Removing support for SecurityManager in Nashorn

Attila Szegedi szegedia at gmail.com
Thu Dec 26 07:04:18 UTC 2024


Hi all,

Due to its lineage as an integral part of OpenJDK – and thus an attractive
vector of attack – Nashorn has a lot of code dealing with proper operation
under a security manager. Most of that code is not particularly relevant
now that it is not part of OpenJDK, and even less since the Security
Manager was deprecated in Java 17 with JEP 411[0] and slated to be
permanently disabled in Java 24 with JEP 486[1], with the removal of the
API sometime in the future.

The time has come to also remove Security Manager support from Nashorn. As
JEP 486 states, deprecating the Security Manager had hardly any impact,
proving that almost nobody uses it:

"Since the release of JDK 17, the maintainers of some of the handful of
frameworks and tools that supported the Security Manager have removed
support for it; these include Derby, Ant, SpotBugs, and Tomcat. The
maintainers of Jakarta EE removed the requirement for EE applications to
support the Security Manager. We are not aware of any new projects that
support the Security Manager."

I guess if even Tomcat can live without the Security Manager, then so can
Nashorn.

Attila.

--
[0] https://openjdk.org/jeps/411
[1] https://openjdk.org/jeps/486