JDK-8271301 : Change the default value of the java.security.manager system property to disallow
  • Type: CSR
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 18
  • Submitted: 2021-07-26
  • Updated: 2021-11-09
  • Resolved: 2021-08-03
Description
Summary
-------

Change the default value of the `java.security.manager` system property to `disallow`, so that unless it is explicitly set to `allow`, any call to `System.setSecurityManager(SecurityManager)` with a non-null argument will throw an `UnsupportedOperationException`.

Problem
-------

We have deprecated the Security Manager for removal in JDK 17 through [JEP 411][1], and in the next few releases we will gradually remove (or degrade) the API and the implementation. Disabling the ability to dynamically install a Security Manager by default is one of the first steps. This is already described in the Description section of JEP 411.

Solution
--------

When the `java.security.manager` system property is not set, treat it the same as set to `disallow`.
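The following probe is an added example, not code from this CSR or from the JDK; it shows how an application can tell, before relying on `System.setSecurityManager`, whether the running JDK will still honour a dynamic install. `classify` mirrors only the three property states this CSR describes (unset, `disallow`, `allow`); the class name `SecurityManagerProbe` and the `DynamicInstall` enum are this example's own.

```java
// Added example (not part of the CSR or the JDK): probes whether a Security
// Manager can still be installed dynamically under the new default.
public class SecurityManagerProbe {

    /** Outcome of calling System.setSecurityManager with a non-null argument. */
    enum DynamicInstall { ALLOWED, DISALLOWED }

    /**
     * Mirrors the behaviour this CSR specifies for the java.security.manager
     * property: unset is treated exactly like "disallow"; "allow" keeps
     * dynamic installation possible. Other values (a class name, empty string)
     * are outside the excerpt on this page and are deliberately not modelled.
     */
    static DynamicInstall classify(String propertyValue) {
        if (propertyValue == null || propertyValue.equals("disallow")) {
            return DynamicInstall.DISALLOWED;
        }
        if (propertyValue.equals("allow")) {
            return DynamicInstall.ALLOWED;
        }
        throw new IllegalArgumentException(
                "value not covered by this example: " + propertyValue);
    }

    @SuppressWarnings("removal")
    public static void main(String[] args) {
        String value = System.getProperty("java.security.manager");
        System.out.println("java.security.manager=" + value
                + " -> expected: " + classify(value));
        try {
            // Non-null argument: throws UnsupportedOperationException when the
            // property is unset (JDK 18+) or set to "disallow".
            System.setSecurityManager(new SecurityManager());
            System.out.println("Security Manager installed dynamically");
        } catch (UnsupportedOperationException e) {
            System.out.println("Dynamic install refused: " + e.getMessage());
        }
    }
}
```

Run it twice on a JDK 18 or later build: `java SecurityManagerProbe` reports the install as refused, while `java -Djava.security.manager=allow SecurityManagerProbe` installs the manager (the JDK also prints its terminal-deprecation warning to stderr in that case). On JDK 17 the first invocation still succeeds, which is exactly the default this CSR flips.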

Specification
-------------

src/java.base/share/classes/java/lang/SecurityManager.java:

     /**
      ...
      * The Java run-time may also allow, but is not required to allow, the security
      * manager to be set dynamically by invoking the
      * {@link System#setSecurityManager(SecurityManager) setSecurityManager} method.
      * In the JDK implementation, if the Java virtual machine is started with
      * the {@code java.security.manager} system property set to the special token
    - * "{@code disallow}" then a security manager will not be set at startup and
    - * cannot be set dynamically (the
    + * "{@code allow}", then a security manager will not be set at startup but can
    + * be set dynamically. If the Java virtual machine is started with the
    + * {@code java.security.manager} system property not set or set to the special
    + * token "{@code disallow}", then a security manager will not be set at startup
    + * and cannot be set dynamically (the
      * {@link System#setSecurityManager(SecurityManager) setSecurityManager}
    - * method will throw an {@code UnsupportedOperationException}). If the
    - * {@code java.security.manager} system property is not set or is set to the
    - * special token "{@code allow}", then a security manager will not be set at
    - * startup but can be set dynamically.
    + * method will throw an {@code UnsupportedOperationException}).
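Review bot: the new clause "with the {@code java.security.manager} system property not set or set to the special token "{@code disallow}"" reads ambiguously (the "not" can attach to "started"); suggest "system property either not set or set to the special token" so it parallels the first sentence's "system property set to the special token "{@code allow}"". The added comma before "then" is consistent with the sentence above it, so that part is fine.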

      ...
      * following table illustrates the behavior of the JDK implementation for the
      * different settings of the {@code java.security.manager} system property:
      ...
      * <tr>
      * <th scope="col">Property Value</th>
      * <th scope="col">The SecurityManager set at startup</th>
      * <th scope="col">System.setSecurityManager run-time behavior</th>
      * </tr>
      ...
      * <tr>
      *   <th scope="row">null</th>
      *   <td>None</td>
    - *   <td>Success or throws {@code SecurityException} if not permitted by
    - * the currently installed security manager</td>
    + *   <td>Always throws {@code UnsupportedOperationException}</td>
      * </tr>
      ...
    - * <p> A future release of the JDK may change the default value of the
    - * {@code java.security.manager} system property to "{@code disallow}".
      ...
      */
     @Deprecated(since="17", forRemoval=true)
     public class SecurityManager
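Review bot: the replacement for the null row, "Always throws {@code UnsupportedOperationException}", is broader than the Summary, which limits the exception to a non-null argument; either qualify the cell ("for a non-null argument") or state that the null row behaves identically to the "{@code disallow}" row, so the two rows cannot drift apart when one is edited. Dropping the "A future release of the JDK may change the default value" paragraph is correct now that this change lands.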

src/java.base/share/classes/java/lang/System.java:

         /*
          ...
          * @implNote In the JDK implementation, if the Java virtual machine is
    -     * started with the system property {@code java.security.manager} set to
    +     * started with the system property {@code java.security.manager} not set or set to
          * the special token "{@code disallow}" then the {@code setSecurityManager}
          * method cannot be used to set a security manager.
          ...
          */
         @Deprecated(since="17", forRemoval=true)
         @CallerSensitive
         public static void setSecurityManager(@SuppressWarnings("removal") SecurityManager sm);
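Review bot: the changed @implNote says the method "cannot be used to set a security manager" but, unlike the SecurityManager class doc above, does not name the resulting {@code UnsupportedOperationException} or say that a null argument is unaffected (the Summary restricts the exception to non-null arguments); suggest adding both. Also, the excerpt opens the comment with `/*`; confirm the actual source uses `/**`, otherwise the @implNote is not rendered by javadoc.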

  [1]: https://openjdk.java.net/jeps/411


Comments
Moving to Approved.
03-08-2021

Moving to Provisional.
02-08-2021

Updated as suggested. Added a comma before the 2nd "then" to be consistent with the 1st one.
30-07-2021

Now that the default is changed to disallow, I think it would read better if we changed the order of the two sentences starting with "In the JDK implementation ...". How about: In the JDK implementation, if the Java virtual machine is started with the java.security.manager system property set to the special token "{@code allow}", then a security manager will not be set at startup but can be set dynamically. If the Java virtual machine is started with the {@code java.security.manager} system property not set or set to the special token "{@code disallow}" then a security manager will not be set at startup and cannot be set dynamically (the {@link System#setSecurityManager(SecurityManager) setSecurityManager} method will throw an {@code UnsupportedOperationException}).
27-07-2021