On Fri, 20 Aug 2021 22:44:34 GMT, Weijun Wang <wei...@openjdk.org> wrote:
> This change modifies the default value of the `java.security.manager` system > property from "allow" to "disallow". This means unless it's explicitly set to > "allow", any call to `System.setSecurityManager()` would throw an UOE. > > The `AllowSecurityManager.java` and `SecurityManagerWarnings.java` tests are > updated to confirm this behavior change. Two other tests are updated because > they were added after JDK-8267184 and do not have > `-Djava.security.manager=allow` on its `@run` line even it they need to > install a `SecurityManager` at runtime. > > Please note that this code change requires jtreg to be upgraded to 6.1, where > a security manager [will not be > set](https://bugs.openjdk.java.net/browse/CODETOOLS-7902990). In the class description of `java/lang/SecurityManager` I think it would be useful to add a couple of sub-sections, 1. **Setting a Security Manager** just before the paragraph that starts with "Environments using a security manager will typically set the security manager at startup." and ends with "The current security manager is returned by the getSecurityManager method." 2. **Checking permissions** which starts after the section above and continues to the end. The reason I think this is useful is that you can then add a link from `System.setSecurityManager` to the subsection on **Setting a Security Manager** as I think it will be useful to link those together. The best place for that link is probably in the `@implNote` where it describes the JDK behavior for the `java.security.manager` system property. ------------- PR: https://git.openjdk.java.net/jdk/pull/5204
