getSecurityManager();
-        if (sm != null) {
-            sm.checkPermission(AuthPermissionHolder.DO_AS_PERMISSION);
-        }
-
         Objects.requireNonNull(action,
                 ResourcesMgr.getString("invalid.null.action.provided"));
 
@@ -514,11 +495,6 @@ public final class Subject implements java.io.Serializable {
                         final java.security.PrivilegedAction<T> action,
                         final java.security.AccessControlContext acc) {
 
-        java.lang.SecurityManager sm = System.getSecurityManager();
-        if (sm != null) {
-            sm.checkPermission(AuthPermissionHolder.DO_AS_PRIVILEGED_PERMISSION);
-        }
-
         Objects.requireNonNull(action,
                 ResourcesMgr.getString("invalid.null.action.provided"));
 
@@ -585,11 +561,6 @@ public final class Subject implements java.io.Serializable {
                         final java.security.AccessControlContext acc)
                         throws java.security.PrivilegedActionException {
 
-        java.lang.SecurityManager sm = System.getSecurityManager();
-        if (sm != null) {
-            sm.checkPermission(AuthPermissionHolder.DO_AS_PRIVILEGED_PERMISSION);
-        }
-
         Objects.requireNonNull(action,
                 ResourcesMgr.getString("invalid.null.action.provided"));
 
@@ -609,25 +580,6 @@ public final class Subject implements java.io.Serializable {
         }
     }
 
-    @SuppressWarnings("removal")
-    private static AccessControlContext createContext(final Subject subject,
-                                        final AccessControlContext acc) {
-
-
-        return java.security.AccessController.doPrivileged
-            (new java.security.PrivilegedAction<>() {
-            public AccessControlContext run() {
-                if (subject == null) {
-                    return new AccessControlContext(acc, null);
-                } else {
-                    return new AccessControlContext
-                                        (acc,
-                                        new SubjectDomainCombiner(subject));
-            }
-            }
-        });
-    }
-
     /**
      * Return the {@code Set} of Principals associated with this
      * {@code Subject}.  Each {@code Principal} represents
@@ -713,14 +665,6 @@ public final class Subject implements java.io.Serializable {
      */
     public Set<Object> getPrivateCredentials() {
 
-        // XXX
-        // we do not need a security check for
-        // AuthPermission(getPrivateCredentials)
-        // because we already restrict access to private credentials
-        // via the PrivateCredentialPermission.  all the extra AuthPermission
-        // would do is protect the set operations themselves
-        // (like size()), which don't seem security-sensitive.
-
         // always return an empty Set instead of null
         // so LoginModules can add to the Set if necessary
         return privCredentials;
@@ -782,14 +726,6 @@ public final class Subject implements java.io.Serializable {
      */
     public <T> Set<T> getPrivateCredentials(Class<T> c) {
 
-        // XXX
-        // we do not need a security check for
-        // AuthPermission(getPrivateCredentials)
-        // because we already restrict access to private credentials
-        // via the PrivateCredentialPermission.  all the extra AuthPermission
-        // would do is protect the set operations themselves
-        // (like size()), which don't seem security-sensitive.
-
         Objects.requireNonNull(c,
                 ResourcesMgr.getString("invalid.null.Class.provided"));
 
@@ -857,15 +793,6 @@ public final class Subject implements java.io.Serializable {
      */
     @Override
     public String toString() {
-        return toString(true);
-    }
-
-    /**
-     * package private convenience method to print out the Subject
-     * without firing off a security check when trying to access
-     * the Private Credentials
-     */
-    String toString(boolean includePrivateCredentials) {
 
         String s = ResourcesMgr.getString("Subject.");
         String suffix = "";
@@ -885,21 +812,19 @@ public final class Subject implements java.io.Serializable {
             }
         }
 
-        if (includePrivateCredentials) {
-            synchronized(privCredentials) {
-                Iterator<Object> pI = privCredentials.iterator();
-                while (pI.hasNext()) {
-                    try {
-                        Object o = pI.next();
-                        suffix += ResourcesMgr.getString
-                                        (".Private.Credential.") +
-                                        o.toString() +
-                                        ResourcesMgr.getString("NEWLINE");
-                    } catch (SecurityException se) {
-                        suffix += ResourcesMgr.getString
-                                (".Private.Credential.inaccessible.");
-                        break;
-                    }
+        synchronized(privCredentials) {
+            Iterator<Object> pI = privCredentials.iterator();
+            while (pI.hasNext()) {
+                try {
+                    Object o = pI.next();
+                    suffix += ResourcesMgr.getString
+                                    (".Private.Credential.") +
+                                    o.toString() +
+                                    ResourcesMgr.getString("NEWLINE");
+                } catch (SecurityException se) {
+                    suffix += ResourcesMgr.getString
+                            (".Private.Credential.inaccessible.");
+                    break;
                 }
             }
         }
@@ -1091,22 +1016,6 @@ public final class Subject implements java.io.Serializable {
                 }
 
                 public E next() {
-                    if (which != Subject.PRIV_CREDENTIAL_SET) {
-                        return i.next();
-                    }
-
-                    @SuppressWarnings("removal")
-                    SecurityManager sm = System.getSecurityManager();
-                    if (sm != null) {
-                        try {
-                            sm.checkPermission(new PrivateCredentialPermission
-                                (list.get(i.nextIndex()).getClass().getName(),
-                                subject.getPrincipals()));
-                        } catch (SecurityException se) {
-                            i.next();
-                            throw (se);
-                        }
-                    }
                     return i.next();
                 }
 
