Hi all, apologize if I interrupted this thread. I agreed on what Reinier has said and I have similar concerns about the removal of SecurityManager.
I have developed a "Mod" for a certain game to monitor which "Mods" are using network connections. The mod is a kind of library since other libraries can use them to extend the library functionality such as add-on. In this context, library refers to Mod, a modification that can provide extra features to the base game. These libraries are usually obtained from reputable websites by the end user. However, not all libraries can be obtained in these websites, some which are hosted by the author themselves that are readily compiled. Most of the library in this game does not require network connections to work except, for legitimate reasons such as version checker, downloading required resources, but some requested network connections anyway without reasons. This gives the concern, are the network calls justified for a game that can be played offline? Besides that, Reinier gives good point of why the ability to deny/allow network is important and I would like to give an example when I am developing the library: On 2021-04-16 09:29, Reinier Zwitserloot wrote: > * Any library could have the bright idea to 'phone home' and make a > network call simply to give the library author some idea of how > widespread their library is used. This could have an entirely innocuous > purpose: The library author thought it'd be a cool idea to have a live > map of the planet on their website, with a little animated blip every > time their library is used to, say, parse some JSON. SecurityManager is > the simplest way to spot this and stop it. Although most of the recent libraries do not have analytics that I've seen, I have seen one older version of the library that has analytics enabled without any way to disable except performing bytecode modifications. This has implications to the users' privacy since they do not anticipate it has analytics within them and libraries that have analytics are frowned upon in the mod community. This also violates some of the privacy laws in some countries. The security manager is the only viable way to control these libraries from "phone home" in my opinion. Since the end user "install" these libraries by putting into a specific folder for the loader to launch the game with these modifications. They are not expected to change their system just to know if a particular library has these "features". For example, using firewall/hosts file/DNS/other monitoring tools. It might help but it does not provide insight into which class/package which Reinier has said and that's where the SecurityManager can help. By using the "checkConnect" methods in SecurityManager, I can allow/deny and notify appropriate messages in the log for the end user to check. In addition, there is a configuration that allows the end user to configure which hosts are allowed for the network connections. I hope that the core SecurityManager functionality will be preserved. Will there be an alternative that is able to provide similar functionality through programmatic means for my use case? I have read the comments about using JFR stream/bytecode instrumentation but it required the usage of Java Agent and command line flags which is not acceptable in this use case. Thanks
