On Fri, 20 Aug 2021 22:44:34 GMT, Weijun Wang <wei...@openjdk.org> wrote:
> This change modifies the default value of the `java.security.manager` system
> property from "allow" to "disallow". This means unless it's explicitly set to
> "allow", any call to `System.setSecurityManager()` would throw an UOE.
>
> The `AllowSecurityManager.java` and `SecurityManagerWarnings.java` tests are
> updated to confirm this behavior change. Two other tests are updated because
> they were added after JDK-8267184 and do not have
> `-Djava.security.manager=allow` on its `@run` line even it they need to
> install a `SecurityManager` at runtime.
A somewhat broader question - I looked at the javadocs of this latest update to
`SecurityManager` in this PR. One thing I'm unclear about is, consider the case
where the `java.security.manager` is _not_ set to anything at the command line.
Then in some application code, let's say we have this:
String oldVal = System.getProperty("java.security.manager");
try {
System.setProperty("java.security.manager", "allow");
System.setSecurityManager(someSecurityManager);
.... // do something
} finally {
System.setProperty("java.security.manager", oldVal);
}
Would this then allow the security manager to be used? In other words, can the
value of `java.security.manager` be changed dynamically at runtime or is it
restricted to be set only at launch time (via command line arugment
`-Djava.security.manager`)?
-------------
PR: https://git.openjdk.java.net/jdk/pull/5204
