This is an automated email from the ASF dual-hosted git repository.

janhoy pushed a commit to branch branch_9x
in repository https://gitbox.apache.org/repos/asf/solr.git


The following commit(s) were added to refs/heads/branch_9x by this push:
     new 5e7b27d3e43 SOLR-17641: Disable the Security Manager on JDK24+ 
(branch_9x) (#3645)
5e7b27d3e43 is described below

commit 5e7b27d3e43cb98e1a661467762455ca05ddfac8
Author: Jan Høydahl <[email protected]>
AuthorDate: Wed Sep 10 10:38:44 2025 +0200

    SOLR-17641: Disable the Security Manager on JDK24+ (branch_9x) (#3645)
    
    Co-authored-by: Houston Putman <[email protected]>
---
 solr/CHANGES.txt                                                   | 2 ++
 solr/bin/solr                                                      | 7 ++++++-
 solr/bin/solr.cmd                                                  | 5 ++++-
 .../modules/upgrade-notes/pages/major-changes-in-solr-9.adoc       | 4 ++++
 4 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index ed1785841df..1dc33b998e6 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -18,6 +18,8 @@ Improvements
 * SOLR-17884: SolrJ users not using deprecated SolrClients can safely exclude 
Apache HttpClient dependencies.
   (David Smiley)
 
+* SOLR-17641: Solr is now able to start on Java 24 and later, but with 
Security Manager disabled (Houston Putman, Jan Høydahl)
+
 Optimizations
 ---------------------
 (No changes)
diff --git a/solr/bin/solr b/solr/bin/solr
index 6b44b4eb13e..5f9212f9543 100755
--- a/solr/bin/solr
+++ b/solr/bin/solr
@@ -176,7 +176,7 @@ if [[ $? -ne 0 ]] ; then
   exit 1
 else
   JAVA_VER_NUM=$(echo "$JAVA_VER" | grep -v '_OPTIONS' | head -1 | awk -F '"' 
'/version/ {print $2}' | sed -e's/^1\.//' | sed -e's/[._-].*$//')
-  if [[ "$JAVA_VER_NUM" -lt "$JAVA_VER_REQ" ]] ; then
+  if (( JAVA_VER_NUM < JAVA_VER_REQ )) ; then
     echo >&2 "Your current version of Java is too old to run this version of 
Solr."
     echo >&2 "We found major version $JAVA_VER_NUM, using command '${JAVA} 
-version', with response:"
     echo >&2 "${JAVA_VER}"
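Review bot: `JAVA_VER_NUM` reaches the new `(( JAVA_VER_NUM < JAVA_VER_REQ ))` test without being checked for digits, and inside `(( ))` an empty or non-numeric value is evaluated as an arithmetic expression (typically 0) instead of being rejected. The visible result is a "too old" message with a blank or odd version number, and the same variable now also decides whether the Security Manager is switched off in the later hunk of this file. A guard right after the assignment would make the failure explicit: `[[ "$JAVA_VER_NUM" =~ ^[0-9]+$ ]] || { echo >&2 "Could not parse a Java major version from '${JAVA} -version'"; exit 1; }`. The enclosing `if`/`else` starts above the hunk and continues below it.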
@@ -1235,6 +1235,11 @@ else
   REMOTE_JMX_OPTS=()
 fi
 
+# Do not use the java security manager when running Java 24+
+if (( JAVA_VER_NUM >= 24 )) ; then
+    export SOLR_SECURITY_MANAGER_ENABLED="false"
+fi
+
 # Enable java security manager (allowing filesystem access and other things)
 if [ "${SOLR_SECURITY_MANAGER_ENABLED:-true}" == "true" ]; then
   SECURITY_MANAGER_OPTS=('-Djava.security.manager' \
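Review bot: The new block at `if (( JAVA_VER_NUM >= 24 ))` overwrites `SOLR_SECURITY_MANAGER_ENABLED` unconditionally and prints nothing, so an operator who set it to `true` explicitly loses that sandboxing layer on Java 24+ with no trace in the script output; the `solr.cmd` hunk does the same. I would log the downgrade to stderr inside the block, e.g. `echo >&2 "WARNING: Security Manager is not available on Java ${JAVA_VER_NUM}; Solr is starting without it."`, ideally only when the variable was unset or `true`. The comment could also state the reason: `# Java 24+ removed Security Manager support, so force it off even if the operator enabled it`. Whether this part of the script runs only for start commands is not visible in the hunk, so the placement of the message may need adjusting.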
diff --git a/solr/bin/solr.cmd b/solr/bin/solr.cmd
index 5cf1ad7d8c1..5ba99107e74 100755
--- a/solr/bin/solr.cmd
+++ b/solr/bin/solr.cmd
@@ -88,7 +88,10 @@ IF NOT DEFINED SOLR_SSL_RELOAD_ENABLED (
   set "SOLR_SSL_RELOAD_ENABLED=true"
 )
 
-REM Enable java security manager by default (limiting filesystem access and 
other things)
+REM Enable java security manager by default for Java 23 and before (limiting 
filesystem access and other things)
+IF !JAVA_MAJOR_VERSION! GEQ 24 (
+  set SOLR_SECURITY_MANAGER_ENABLED=false
+)
 IF NOT DEFINED SOLR_SECURITY_MANAGER_ENABLED (
   set SOLR_SECURITY_MANAGER_ENABLED=true
 )
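Review bot: `!JAVA_MAJOR_VERSION!` is tested here at around line 88 of `solr.cmd`, but nothing in the hunk shows it being assigned before this point or delayed expansion being enabled. If the variable is only resolved further down the script, the `GEQ 24` comparison is made against an empty or literal string, the override is presumably skipped, and the following `IF NOT DEFINED` block turns the Security Manager on for a JVM that no longer supports it. It is worth confirming the ordering, or moving the check next to where the Java version is resolved and the Security Manager options are built, as the `bin/solr` change does. Quoting the assignment as `set "SOLR_SECURITY_MANAGER_ENABLED=false"` would also match the `set "SOLR_SSL_RELOAD_ENABLED=true"` style just above and keep trailing whitespace out of the value.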
diff --git 
a/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc 
b/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc
index e45eb0e0e57..5844a94b8ba 100644
--- 
a/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc
+++ 
b/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc
@@ -82,6 +82,10 @@ Due to changes in Lucene 9, that isn't possible any more.
 SolrJ users not using SolrClients that use Apache HttpClient can safely 
exclude those dependencies.
 SolrJ users not using SolrClients that use Jetty HttpClient can safely exclude 
those dependencies.
 
+=== Java Security Manager
+
+Java has removed support for the Security Manager starting with Java 24; 
therefore, Solr will disable this feature when run with Java 24 or later. Solr 
previously used the Security Manager to provide an additional layer of 
protection against unintended file system access, network access, and process 
execution. Users upgrading to Java 24 or later should review their security 
practices and consider alternative measures, such as running Solr in containers 
or implementing additional operatin [...]
+
 == Solr 9.9
 
 === SolrJ
