<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"DejaVu Sans";
panose-1:2 11 6 3 3 8 4 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-GB" link="blue" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Unfortunately I have to completely disagree with deprecating the SecurityManager: JEP411<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="mso-margin-top-alt:6.0pt;margin-right:0cm;margin-bottom:6.0pt;margin-left:0cm">
“<span style="font-size:10.0pt;font-family:"DejaVu Sans",sans-serif;color:black">The Security Manager, then, had ambitions to protect against two kinds of threat: <em><span style="font-family:"DejaVu Sans",sans-serif">Malicious intent</span></em>, especially
in remote code, and <em><span style="font-family:"DejaVu Sans",sans-serif">accidental vulnerabilities</span></em>, especially in local code.<o:p></o:p></span></p>
<p style="mso-margin-top-alt:6.0pt;margin-right:0cm;margin-bottom:6.0pt;margin-left:0cm;font-variant-ligatures: normal;font-variant-caps: normal;orphans: 2;text-align:start;widows: 2;-webkit-text-stroke-width: 0px;text-decoration-thickness: initial;text-decoration-style: initial;text-decoration-color: initial;word-spacing:0px">
<span style="font-size:10.0pt;font-family:"DejaVu Sans",sans-serif;color:black">The threat of malicious intent by remote code has receded because the Java Platform no longer supports applets. The Applet API was <a href="https://openjdk.java.net/jeps/289"><span style="color:#437291;text-decoration:none">deprecated
in Java 9 in 2017</span></a>, then <a href="https://openjdk.java.net/jeps/398"><span style="color:#437291;text-decoration:none">deprecated for removal in Java 17 in 2021</span></a> with the intent to remove it in a future release. The closed-source browser
plugin that ran applets was <a href="https://www.oracle.com/technetwork/java/javase/javaclientroadmapupdatev2020may-6548840.pdf#%5B%7B%22num%22%3A34%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C93%2C665%2C0%5D"><span style="color:#437291;text-decoration:none">removed
from Oracle's JDK 11 in 2018</span></a> along with the <a href="https://www.oracle.com/technetwork/java/javase/javaclientroadmapupdatev2020may-6548840.pdf#%5B%7B%22num%22%3A34%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C93%2C504%2C0%5D"><span style="color:#437291;text-decoration:none">closed-source
Java Web Start technology</span></a>. Accordingly, many of the risks that the Security Manager protects against are no longer significant. Furthermore, the Security Manager cannot protect against many risks that now are significant. The Security Manager cannot
address 19 of the <a href="https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html"><span style="color:#437291;text-decoration:none">25 most dangerous issues identified by industry leaders in 2020</span></a>, so issues such as XML external entity reference
(XXE) injection and improper input validation have required direct countermeasures in the Java class libraries. (For example, JAXP can <a href="https://docs.oracle.com/en/java/javase/16/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E"><span style="color:#437291;text-decoration:none">protect
against XXE attacks and XML entity expansion</span></a>, while <a href="https://docs.oracle.com/en/java/javase/16/core/serialization-filtering1.html#GUID-3ECB288D-E5BD-4412-892F-E9BB11D4C98A"><span style="color:#437291;text-decoration:none">serialization filtering</span></a> can
prevent malicious data from being deserialized before it can do any damage.) The Security Manager is also <a href="https://mail.openjdk.java.net/pipermail/vuln-announce/2019-July/000002.html"><span style="color:#437291;text-decoration:none">incapable of preventing
malicious behavior based on speculative-execution vulnerabilities</span></a>.<o:p></o:p></span></p>
<p class="MsoNormal">”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I used the SecurityManager with great success to protect against Log4JShell.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">It helped me identify the permissions being requested and then the stack trace where certain patterns of permission requests were occurring. The SecurityManager rules were then added to prevent the vulnerability. It is the basis of active
research into behaviour-based attacks.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">None of the techniques you describe above which ‘replace’ the SecurityManager functionality were sufficient. I would suggest that the SecurityManager does protect me from significant threats.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Davd Bowes<o:p></o:p></p>
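<p class="MsoNormal">As an added example (not code from this mail, from the JDK or from Log4j), the audit-then-deny approach described above: a SecurityManager subclass that logs every requested permission during a discovery phase and, for one constructed pattern (an outbound socket connect requested while a frame from a watched class-name prefix is on the stack), prints the stack trace and denies the request. The watched prefix, the demo target 127.0.0.1:9 and the class name are assumptions.</p>

```java
import java.net.Socket;
import java.net.SocketPermission;
import java.security.Permission;
import java.util.Arrays;

// Hypothetical audit/deny SecurityManager (added example, not the mail author's code).
// Phase 1 logs which permissions are requested; phase 2 matches a pattern (socket "connect"
// requested while a watched caller is on the stack), prints the stack trace and can deny it.
public class AuditSecurityManager extends SecurityManager {
    private final String watchedPrefix; // class-name prefix treated as the suspicious caller
    private final boolean enforce;      // false = audit only, true = deny matching requests

    public AuditSecurityManager(String watchedPrefix, boolean enforce) {
        this.watchedPrefix = watchedPrefix;
        this.enforce = enforce;
    }

    @Override
    public void checkPermission(Permission perm) {
        // Discovery: record every permission request so rules can be derived from real behaviour.
        System.err.println("[perm] " + perm.getClass().getSimpleName() + " " + perm.getName()
                + " " + perm.getActions());
        if (perm instanceof SocketPermission && perm.getActions().contains("connect")) {
            StackTraceElement[] stack = Thread.currentThread().getStackTrace();
            boolean fromWatched = Arrays.stream(stack)
                    .anyMatch(f -> f.getClassName().startsWith(watchedPrefix));
            if (fromWatched) {
                System.err.println("[match] " + perm + " requested from " + watchedPrefix + "*:");
                for (StackTraceElement f : stack) System.err.println("    at " + f);
                if (enforce) throw new SecurityException("connect from " + watchedPrefix + " denied");
            }
        }
        // Deliberately no super.checkPermission(): unmatched requests are allowed, so the manager
        // runs without a policy file. A production rule set would be considerably stricter.
    }

    @Override
    public void checkPermission(Permission perm, Object context) { checkPermission(perm); }

    // Demo: watch this class itself (a constructed stand-in for a logging library's package)
    // and attempt an outbound connection; the request is denied before any I/O happens.
    public static void main(String[] args) throws Exception {
        System.setSecurityManager(new AuditSecurityManager(AuditSecurityManager.class.getName(), true));
        try (Socket s = new Socket("127.0.0.1", 9)) {
            System.out.println("connect allowed (unexpected)");
        } catch (SecurityException e) {
            System.out.println("denied as intended: " + e.getMessage());
        }
    }
}
```

<p class="MsoNormal">On JDK 17 installing a SecurityManager prints a deprecation warning; on JDK 18 and later the JVM must be started with -Djava.security.manager=allow for System.setSecurityManager to succeed.</p>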
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>