@@ -1117,21 +1026,6 @@ public final class Subject implements java.io.Serializable {
                                 ("Subject.is.read.only"));
                     }
 
-                    @SuppressWarnings("removal")
-                    java.lang.SecurityManager sm = System.getSecurityManager();
-                    if (sm != null) {
-                        switch (which) {
-                        case Subject.PRINCIPAL_SET:
-                            sm.checkPermission(AuthPermissionHolder.MODIFY_PRINCIPALS_PERMISSION);
-                            break;
-                        case Subject.PUB_CREDENTIAL_SET:
-                            sm.checkPermission(AuthPermissionHolder.MODIFY_PUBLIC_CREDENTIALS_PERMISSION);
-                            break;
-                        default:
-                            sm.checkPermission(AuthPermissionHolder.MODIFY_PRIVATE_CREDENTIALS_PERMISSION);
-                            break;
-                        }
-                    }
                     i.remove();
                 }
             };
@@ -1147,22 +1041,6 @@ public final class Subject implements java.io.Serializable {
                         (ResourcesMgr.getString("Subject.is.read.only"));
             }
 
-            @SuppressWarnings("removal")
-            java.lang.SecurityManager sm = System.getSecurityManager();
-            if (sm != null) {
-                switch (which) {
-                case Subject.PRINCIPAL_SET:
-                    sm.checkPermission(AuthPermissionHolder.MODIFY_PRINCIPALS_PERMISSION);
-                    break;
-                case Subject.PUB_CREDENTIAL_SET:
-                    sm.checkPermission(AuthPermissionHolder.MODIFY_PUBLIC_CREDENTIALS_PERMISSION);
-                    break;
-                default:
-                    sm.checkPermission(AuthPermissionHolder.MODIFY_PRIVATE_CREDENTIALS_PERMISSION);
-                    break;
-                }
-            }
-
             switch (which) {
             case Subject.PRINCIPAL_SET:
                 if (!(o instanceof Principal)) {
@@ -1180,10 +1058,9 @@ public final class Subject implements java.io.Serializable {
                 return elements.add(o);
             else {
                 return false;
-        }
+            }
         }
 
-        @SuppressWarnings("removal")
         public boolean remove(Object o) {
 
             Objects.requireNonNull(o,
@@ -1191,17 +1068,7 @@ public final class Subject implements java.io.Serializable {
 
             final Iterator<E> e = iterator();
             while (e.hasNext()) {
-                E next;
-                if (which != Subject.PRIV_CREDENTIAL_SET) {
-                    next = e.next();
-                } else {
-                    next = java.security.AccessController.doPrivileged
-                        (new java.security.PrivilegedAction<E>() {
-                        public E run() {
-                            return e.next();
-                        }
-                    });
-                }
+                E next = e.next();
 
                 if (next.equals(o)) {
                     e.remove();
@@ -1211,7 +1078,6 @@ public final class Subject implements java.io.Serializable {
             return false;
         }
 
-        @SuppressWarnings("removal")
         public boolean contains(Object o) {
 
             Objects.requireNonNull(o,
@@ -1219,30 +1085,7 @@ public final class Subject implements java.io.Serializable {
 
             final Iterator<E> e = iterator();
             while (e.hasNext()) {
-                E next;
-                if (which != Subject.PRIV_CREDENTIAL_SET) {
-                    next = e.next();
-                } else {
-
-                    // For private credentials:
-                    // If the caller does not have read permission
-                    // for o.getClass(), we throw a SecurityException.
-                    // Otherwise, we check the private cred set to see whether
-                    // it contains the Object
-
-                    SecurityManager sm = System.getSecurityManager();
-                    if (sm != null) {
-                        sm.checkPermission(new PrivateCredentialPermission
-                                                (o.getClass().getName(),
-                                                subject.getPrincipals()));
-                    }
-                    next = java.security.AccessController.doPrivileged
-                        (new java.security.PrivilegedAction<E>() {
-                        public E run() {
-                            return e.next();
-                        }
-                    });
-                }
+                E next = e.next();
 
                 if (next.equals(o)) {
                     return true;
@@ -1263,24 +1106,13 @@ public final class Subject implements java.io.Serializable {
             return result;
         }
 
-        @SuppressWarnings("removal")
         public boolean removeAll(Collection<?> c) {
             c = collectionNullClean(c);
 
             boolean modified = false;
             final Iterator<E> e = iterator();
             while (e.hasNext()) {
-                E next;
-                if (which != Subject.PRIV_CREDENTIAL_SET) {
-                    next = e.next();
-                } else {
-                    next = java.security.AccessController.doPrivileged
-                        (new java.security.PrivilegedAction<E>() {
-                        public E run() {
-                            return e.next();
-                        }
-                    });
-                }
+                E next = e.next();
 
                 for (Object o : c) {
                     if (next.equals(o)) {
@@ -1305,24 +1137,13 @@ public final class Subject implements java.io.Serializable {
             return true;
         }
 
