RFR: 8270380: Change the default value of the java.security.manager system property to disallow

[Sean Mullan]

On Fri, 20 Aug 2021 22:44:34 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> This change modifies the default value of the `java.security.manager` system property from "allow" to "disallow". This means unless it's explicitly set to "allow", any call to `System.setSecurityManager()` would throw an UOE.
> 
> The `AllowSecurityManager.java` and `SecurityManagerWarnings.java` tests are updated to confirm this behavior change. Two other tests are updated because they were added after JDK-8267184 and do not have `-Djava.security.manager=allow` on its `@run` line even it they need to install a `SecurityManager` at runtime.
> 
> Please note that this code change requires jtreg to be upgraded to 6.1, where a security manager [will not be set](https://bugs.openjdk.java.net/browse/CODETOOLS-7902990).

In the class description of `java/lang/SecurityManager` I think it would be useful to add a couple of sub-sections, 

1. **Setting a Security Manager** just before the paragraph that starts with "Environments using a security manager will typically set the security manager at startup." and ends with "The current security manager is returned by the getSecurityManager method."

2. **Checking permissions** which starts after the section above and continues to the end.

The reason I think this is useful is that you can then add a link from `System.setSecurityManager` to the subsection on **Setting a Security Manager** as I think it will be useful to link those together. The best place for that link is probably in the `@implNote` where it describes the JDK behavior for the `java.security.manager` system property.

-------------

PR: https://git.openjdk.java.net/jdk/pull/5204