deprecation of SecurityManager JEP 411
arjan tijms
arjan.tijms at gmail.com
Thu Feb 17 13:29:04 UTC 2022
Hi,
On Wed, Feb 16, 2022 at 6:24 PM Bowes, David <d.h.bowes at lancaster.ac.uk>
wrote:
> I used the SecurityManger with great success to protect against Log4JShell.
>
>
>
> [...] I would suggest that the SecurityManager does protect me from
> singinficant threats.
>
While I don't disagree with you entirely, the problem is that seemingly
almost nobody actually uses the security manager to protect against things
like Log4JShell. The proof is in the pudding. If the security manager
indeed protected against that in practice to a sufficient degree, then
Log4JShell wouldn't have been a problem at all, would it? Yet it was, and
the security manager is still there at the moment.
I understand one could argue that without the security manager the impact
of Log4JShell would have been even bigger, but I've not seen any evidence
stating that.
Given the way Java is now predominantly used, I think a better choice might
be to have the Java applications run on virtual servers that restrict at
that virtual server level which domains and IPs outgoing traffic may
connect to.
Finally, I think nobody is saying there is no value at all in the security
manager, but just that the amount of work required to maintain it vs the
practical benefits are non-optimal, at least with the current way the
security manager and its permissions and policies work.
Kind regards,
Arjan Tijms
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20220217/7637e4a2/attachment.htm>
More information about the security-dev
mailing list