-        @SuppressWarnings("removal")
         public boolean retainAll(Collection<?> c) {
             c = collectionNullClean(c);
 
             boolean modified = false;
             final Iterator<E> e = iterator();
             while (e.hasNext()) {
-                E next;
-                if (which != Subject.PRIV_CREDENTIAL_SET) {
-                    next = e.next();
-                } else {
-                    next = java.security.AccessController.doPrivileged
-                        (new java.security.PrivilegedAction<E>() {
-                        public E run() {
-                            return e.next();
-                        }
-                    });
-                }
+                E next = e.next();
 
                 if (c.contains(next) == false) {
                     e.remove();
@@ -1333,21 +1154,10 @@ public final class Subject implements java.io.Serializable {
             return modified;
         }
 
-        @SuppressWarnings("removal")
         public void clear() {
             final Iterator<E> e = iterator();
             while (e.hasNext()) {
-                E next;
-                if (which != Subject.PRIV_CREDENTIAL_SET) {
-                    next = e.next();
-                } else {
-                    next = java.security.AccessController.doPrivileged
-                        (new java.security.PrivilegedAction<E>() {
-                        public E run() {
-                            return e.next();
-                        }
-                    });
-                }
+                E next = e.next();
                 e.remove();
             }
         }
@@ -1357,30 +1167,10 @@ public final class Subject implements java.io.Serializable {
         }
 
         public Object[] toArray() {
-            final Iterator<E> e = iterator();
-            while (e.hasNext()) {
-                // The next() method performs a security manager check
-                // on each element in the SecureSet.  If we make it all
-                // the way through we should be able to simply return
-                // element's toArray results.  Otherwise, we'll let
-                // the SecurityException pass up the call stack.
-                e.next();
-            }
-
             return elements.toArray();
         }
 
         public <T> T[] toArray(T[] a) {
-            final Iterator<E> e = iterator();
-            while (e.hasNext()) {
-                // The next() method performs a security manager check
-                // on each element in the SecureSet.  If we make it all
-                // the way through we should be able to simply return
-                // element's toArray results.  Otherwise, we'll let
-                // the SecurityException pass up the call stack.
-                e.next();
-            }
-
             return elements.toArray(a);
         }
 
@@ -1425,13 +1215,6 @@ public final class Subject implements java.io.Serializable {
         private void writeObject(java.io.ObjectOutputStream oos)
                 throws java.io.IOException {
 
-            if (which == Subject.PRIV_CREDENTIAL_SET) {
-                // check permissions before serializing
-                Iterator<E> i = iterator();
-                while (i.hasNext()) {
-                    i.next();
-                }
-            }
             ObjectOutputStream.PutField fields = oos.putFields();
             fields.put("this$0", subject);
             fields.put("elements", elements);
@@ -1490,7 +1273,7 @@ public final class Subject implements java.io.Serializable {
             }
         }
 
-        @SuppressWarnings({"removal","unchecked"})     /*To suppress warning from line 1374*/
+        @SuppressWarnings("unchecked")
         private void populateSet() {
             final Iterator<?> iterator;
             switch(which) {
@@ -1505,34 +1288,10 @@ public final class Subject implements java.io.Serializable {
                 break;
             }
 
-            // Check whether the caller has permission to get
-            // credentials of Class c
-
             while (iterator.hasNext()) {
-                Object next;
-                if (which == Subject.PRIV_CREDENTIAL_SET) {
-                    next = java.security.AccessController.doPrivileged
-                        (new java.security.PrivilegedAction<>() {
-                        public Object run() {
-                            return iterator.next();
-                        }
-                    });
-                } else {
-                    next = iterator.next();
-                }
+                Object next = iterator.next();
                 if (c.isAssignableFrom(next.getClass())) {
-                    if (which != Subject.PRIV_CREDENTIAL_SET) {
-                        set.add((T)next);
-                    } else {
-                        // Check permission for private creds
-                        SecurityManager sm = System.getSecurityManager();
-                        if (sm != null) {
-                            sm.checkPermission(new PrivateCredentialPermission
-                                                (next.getClass().getName(),
-                                                Subject.this.getPrincipals()));
-                        }
-                        set.add((T)next);
-                    }
+                    set.add((T)next);
                 }
             }
         }
@@ -1560,27 +1319,4 @@ public final class Subject implements java.io.Serializable {
             return set.add(o);
         }
     }
-
-    static final class AuthPermissionHolder {
-        static final AuthPermission DO_AS_PERMISSION =
-            new AuthPermission("doAs");
-
-        static final AuthPermission DO_AS_PRIVILEGED_PERMISSION =
-            new AuthPermission("doAsPrivileged");
-
-        static final AuthPermission SET_READ_ONLY_PERMISSION =
-            new AuthPermission("setReadOnly");
-
-        static final AuthPermission GET_SUBJECT_PERMISSION =
-            new AuthPermission("getSubject");
-
-        static final AuthPermission MODIFY_PRINCIPALS_PERMISSION =
-            new AuthPermission("modifyPrincipals");
-
-        static final AuthPermission MODIFY_PUBLIC_CREDENTIALS_PERMISSION =
-            new AuthPermission("modifyPublicCredentials");
-
-        static final AuthPermission MODIFY_PRIVATE_CREDENTIALS_PERMISSION =
-            new AuthPermission("modifyPrivateCredentials");
-    }
 }
diff --git a/src/java.base/share/classes/javax/security/auth/SubjectDomainCombiner.java b/src/java.base/share/classes/javax/security/auth/SubjectDomainCombiner.java
index 222976051c8..bab2c5b9da9 100644
--- a/src/java.base/share/classes/javax/security/auth/SubjectDomainCombiner.java
+++ b/src/java.base/share/classes/javax/security/auth/SubjectDomainCombiner.java
@@ -25,9 +25,7 @@
 
