RFR: 8270380: Change the default value of the java.security.manager system property to disallow

Weijun Wang weijun at openjdk.java.net
Sat Aug 21 11:26:26 UTC 2021

On Fri, 20 Aug 2021 23:01:27 GMT, Lance Andersen <lancea at openjdk.org> wrote:

>> This change modifies the default value of the `java.security.manager` system property from "allow" to "disallow". This means unless it's explicitly set to "allow", any call to `System.setSecurityManager()` would throw an UOE.
>> The `AllowSecurityManager.java` and `SecurityManagerWarnings.java` tests are updated to confirm this behavior change. Two other tests are updated because they were added after JDK-8267184 and do not have `-Djava.security.manager=allow` on its `@run` line even it they need to install one at runtime.
> src/java.base/share/classes/java/lang/SecurityManager.java line 128:
>> 126:  *   <th scope="row">null</th>
>> 127:  *   <td>None</td>
>> 128:  *   <td>Always throws {@code UnsupportedOperationException}</td>
> Not sure "Always" is needed, could just be "Throws UOE"

This is the same as the existing words for "disallow".


PR: https://git.openjdk.java.net/jdk/pull/5204

More information about the security-dev mailing list