On Thu, Dec 16, 2021 at 1:27 PM Tim Allison <[email protected]> wrote: > > Is this something worth pursuing? Are there things we can do with the > SecurityManager or via other techniques to improve the robustness of > our codebase? >
Couple thoughts: As a library, you can create a policy for tests and run your unit test suite with SecurityManager enabled. This is a safe step that won't break anything for users, but at the same time provide value and detect shenanigans that are happening behind the scenes. The policy could also be used when doing fuzz testing or similar, too. It helps with software maintenance too: if a new parser is added and the tests need strange permissions in order to pass... well it is worth looking into. As an app (e.g. tika-server), you can include a policy file, ideally based upon the above testing, so that users can opt-in to running security manager easily. And at some point maybe, update any scripts/instructions so that it is "by default"