 package javax.security.auth;
 
-import java.security.AccessController;
 import java.security.Principal;
-import java.security.PrivilegedAction;
 import java.security.ProtectionDomain;
 import java.util.Set;
 import java.util.WeakHashMap;
@@ -84,11 +82,6 @@ public class SubjectDomainCombiner implements java.security.DomainCombiner {
      *          {@code SubjectDomainCombiner}.
      */
     public Subject getSubject() {
-        java.lang.SecurityManager sm = System.getSecurityManager();
-        if (sm != null) {
-            sm.checkPermission(new AuthPermission
-                ("getSubjectFromDomainCombiner"));
-        }
         return subject;
     }
 
@@ -144,14 +137,7 @@ public class SubjectDomainCombiner implements java.security.DomainCombiner {
             if (subject == null) {
                 debug.println("null subject");
             } else {
-                final Subject s = subject;
-                AccessController.doPrivileged
-                    (new java.security.PrivilegedAction<Void>() {
-                    public Void run() {
-                        debug.println(s.toString());
-                        return null;
-                    }
-                });
+                debug.println(subject.toString());
             }
             printInputDomains(currentDomains, assignedDomains);
         }
@@ -349,11 +335,7 @@ public class SubjectDomainCombiner implements java.security.DomainCombiner {
         if (pd == null) {
             return "null";
         }
-        return AccessController.doPrivileged(new PrivilegedAction<String>() {
-            public String run() {
-                return pd.toString();
-            }
-        });
+        return pd.toString();
     }
 
     /**
diff --git a/src/java.base/share/classes/javax/security/auth/login/Configuration.java b/src/java.base/share/classes/javax/security/auth/login/Configuration.java
index b46a671e6d3..bebf5f6901a 100644
--- a/src/java.base/share/classes/javax/security/auth/login/Configuration.java
+++ b/src/java.base/share/classes/javax/security/auth/login/Configuration.java
@@ -25,12 +25,6 @@
 
 package javax.security.auth.login;
 
-import javax.security.auth.AuthPermission;
-
-import java.security.AccessController;
-import java.security.PrivilegedAction;
-import java.security.PrivilegedExceptionAction;
-import java.security.PrivilegedActionException;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
 import java.security.Provider;
@@ -190,19 +184,6 @@ public abstract class Configuration {
 
     private static Configuration configuration;
 
-    @SuppressWarnings("removal")
-    private final java.security.AccessControlContext acc =
-            java.security.AccessController.getContext();
-
-    private static void checkPermission(String type) {
-        @SuppressWarnings("removal")
-        SecurityManager sm = System.getSecurityManager();
-        if (sm != null) {
-            sm.checkPermission(new AuthPermission
-                                ("createLoginConfiguration." + type));
-        }
-    }
-
     /**
      * Sole constructor.  (For invocation by subclass constructors, typically
      * implicit.)
@@ -219,64 +200,29 @@ public abstract class Configuration {
      *
      * @see #setConfiguration
      */
-    @SuppressWarnings("removal")
     public static Configuration getConfiguration() {
 
-        SecurityManager sm = System.getSecurityManager();
-        if (sm != null)
-            sm.checkPermission(new AuthPermission("getLoginConfiguration"));
-
         synchronized (Configuration.class) {
             if (configuration == null) {
-                String config_class = null;
-                config_class = AccessController.doPrivileged
-                    (new PrivilegedAction<>() {
-                    public String run() {
-                        return java.security.Security.getProperty
-                                    ("login.configuration.provider");
-                    }
-                });
+                String config_class = Security.getProperty
+                            ("login.configuration.provider");
                 if (config_class == null) {
                     config_class = "sun.security.provider.ConfigFile";
                 }
 
