> As regards the security manager then it's hard to see how it fits into the discussion. To be honest, we don't see a lot of security manager usage on the server side these days. I look at a lot of bug reports and error logs that include the command line and I don't see -Djava.security.manager very often.
Not to be a negative nancy, but that's because SecurityManager is totally unfriendly for server-side usage, as others have pointed out in this thread. To me, it always seemed geared at a desktop/applet use case. On the other hand, for a server (e.g. a long-lived daemon process), it's basically useless to set -Djava.security.manager; you get almost zero protection, because of the nature of the beast. I think it's generally accepted that such use cases require a lot of privileges up front initially (e.g. bind to network ports and so on), then they drop them. This is pretty common in other programming languages; Java just screws it up, it's really hard to do such a thing with SecurityManager out of the box without writing tons of custom code. I won't even mention the low-level nuances such as the fact that the default security policy shipped with Java allows tons of bogus crap like binding to network ports, Thread.stop, etc. :)

The second problem is that so many common Java libraries don't care about this stuff and just call internal APIs and do all kinds of bogus crap (e.g. setAccessible) without any care for the world. They are doing this cowboy-style, so of course such usages are generally not contained/well-protected; they probably don't even know how doPrivileged() works at all.

Because of these problems, if you are a server-side app, even if you understand this stuff and want to do the right thing, it's really hard to avoid simply granting all kinds of horrible permissions globally to all code. In my experience the worst problems are the internal API usage issues, so it would be nice to "give jigsaw a chance" to see if it makes the situation better. SecurityManager is really great if you want to prevent common security issues such as directory traversal, but it's too hard for a server-side app right now.
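As an added illustration of the "grant a few privileges up front, deny everything else" shape the post is describing (this is example code written for this page, not code from the thread or from the JDK), the class below replaces the shipped java.policy with a deny-by-default Policy, grants itself only a localhost listen and read access to one data directory, binds the port inside doPrivileged, and is then refused when it tries to read outside that directory. Assumptions: the data directory is java.io.tmpdir and user.home lies outside it; everything is in one ProtectionDomain, so the doPrivileged wrapper shows the pattern rather than changing the outcome here (it matters once a less-privileged caller, say a plugin in its own domain, invokes bindPrivileged). SecurityManager is deprecated for removal since JDK 17 (JEP 411); on JDK 18 to 23 this needs -Djava.security.manager=allow, and JEP 486 disables it permanently in JDK 24.

```java
import java.io.File;
import java.io.FilePermission;
import java.io.IOException;
import java.net.ServerSocket;
import java.net.SocketPermission;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;

/**
 * Added example (not from the thread): a daemon-style process with a
 * deny-by-default Policy. Assumes the data directory is java.io.tmpdir and
 * that user.home is not inside it.
 */
public class LockedDownServer {

    /** Deny-by-default: only what is in GRANTS is allowed, for every domain. */
    static final class ServerPolicy extends Policy {
        private final Permissions grants = new Permissions();

        ServerPolicy(String dataDir) {
            // The one "up-front" privilege the server needs: listen on an ephemeral localhost port.
            grants.add(new SocketPermission("localhost:0", "listen"));
            // Read the data directory itself and everything below it ("-" means recursive).
            grants.add(new FilePermission(dataDir, "read"));
            grants.add(new FilePermission(new File(dataDir, "-").getPath(), "read"));
            // Deliberately absent: stopThread, setSecurityManager, createClassLoader, and
            // suppressAccessChecks (what setAccessible needs), all of which java.policy
            // or AllPermission grants would otherwise hand out.
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return grants.implies(permission);
        }
    }

    /**
     * Binds inside doPrivileged so the listen check stops at this class's own
     * ProtectionDomain instead of walking every caller up the stack.
     */
    static ServerSocket bindPrivileged() throws IOException {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<ServerSocket>() {
                @Override
                public ServerSocket run() throws IOException {
                    return new ServerSocket(0);
                }
            });
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException();
        }
    }

    /** True if the policy lets us read the path, false if the manager denies it. */
    static boolean tryRead(File f) {
        try {
            return f.canRead();
        } catch (SecurityException denied) {   // AccessControlException once the manager is installed
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Read properties before installing the manager; afterwards that needs PropertyPermission.
        String dataDir = System.getProperty("java.io.tmpdir");
        String outside = System.getProperty("user.home");

        Policy.setPolicy(new ServerPolicy(dataDir));
        System.setSecurityManager(new SecurityManager());

        try (ServerSocket ss = bindPrivileged()) {
            System.out.println("listening on port " + ss.getLocalPort());
        }
        System.out.println("read " + dataDir + ": " + tryRead(new File(dataDir)));
        System.out.println("read " + outside + ": " + tryRead(new File(outside)));
    }
}
```

The second tryRead is the traversal case the post mentions: the read is refused even though the process runs as the same OS user. The cost the post complains about shows up as soon as a real dependency is on the classpath: every setAccessible or internal-API call it makes without its own doPrivileged fails against this policy, and the usual fix is to widen the grants for all code.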