Hi Jean-Louis, Thanks for the comprehensive email.
I also prefer using a system property for now. This approach allows us to move forward smoothly while we complete the remaining work. Regards, JB On Thu, Jan 15, 2026 at 1:15 PM Jean-Louis Monteiro < [email protected]> wrote: > Hi all, > > We used MRJAR in the Java 25 branch to get rid of the SecurityManager usage > and use the new API to retrieve the subject mainly for audit logs. > > But in tests, we also have things like System.setSecurityManager which has > been marked as deprecated in Java 17. > > Since Java 24, it permanently throws an exception hence the rework of some > tests to avoid this in Java 25 ongoing work. > > For versions 18-23, the flag to disable programmatic SecurityManager setup > has been set to disallow which means that setSecurityManager() also throws > an exception unless you explicitly authorize it. > In the recent Github Actions work, we added Java 21 and 25 to the night > builds in addition to Java 17. I made a PR to remove Java 25 for now, > because we are still working on it on a separate branch so it's clear that > nightly builds on Java 25 will always fail. > > For Java 21, there is an open question because we have 2 options > - remove it from the nightly build and stick with Java 17 until Java 25 > work is done > - add the system property in surefire configuration to allow > System.setSecurityManager() in tests > > We can also rework the tests, but it's partially done already for Java 25 > and we are not far. I'm tempted to go with option 2 (system property), but > I'd like to gather some thoughts. > > -- > Jean-Louis Monteiro > http://twitter.com/jlouismonteiro > http://www.tomitribe.com >