                 try {
-                    final String finalClass = config_class;
-                    Configuration untrustedImpl = AccessController.doPrivileged(
-                            new PrivilegedExceptionAction<>() {
-                                public Configuration run() throws ClassNotFoundException,
-                                        InstantiationException,
-                                        IllegalAccessException {
-                                    Class<? extends Configuration> implClass = Class.forName(
-                                            finalClass, false,
-                                            Thread.currentThread().getContextClassLoader()
-                                    ).asSubclass(Configuration.class);
-                                    @SuppressWarnings("deprecation")
-                                    Configuration result = implClass.newInstance();
-                                    return result;
-                                }
-                            });
-                    AccessController.doPrivileged(
-                            new PrivilegedExceptionAction<>() {
-                                public Void run() {
-                                    setConfiguration(untrustedImpl);
-                                    return null;
-                                }
-                            }, Objects.requireNonNull(untrustedImpl.acc)
-                    );
-                } catch (PrivilegedActionException e) {
-                    Exception ee = e.getException();
-                    if (ee instanceof InstantiationException) {
-                        throw new SecurityException
-                                    ("Configuration error:" +
-                                     ee.getCause().getMessage() +
-                                     "\n", ee.getCause());
-                    } else {
-                        throw new SecurityException
-                                    ("Configuration error: " +
-                                     ee.toString() +
-                                     "\n", ee);
-                    }
+                    Class<? extends Configuration> implClass = Class.forName(
+                            config_class, false,
+                            Thread.currentThread().getContextClassLoader()
+                    ).asSubclass(Configuration.class);
+                    @SuppressWarnings("deprecation")
+                    Configuration result = implClass.newInstance();
+                    setConfiguration(result);
+                } catch (ReflectiveOperationException e) {
+                    throw new SecurityException
+                                ("Configuration error: " +
+                                 e.toString() +
+                                 "\n", e);
                 }
             }
             return configuration;
@@ -291,10 +237,6 @@ public abstract class Configuration {
      * @see #getConfiguration
      */
     public static void setConfiguration(Configuration configuration) {
-        @SuppressWarnings("removal")
-        SecurityManager sm = System.getSecurityManager();
-        if (sm != null)
-            sm.checkPermission(new AuthPermission("setLoginConfiguration"));
         Configuration.configuration = configuration;
     }
 
@@ -346,7 +288,6 @@ public abstract class Configuration {
                 throws NoSuchAlgorithmException {
 
         Objects.requireNonNull(type, "null type name");
-        checkPermission(type);
         try {
             GetInstance.Instance instance = GetInstance.getInstance
                                                         ("Configuration",
@@ -412,7 +353,6 @@ public abstract class Configuration {
             throw new IllegalArgumentException("missing provider");
         }
 
-        checkPermission(type);
         try {
             GetInstance.Instance instance = GetInstance.getInstance
                                                         ("Configuration",
@@ -473,7 +413,6 @@ public abstract class Configuration {
             throw new IllegalArgumentException("missing provider");
         }
 
-        checkPermission(type);
         try {
             GetInstance.Instance instance = GetInstance.getInstance
                                                         ("Configuration",
diff --git a/src/java.base/share/classes/javax/security/auth/login/LoginContext.java b/src/java.base/share/classes/javax/security/auth/login/LoginContext.java
index 5878da078f6..988379a3c40 100644
--- a/src/java.base/share/classes/javax/security/auth/login/LoginContext.java
+++ b/src/java.base/share/classes/javax/security/auth/login/LoginContext.java
@@ -25,16 +25,13 @@
 
 package javax.security.auth.login;
 
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.Map;
 import java.util.HashMap;
+import java.security.Security;
 import java.text.MessageFormat;
 import javax.security.auth.Subject;
-import javax.security.auth.AuthPermission;
 import javax.security.auth.callback.*;
 import javax.security.auth.spi.LoginModule;
-import java.security.AccessControlContext;
 import java.util.ServiceLoader;
 
 import sun.security.util.PendingException;
@@ -182,8 +179,6 @@ public class LoginContext {
     private final Map<String,?> state = new HashMap<>();
 
     private Configuration config;
-    @SuppressWarnings("removal")
-    private AccessControlContext creatorAcc = null;  // customized config only
     private ModuleInfo[] moduleStack;
     private ClassLoader contextClassLoader = null;
 
@@ -200,38 +195,21 @@ public class LoginContext {
     private static final WeakHashMap<ClassLoader, Set<Provider<LoginModule>>> providersCache =
         new WeakHashMap<>();
 
-    @SuppressWarnings("removal")
     private void init(String name) throws LoginException {
 
-        SecurityManager sm = System.getSecurityManager();
-        if (sm != null && creatorAcc == null) {
-            sm.checkPermission(new AuthPermission
-                                ("createLoginContext." + name));
-        }
-
         if (name == null)
             throw new LoginException
                 (ResourcesMgr.getString("Invalid.null.input.name"));
 
         // get the Configuration
         if (config == null) {
-            config = java.security.AccessController.doPrivileged
-                (new java.security.PrivilegedAction<Configuration>() {
-                public Configuration run() {
-                    return Configuration.getConfiguration();
-                }
-            });
+            config = Configuration.getConfiguration();
         }
 
         // get the LoginModules configured for this application
         AppConfigurationEntry[] entries = config.getAppConfigurationEntry(name);
         if (entries == null) {
 
-            if (sm != null && creatorAcc == null) {
-                sm.checkPermission(new AuthPermission
-                                ("createLoginContext." + OTHER));
-            }
-
             entries = config.getAppConfigurationEntry(OTHER);
             if (entries == null) {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
@@ -251,55 +229,30 @@ public class LoginContext {
                                 null);
         }
 
