Figured I'd give an update wrt our project: The method used by NetBeans project as cited by Jan appears to work.

I have not done full testing wrt Ant as it appears the use of the SecurityManager in Ant is limited in scope to invoking another Java class in the same JVM, which we do not seem to do (normally enable forking).

Regardless, since Ant is included with our product, I implemented the NetBeans approach so we can set java.security.manager=allow unconditionally regardless of JRE version.

Since I wanted to avoid creating a custom version of ant, for the one case we invoke the 'ant' command and not org.apache.tools.ant.launch.Launcher directly, I set the LOCALCLASSPATH env to point to a jar containing allow.class, and set ANT_OPTS=-Djava.security.manager=allow

For the embedded scenarios, I updated our invocation scripts to set the sysprop when JVM is invoked and ensure allow.class is in classpath.

For Ant itself, I think if the "allow" class is included in ant-launcher.jar, the command scripts can be updated to always set the system property, avoiding the need to invoke java twice: first time to get version and second time to actually do the job.

--ewh

On Tue, Feb 8, 2022, 12:35 AM Jan Lahoda <lah...@gmail.com> wrote:

>
> FWIW, NetBeans added a SecurityManager called "allow", that uninstalls
> itself as soon as possible:
>
> https://github.com/apache/netbeans/blob/master/platform/o.n.bootstrap/src/allow.java
>
> Then -Djava.security.manager=allow works on the platforms supported by
> NetBeans - before JDK 12, "allow" is installed and quickly uninstalled, but
> setting another SecurityManager is allowed.
>
> Jan
>
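
A self-uninstalling SecurityManager of the kind the quoted message describes, as an added example: this is not the NetBeans allow.java and not code from this thread, and `AllowDemo` is a hypothetical driver class. It assumes the class is compiled for the oldest JRE in use and is on the application class path.

```java
// allow.java (added example). The class must be named "allow" and live in the
// default package so that -Djava.security.manager=allow resolves to it on JREs
// that treat the property value as a class name.
import java.security.Permission;

public class allow extends SecurityManager {
    // True while we are inside System.setSecurityManager(null), which calls
    // back into checkPermission(RuntimePermission("setSecurityManager")).
    private volatile boolean uninstalling;

    @Override
    public void checkPermission(Permission perm) {
        uninstall(); // never throws SecurityException: everything is permitted
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        uninstall();
    }

    private void uninstall() {
        if (uninstalling || System.getSecurityManager() != this) {
            return; // re-entrant call, or already removed
        }
        uninstalling = true;
        try {
            System.setSecurityManager(null);
        } finally {
            uninstalling = false;
        }
    }
}

// Hypothetical driver. Run: java -Djava.security.manager=allow -cp . AllowDemo
class AllowDemo {
    public static void main(String[] args) {
        // Where "allow" was loaded as a class it removes itself on its first
        // permission check; where it is a keyword, no manager was installed.
        System.out.println("manager at startup: " + System.getSecurityManager());
        try {
            System.setSecurityManager(new SecurityManager() {
                @Override public void checkPermission(Permission p) { /* permit */ }
            });
            System.out.println("installed: " + System.getSecurityManager());
        } catch (UnsupportedOperationException e) {
            System.out.println("setSecurityManager refused: " + e.getMessage());
        }
    }
}
```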