RFR: 8270380: Change the default value of the java.security.manager system property to disallow
Jaikiran Pai
jpai at openjdk.java.net
Mon Aug 23 03:25:28 UTC 2021
On Fri, 20 Aug 2021 22:44:34 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> This change modifies the default value of the `java.security.manager` system property from "allow" to "disallow". This means unless it's explicitly set to "allow", any call to `System.setSecurityManager()` would throw an UOE.
>
> The `AllowSecurityManager.java` and `SecurityManagerWarnings.java` tests are updated to confirm this behavior change. Two other tests are updated because they were added after JDK-8267184 and do not have `-Djava.security.manager=allow` on its `@run` line even it they need to install a `SecurityManager` at runtime.
A somewhat broader question - I looked at the javadocs of this latest update to `SecurityManager` in this PR. One thing I'm unclear about is, consider the case where the `java.security.manager` is _not_ set to anything at the command line. Then in some application code, let's say we have this:
String oldVal = System.getProperty("java.security.manager");
try {
System.setProperty("java.security.manager", "allow");
System.setSecurityManager(someSecurityManager);
.... // do something
} finally {
System.setProperty("java.security.manager", oldVal);
}
Would this then allow the security manager to be used? In other words, can the value of `java.security.manager` be changed dynamically at runtime or is it restricted to be set only at launch time (via command line arugment `-Djava.security.manager`)?
-------------
PR: https://git.openjdk.java.net/jdk/pull/5204
More information about the core-libs-dev
mailing list