-        contextClassLoader = java.security.AccessController.doPrivileged
-                (new java.security.PrivilegedAction<ClassLoader>() {
-                public ClassLoader run() {
-                    ClassLoader loader =
-                            Thread.currentThread().getContextClassLoader();
-                    if (loader == null) {
-                        // Don't use bootstrap class loader directly to ensure
-                        // proper package access control!
-                        loader = ClassLoader.getSystemClassLoader();
-                    }
-
-                    return loader;
-                }
-        });
+        ClassLoader loader = Thread.currentThread().getContextClassLoader();
+        if (loader == null) {
+            loader = ClassLoader.getSystemClassLoader();
+        }
+        contextClassLoader = loader;
 
     }
 
-    @SuppressWarnings("removal")
+    @SuppressWarnings("deprecation")
     private void loadDefaultCallbackHandler() throws LoginException {
 
         // get the default handler class
         try {
-
-            final ClassLoader finalLoader = contextClassLoader;
-
-            this.callbackHandler = java.security.AccessController.doPrivileged(
-                new java.security.PrivilegedExceptionAction<CallbackHandler>() {
-                public CallbackHandler run() throws Exception {
-                    String defaultHandler = java.security.Security.getProperty
-                        (DEFAULT_HANDLER);
-                    if (defaultHandler == null || defaultHandler.isEmpty())
-                        return null;
-                    Class<? extends CallbackHandler> c = Class.forName(
-                            defaultHandler, true,
-                            finalLoader).asSubclass(CallbackHandler.class);
-                    @SuppressWarnings("deprecation")
-                    CallbackHandler result = c.newInstance();
-                    return result;
-                }
-            });
-        } catch (java.security.PrivilegedActionException pae) {
-            throw new LoginException(pae.getException().toString());
-        }
-
-        // secure it with the caller's ACC
-        if (this.callbackHandler != null && creatorAcc == null) {
-            this.callbackHandler = new SecureCallbackHandler
-                                (java.security.AccessController.getContext(),
-                                this.callbackHandler);
+            String defaultHandler = Security.getProperty(DEFAULT_HANDLER);
+            if (defaultHandler == null || defaultHandler.isEmpty()) {
+                this.callbackHandler = null;
+            } else {
+                Class<? extends CallbackHandler> c = Class.forName(
+                        defaultHandler, true,
+                        contextClassLoader).asSubclass(CallbackHandler.class);
+                this.callbackHandler = (CallbackHandler) c.newInstance();
+            }
+        } catch (ReflectiveOperationException e) {
+            throw new LoginException(e.toString());
         }
     }
 
@@ -367,16 +320,13 @@ public class LoginContext {
      *          for "{@code other}", or if the caller-specified
      *          {@code callbackHandler} is {@code null}.
      */
-    @SuppressWarnings("removal")
     public LoginContext(String name, CallbackHandler callbackHandler)
     throws LoginException {
         init(name);
         if (callbackHandler == null)
             throw new LoginException(ResourcesMgr.getString
                                 ("invalid.null.CallbackHandler.provided"));
-        this.callbackHandler = new SecureCallbackHandler
-                                (java.security.AccessController.getContext(),
-                                callbackHandler);
+        this.callbackHandler = callbackHandler;
     }
 
     /**
@@ -400,16 +350,13 @@ public class LoginContext {
      *          or if the caller-specified
      *          {@code callbackHandler} is {@code null}.
      */
-    @SuppressWarnings("removal")
     public LoginContext(String name, Subject subject,
                         CallbackHandler callbackHandler) throws LoginException {
         this(name, subject);
         if (callbackHandler == null)
             throw new LoginException(ResourcesMgr.getString
                                 ("invalid.null.CallbackHandler.provided"));
-        this.callbackHandler = new SecureCallbackHandler
-                                (java.security.AccessController.getContext(),
-                                callbackHandler);
+        this.callbackHandler = callbackHandler;
     }
 
     /**
@@ -437,14 +384,10 @@ public class LoginContext {
      *
      * @since 1.5
      */
-    @SuppressWarnings("removal")
     public LoginContext(String name, Subject subject,
                         CallbackHandler callbackHandler,
                         Configuration config) throws LoginException {
         this.config = config;
-        if (config != null) {
-            creatorAcc = java.security.AccessController.getContext();
-        }
 
         init(name);
         if (subject != null) {
@@ -453,10 +396,6 @@ public class LoginContext {
         }
         if (callbackHandler == null) {
             loadDefaultCallbackHandler();
-        } else if (creatorAcc == null) {
-            this.callbackHandler = new SecureCallbackHandler
-                                (java.security.AccessController.getContext(),
-                                callbackHandler);
         } else {
             this.callbackHandler = callbackHandler;
         }
@@ -518,13 +457,12 @@ public class LoginContext {
         }
 
         try {
-            // module invoked in doPrivileged
-            invokePriv(LOGIN_METHOD);
-            invokePriv(COMMIT_METHOD);
+            invoke(LOGIN_METHOD);
+            invoke(COMMIT_METHOD);
             loginSucceeded = true;
         } catch (LoginException le) {
             try {
-                invokePriv(ABORT_METHOD);
+                invoke(ABORT_METHOD);
             } catch (LoginException le2) {
                 throw le;
             }
@@ -557,8 +495,7 @@ public class LoginContext {
                 ("null.subject.logout.called.before.login"));
         }
 
