JDK / JDK-8271301

Change the default value of the java.security.manager system property to disallow


    Details

    • Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version/s: 18
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      low
    • Compatibility Risk Description:
      With the new default behavior, if this system property is not set and `System.setSecurityManager` is called, then an `UnsupportedOperationException` will be thrown. This has been thoroughly discussed and fully acknowledged during the public review of JEP 411 during JDK 17, and we hear no objection on switching this flag in the next release. For most applications, the maintainer can simply add `-Djava.security.manager=allow` to the launcher command before they remove the `setSecurityManager` call. In a few cases where the application might have parsed the system property value on its own and does not yet support the `allow` value (which was introduced in JDK 12), a code change is needed to support it. This has been shown possible in recent Equinox and NetBeans discussions.
    • Interface Kind:
      System or security property
    • Scope:
      JDK

      Description

      Summary

      Change the default value of the `java.security.manager` system property to `disallow`, so that unless it is explicitly set to `allow`, any call to `System.setSecurityManager(SecurityManager)` with a non-null argument will throw an `UnsupportedOperationException`.

      Problem

      We have deprecated the Security Manager for removal in JDK 17 through JEP 411, and in the next few releases we will gradually remove (or degrade) the API and the implementation. Disabling the ability to dynamically install a Security Manager by default is one of the first steps. This is already described in the Description section of JEP 411.

      Solution

      When the `java.security.manager` system property is not set, treat it the same as if it were set to `disallow`.
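
The property values and the outcome each one produces under the new default, as an added Java example that is not part of the CSR or the JDK sources. The class, enum and method names are hypothetical, and a JDK 18 runtime is assumed.

```java
// Added example: names are hypothetical, behavior assumed is that of JDK 18.
@SuppressWarnings("removal")
public class SecurityManagerMode {

    enum Mode { SET_AT_STARTUP, DYNAMIC_ALLOWED, DYNAMIC_DISALLOWED }

    // Maps a java.security.manager value to the behavior it selects.
    static Mode classify(String value) {
        if (value == null || value.equals("disallow")) {
            return Mode.DYNAMIC_DISALLOWED;  // unset is now treated like "disallow"
        }
        if (value.equals("allow")) {
            return Mode.DYNAMIC_ALLOWED;     // token introduced in JDK 12
        }
        // Empty string, "default" or a class name: a manager is set at startup.
        return Mode.SET_AT_STARTUP;
    }

    // Attempts the dynamic install and reports what the runtime did.
    static String tryInstall() {
        try {
            System.setSecurityManager(new SecurityManager());
            return "setSecurityManager: installed";
        } catch (UnsupportedOperationException e) {
            return "setSecurityManager: rejected, dynamic install is disallowed";
        } catch (SecurityException e) {
            return "setSecurityManager: denied by the manager already in place";
        }
    }

    public static void main(String[] args) {
        // A manager set at startup may deny reading the property, so check first.
        if (System.getSecurityManager() != null) {
            System.out.println("a security manager was set at startup");
            return;
        }
        String value = System.getProperty("java.security.manager");
        System.out.println("java.security.manager = " + value);
        System.out.println("expected mode = " + classify(value));
        System.out.println(tryInstall());
    }
}
```

Run without the property, the last line reports the rejection; run with `-Djava.security.manager=allow`, it reports the install.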

      Specification

      src/java.base/share/classes/java/lang/SecurityManager.java:

       /**
        ...
        * The Java run-time may also allow, but is not required to allow, the security
        * manager to be set dynamically by invoking the
        * {@link System#setSecurityManager(SecurityManager) setSecurityManager} method.
        * In the JDK implementation, if the Java virtual machine is started with
        * the {@code java.security.manager} system property set to the special token
      - * "{@code disallow}" then a security manager will not be set at startup and
      - * cannot be set dynamically (the
      + * "{@code allow}", then a security manager will not be set at startup but can
      + * be set dynamically. If the Java virtual machine is started with the
      + * {@code java.security.manager} system property not set or set to the special
      + * token "{@code disallow}", then a security manager will not be set at startup
      + * and cannot be set dynamically (the
        * {@link System#setSecurityManager(SecurityManager) setSecurityManager}
      - * method will throw an {@code UnsupportedOperationException}). If the
      - * {@code java.security.manager} system property is not set or is set to the
      - * special token "{@code allow}", then a security manager will not be set at
      - * startup but can be set dynamically.
      + * method will throw an {@code UnsupportedOperationException}).
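Review bot: In the added sentence that begins "If the Java virtual machine is started with the {@code java.security.manager} system property not set or set to", the unset case is folded into the "disallow" case, so the paragraph never says outright that "disallow" is now the default. Consider stating that directly, for example "The default value is {@code disallow}", so a reader looking for the default finds it without parsing both conditions.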
      
        ...
        * following table illustrates the behavior of the JDK implementation for the
        * different settings of the {@code java.security.manager} system property:
        ...
        * <tr>
        * <th scope="col">Property Value</th>
        * <th scope="col">The SecurityManager set at startup</th>
        * <th scope="col">System.setSecurityManager run-time behavior</th>
        * </tr>
        ...
        * <tr>
        *   <th scope="row">null</th>
        *   <td>None</td>
      - *   <td>Success or throws {@code SecurityException} if not permitted by
      - * the currently installed security manager</td>
      + *   <td>Always throws {@code UnsupportedOperationException}</td>
        * </tr>
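Review bot: The new cell for the null row reads "Always throws {@code UnsupportedOperationException}", while the Summary of this CSR limits the exception to calls with a non-null argument. Suggest qualifying the cell the same way, or adjusting the Summary, so the table and the summary agree.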
        ...
      - * <p> A future release of the JDK may change the default value of the
      - * {@code java.security.manager} system property to "{@code disallow}".
        ...
        */
       @Deprecated(since="17", forRemoval=true)
       public class SecurityManager

      src/java.base/share/classes/java/lang/System.java:

           /*
            ...
            * @implNote In the JDK implementation, if the Java virtual machine is
      -     * started with the system property {@code java.security.manager} set to
      +     * started with the system property {@code java.security.manager} not set or set to
            * the special token "{@code disallow}" then the {@code setSecurityManager}
            * method cannot be used to set a security manager.
            ...
            */
           @Deprecated(since="17", forRemoval=true)
           @CallerSensitive
           public static void setSecurityManager(@SuppressWarnings("removal") SecurityManager sm);
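Review bot: The changed @implNote line ("started with the system property {@code java.security.manager} not set or set to") is noticeably longer than the lines around it and leaves the sentence hard to parse. Suggest rewrapping it and, since an unset property now means the method cannot be used, adding that starting with the property set to "allow" is what permits the call, as the SecurityManager class description in this same change does.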

              People

              Assignee:
              weijun Weijun Wang
              Reporter:
              mullan Sean Mullan
              Reviewed By:
              Alan Bateman, Lance Andersen, Sean Mullan