Hi, On Wed, Feb 16, 2022 at 6:24 PM Bowes, David <d.h.bo...@lancaster.ac.uk> wrote:
> I used the SecurityManger with great success to protect against Log4JShell. > > > > [...] I would suggest that the SecurityManager does protect me from > singinficant threats. > While I don't disagree with you entirely, the problem is that seemingly almost nobody actually uses the security manager to protect against things like Log4JShell. The proof is in the pudding. If the security manager indeed protected against that in practice to a sufficient degree, then Log4JShell wouldn't have been a problem at all, would it? Yet it was, and the security manager is still there at the moment. I understand one could argue that without the security manager the impact of Log4JShell would have been even bigger, but I've not seen any evidence stating that. Given the way Java is now predominantly used, I think a better choice might be to have the Java applications run on virtual servers that restrict at that virtual server level which domains and IPs outgoing traffic may connect to. Finally, I think nobody is saying there is no value at all in the security manager, but just that the amount of work required to maintain it vs the practical benefits are non-optimal, at least with the current way the security manager and its permissions and policies work. Kind regards, Arjan Tijms