-        // module invoked in doPrivileged
-        invokePriv(LOGOUT_METHOD);
+        invoke(LOGOUT_METHOD);
     }
 
     /**
@@ -597,28 +534,8 @@ public class LoginContext {
     }
 
     /**
-     * Invokes the login, commit, and logout methods
-     * from a LoginModule inside a doPrivileged block restricted
-     * by creatorAcc (may be null).
-     *
-     * This version is called if the caller did not instantiate
-     * the LoginContext with a Configuration object.
+     * Invokes the login, commit, and logout methods from a LoginModule.
      */
-    @SuppressWarnings("removal")
-    private void invokePriv(final String methodName) throws LoginException {
-        try {
-            java.security.AccessController.doPrivileged
-                (new java.security.PrivilegedExceptionAction<Void>() {
-                public Void run() throws LoginException {
-                    invoke(methodName);
-                    return null;
-                }
-            }, creatorAcc);
-        } catch (java.security.PrivilegedActionException pae) {
-            throw (LoginException)pae.getException();
-        }
-    }
-
     private void invoke(String methodName) throws LoginException {
 
         // start at moduleIndex
@@ -639,11 +556,8 @@ public class LoginContext {
                             if (debug != null){
                                 debug.println("Build ServiceProviders cache for ClassLoader: " + contextClassLoader.getName());
                             }
-                            @SuppressWarnings("removal")
-                            ServiceLoader<LoginModule> sc = AccessController.doPrivileged(
-                                    (PrivilegedAction<ServiceLoader<LoginModule>>)
-                                            () -> java.util.ServiceLoader.load(
-                                                LoginModule.class, contextClassLoader));
+                            ServiceLoader<LoginModule> sc = ServiceLoader.load(
+                                    LoginModule.class, contextClassLoader);
                             lmProviders = sc.stream().collect(Collectors.toSet());
                                 if (debug != null){
                                     debug.println("Discovered ServiceProviders for ClassLoader: " + contextClassLoader.getName());
@@ -841,45 +755,6 @@ public class LoginContext {
         }
     }
 
-    /**
-     * Wrap the caller-specified CallbackHandler in our own
-     * and invoke it within a privileged block, constrained by
-     * the caller's AccessControlContext.
-     */
-    private static class SecureCallbackHandler implements CallbackHandler {
-
-        @SuppressWarnings("removal")
-        private final java.security.AccessControlContext acc;
-        private final CallbackHandler ch;
-
-        SecureCallbackHandler(@SuppressWarnings("removal") java.security.AccessControlContext acc,
-                        CallbackHandler ch) {
-            this.acc = acc;
-            this.ch = ch;
-        }
-
-        @SuppressWarnings("removal")
-        public void handle(final Callback[] callbacks)
-                throws java.io.IOException, UnsupportedCallbackException {
-            try {
-                java.security.AccessController.doPrivileged
-                    (new java.security.PrivilegedExceptionAction<Void>() {
-                    public Void run() throws java.io.IOException,
-                                        UnsupportedCallbackException {
-                        ch.handle(callbacks);
-                        return null;
-                    }
-                }, acc);
-            } catch (java.security.PrivilegedActionException pae) {
-                if (pae.getException() instanceof java.io.IOException) {
-                    throw (java.io.IOException)pae.getException();
-                } else {
-                    throw (UnsupportedCallbackException)pae.getException();
-                }
-            }
-        }
-    }
-
     /**
      * LoginModule information -
      *          encapsulates Configuration info and actual module instances
diff --git a/src/java.base/share/classes/javax/security/cert/X509Certificate.java b/src/java.base/share/classes/javax/security/cert/X509Certificate.java
index f93c811cf29..38ab1976987 100644
--- a/src/java.base/share/classes/javax/security/cert/X509Certificate.java
+++ b/src/java.base/share/classes/javax/security/cert/X509Certificate.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -30,9 +30,7 @@ import java.io.InputStream;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
 import java.math.BigInteger;
-import java.security.AccessController;
 import java.security.Principal;
-import java.security.PrivilegedAction;
 import java.security.Security;
 import java.util.Date;
 
@@ -140,17 +138,7 @@ public abstract class X509Certificate extends Certificate {
      * </pre>
      */
     private static final String X509_PROVIDER = "cert.provider.x509v1";
-    private static String X509Provider;
-
-    static {
-        X509Provider = AccessController.doPrivileged(
-            new PrivilegedAction<>() {
-                public String run() {
-                    return Security.getProperty(X509_PROVIDER);
-                }
-            }
-        );
-    }
+    private static String X509Provider = Security.getProperty(X509_PROVIDER);
 
