What is this warning message? Regardless, bin/solr could detect that this scenario is going to occur and print a message of its own so that users have better context on the situation.
In other ways, we are investing in securing Solr. Modularization comes to my mind first. And I really wish for a dev vs prod mode to gate better defaults but no action there yet :-/.

~ David Smiley
Apache Lucene/Solr Search Developer
http://www.linkedin.com/in/davidwsmiley

On Fri, Dec 17, 2021 at 5:22 PM Marcus Eagan <[email protected]> wrote:

> Hi,
>
> As a part of the Log4j madness we all have dealt with, I learned of
> JEP-411 (https://openjdk.java.net/jeps/411). There is a wish to deprecate
> the Security Manager in Java 17 for eventual removal. I feel it is likely
> to land. As a result, I think we should start to think about what it means
> to run SOLR without the option of a Security Manager for SOLR 10 (or
> whatever the next major version will be named). I know that people can turn
> it off today if they wish to do so.
>
> Is it premature to have this discussion?
>
> I suggest it is not too early because there is a proposed warning message
> on startup of an application with Security Manager. The message alone could
> cause problems for some organizations using SOLR and lead them to abandon
> the project. Instead, there would need to be a multi-person effort to
> ensure that other countermeasures are sufficient and/or added to protect
> SOLR users from more pernicious and pervasive threats in today's world and
> the future. Enabling the Security Manager by default in SOLR was a good
> future-proofing measure for today's reality.
>
> Thank you all for your contributions,
>
> --
> Marcus Eagan
