The system property seems fine for now as it's just going to be temporary until the work is finished for JDK 25 and then the flag can be removed.
On Thu, Jan 15, 2026 at 7:15 AM Jean-Louis Monteiro < [email protected]> wrote: > Hi all, > > We used MRJAR in the Java 25 branch to get rid of the SecurityManager usage > and use the new API to retrieve the subject mainly for audit logs. > > But in tests, we also have things like System.setSecurityManager which has > been marked as deprecated in Java 17. > > Since Java 24, it permanently throws an exception hence the rework of some > tests to avoid this in Java 25 ongoing work. > > For versions 18-23, the flag to disable programmatic SecurityManager setup > has been set to disallow which means that setSecurityManager() also throws > an exception unless you explicitly authorize it. > In the recent Github Actions work, we added Java 21 and 25 to the night > builds in addition to Java 17. I made a PR to remove Java 25 for now, > because we are still working on it on a separate branch so it's clear that > nightly builds on Java 25 will always fail. > > For Java 21, there is an open question because we have 2 options > - remove it from the nightly build and stick with Java 17 until Java 25 > work is done > - add the system property in surefire configuration to allow > System.setSecurityManager() in tests > > We can also rework the tests, but it's partially done already for Java 25 > and we are not far. I'm tempted to go with option 2 (system property), but > I'd like to gather some thoughts. > > -- > Jean-Louis Monteiro > http://twitter.com/jlouismonteiro > http://www.tomitribe.com >
