Hi,

As a part of the Log4j madness we all have dealt with, I learned of JEP-411 (https://openjdk.java.net/jeps/411). There is a wish to deprecate the Security Manager in Java 17 for eventual removal. I feel it is likely to land. As a result, I think we should start to think about what it means to run SOLR without the option of a Security Manager for SOLR 10 (or whatever the next major version will be named). I know that people can turn it off today if they wish to do so.

Is it premature to have this discussion? I suggest it is not too early because there is a proposed warning message on startup of an application with Security Manager. The message alone could cause problems for some organizations using SOLR and lead them to abandon the project. Instead, there would need to be a multi-person effort to ensure that other countermeasures are sufficient and/or added to protect SOLR users from more pernicious and pervasive threats in today's world and the future. Enabling the Security Manager by default in SOLR was a good future-proofing measure for today's reality.

Thank you all for your contributions,
-- Marcus Eagan
