The current version of JEP 411 (Deprecate the Security Manager for Removal) has as its goal "Warn users if their Java applications rely on the Security Manager." To that end, it proposes to "Issue a warning message at startup if the Security Manager is enabled on the command line."

I would suggest adding a flag to disable the warning message, for use in cases where an application ships to end users with a Java runtime included, because in those cases the warning is meant for the developer of the application and not end users. End users would not be the ones providing/upgrading the Java runtime, and in many cases it would not be acceptable to have a warning displayed on startup that could confuse users.

If a flag to disable the command line warning is not added, the effect will be that the Security Manager is not possible to use in such applications already in Java 17 (counting on the proposed target), which seems rather harsh given the short notice.

If the flag is added, developers of applications that use the Security Manager will still notice the warning (until disabled) but they get more time to migrate to better solutions like process isolation. As a bonus, for hard-to-migrate cases you can stay on Java 17 with the Security Manager for as long as you're willing to pay, since many vendors seem to plan to offer long-term support for it.