     /**
      * Instantiates an X509Certificate object, and initializes it with
diff --git a/test/jdk/javax/security/auth/login/Configuration/GetInstanceConfigSpi.java b/test/jdk/javax/security/auth/login/Configuration/GetInstanceConfigSpi.java
index f8b73c6ce36..8127292ee3b 100644
--- a/test/jdk/javax/security/auth/login/Configuration/GetInstanceConfigSpi.java
+++ b/test/jdk/javax/security/auth/login/Configuration/GetInstanceConfigSpi.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,7 +21,7 @@
  * questions.
  */
 
-import java.security.*;
+import java.security.URIParameter;
 import javax.security.auth.login.*;
 import com.sun.security.auth.login.*;
 
@@ -31,16 +31,11 @@ public class GetInstanceConfigSpi extends ConfigurationSpi {
 
     public GetInstanceConfigSpi(final Configuration.Parameters params) {
 
-        c = AccessController.doPrivileged
-            (new PrivilegedAction<Configuration>() {
-            public Configuration run() {
-                if (params instanceof URIParameter) {
-                    URIParameter uriParam = (URIParameter)params;
-                    return new ConfigFile(uriParam.getURI());
-                }
-                return new ConfigFile();
-            }
-        });
+        if (params instanceof URIParameter uriParam) {
+            c = new ConfigFile(uriParam.getURI());
+        } else {
+            c = new ConfigFile();
+        }
     }
 
     public AppConfigurationEntry[] engineGetAppConfigurationEntry(String name) {
diff --git a/test/jdk/javax/security/auth/login/Configuration/GetInstanceProvider.java b/test/jdk/javax/security/auth/login/Configuration/GetInstanceProvider.java
index 01f0a1fd572..ac6e4693fc2 100644
--- a/test/jdk/javax/security/auth/login/Configuration/GetInstanceProvider.java
+++ b/test/jdk/javax/security/auth/login/Configuration/GetInstanceProvider.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,7 +21,7 @@
  * questions.
  */
 
-import java.security.*;
+import java.security.Provider;
 
 public class GetInstanceProvider extends Provider {
 
@@ -30,12 +30,6 @@ public class GetInstanceProvider extends Provider {
                 "1",
                 "GetInstanceProvider: Configuration.GetInstanceConfigSpi");
 
-        AccessController.doPrivileged(new PrivilegedAction() {
-            public Object run() {
-                put("Configuration.GetInstanceConfigSpi",
-                        "GetInstanceConfigSpi");
-                return null;
-            }
-        });
+        put("Configuration.GetInstanceConfigSpi", "GetInstanceConfigSpi");
     }
 }
diff --git a/test/jdk/javax/security/auth/login/LoginContext/ConfigConstructor.java b/test/jdk/javax/security/auth/login/LoginContext/ConfigConstructor.java
index 7907ad12bbe..d6ab1d5d857 100644
--- a/test/jdk/javax/security/auth/login/LoginContext/ConfigConstructor.java
+++ b/test/jdk/javax/security/auth/login/LoginContext/ConfigConstructor.java
@@ -31,12 +31,6 @@
  *
  */
 
-/**
- * This test shares the login config with ConfigConstructorNoPerm.
- * This test has all necessary permissions configured in the policy
- * (ConfigConstructorNoPerm has no perms and checks for SecurityExceptions).
- */
-
 import java.util.Map;
 import javax.security.auth.Subject;
 import javax.security.auth.login.AppConfigurationEntry;
@@ -209,8 +203,7 @@ public class ConfigConstructor {
         public void initialize(Subject s, CallbackHandler ch,
                 Map<String,?> state, Map<String,?> options) {
             if (s != ConfigConstructor.s ||
-                ch == null ||
-                ch == ConfigConstructor.ch) {
+                ch == null) {
                 throw new SecurityException("Module 3 failed");
             }
         }
diff --git a/test/jdk/javax/security/auth/login/LoginContext/LCTest.java b/test/jdk/javax/security/auth/login/LoginContext/LCTest.java
index e5eeb6c1d7f..b9c8735499f 100644
--- a/test/jdk/javax/security/auth/login/LoginContext/LCTest.java
+++ b/test/jdk/javax/security/auth/login/LoginContext/LCTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -287,15 +287,9 @@ public class LCTest {
                 return false;
             }
             userPrincipal = new UnixPrincipal(username);
-            final Subject s = subject;
-            final UnixPrincipal up = userPrincipal;
-            java.security.AccessController.doPrivileged
-                    ((java.security.PrivilegedAction) () -> {
-                        if (!s.getPrincipals().contains(up)) {
-                            s.getPrincipals().add(up);
-                        }
-                        return null;
-                    });
+            if (!subject.getPrincipals().contains(userPrincipal)) {
+                subject.getPrincipals().add(userPrincipal);
+            }
             password = null;
             commitSucceeded = true;
             return true;
@@ -320,13 +314,7 @@ public class LCTest {
 
         private void clearState() {
             if (commitSucceeded) {
-                final Subject s = subject;
-                final UnixPrincipal up = userPrincipal;
-                java.security.AccessController.doPrivileged
-                        ((java.security.PrivilegedAction) () -> {
-                            s.getPrincipals().remove(up);
-                            return null;
-                        });
+                subject.getPrincipals().remove(userPrincipal);
             }
             username = null;
             password = null;