RFR: 8270380: Change the default value of the java.security.manager system property to disallow

David Holmes dholmes at openjdk.java.net
Mon Aug 23 04:45:28 UTC 2021


On Fri, 20 Aug 2021 22:44:34 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> This change modifies the default value of the `java.security.manager` system property from "allow" to "disallow". This means unless it's explicitly set to "allow", any call to `System.setSecurityManager()` would throw an UOE.
> 
> The `AllowSecurityManager.java` and `SecurityManagerWarnings.java` tests are updated to confirm this behavior change. Two other tests are updated because they were added after JDK-8267184 and do not have `-Djava.security.manager=allow` on their `@run` line even if they need to install a `SecurityManager` at runtime.

@wangweij there are many tests that can call setSecurityManager() and will presumably need to be fixed before this switch can be applied. And all testing will need to be updated to require jtreg 6.1 (which no longer uses the SM) once it is released.

Thanks,
David

-------------

PR: https://git.openjdk.java.net/jdk/pull/5204
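
A heuristic scan for the kind of test discussed above, as an added example that is not part of this thread or of the JDK repository: it reports jtreg `@run` lines in tests that call `System.setSecurityManager()` without passing `-Djava.security.manager=allow`. The function names and sample sources are constructed here, and matching on source text is an assumption: it misses tests that install the manager through a helper class and also flags tests that expect the UOE on purpose.

```python
import re
from pathlib import Path

# jtreg action tag inside the test header comment, e.g.
#   " * @run main/othervm -Dfoo=bar ClassName"
RUN_TAG = re.compile(r"^[ \t]*\*?[ \t]*@run[ \t]+(\S.*)$", re.MULTILINE)
SET_SM = re.compile(r"\bSystem\s*\.\s*setSecurityManager\s*\(")
ALLOW = re.compile(r"(?<!\S)-Djava\.security\.manager=allow(?!\S)")
JVM_ACTIONS = {"main", "testng", "junit"}  # actions that execute test code

def missing_allow(source: str) -> list[str]:
    """Return the @run lines of one test source that run test code without
    -Djava.security.manager=allow although the source installs a
    SecurityManager. A test with no such @run line at all is reported as
    "<implicit @run>"."""
    if not SET_SM.search(source):
        return []
    runs = [m.group(1).strip() for m in RUN_TAG.finditer(source)]
    # "main/othervm" -> "main"; skip build/compile/clean style actions.
    runs = [r for r in runs if r.split()[0].split("/")[0] in JVM_ACTIONS]
    if not runs:
        return ["<implicit @run>"]
    return [r for r in runs if not ALLOW.search(r)]

def scan_tree(root) -> dict[str, list[str]]:
    """Apply missing_allow() to every .java file under root."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*.java")):
        found = missing_allow(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[str(path.relative_to(root))] = found
    return hits

# Constructed sample test sources (not real JDK tests).
BODY = ("public class InstallsSM {\n  public static void main(String[] a) {\n"
        "    System.setSecurityManager(new SecurityManager());\n  }\n}\n")
SAMPLE_OK = ("/*\n * @test\n"
             " * @run main/othervm -Djava.security.manager=allow InstallsSM\n"
             " */\n" + BODY)
SAMPLE_BAD = ("/*\n * @test\n * @run build Helper\n"
              " * @run main/othervm -Djava.security.manager=allow InstallsSM\n"
              " * @run main/othervm InstallsSM\n */\n" + BODY)

if __name__ == "__main__":
    for name, src in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, missing_allow(src))
```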


