JDK-8309704 : Release Note: Ignore Allow and Disallow Options for `java.security.manager` System Property
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7u401,8u391,11.0.21-oracle
  • Priority: P3
  • Status: Resolved
  • Resolution: Delivered
  • Submitted: 2023-06-09
  • Updated: 2023-09-11
  • Resolved: 2023-09-06
Description
In JDK 12, two new token options for the `java.security.manager` system property, "allow" and "disallow", were introduced.

Many applications and frameworks are designed to run on multiple JDKs. For those that enable the SecurityManager at runtime via `System.setSecurityManager`, they have to specify the "allow" option as of JDK 18 (see JDK-8203316). However, these applications would also prefer to use the same command line across multiple versions of the JDK, especially if it is not known what JDK version a user will use.

Currently, if these options are specified in JDK 12 or earlier, the runtime attempts to load a SecurityManager implementation with the classname "allow" or "disallow", which results in a `Could not create SecurityManager` Error and the application will not start up.

From this release onward, the "allow" and "disallow" options for the `java.security.manager` system property will be ignored.