On 27/03/2022 14:45, Rick Hillegas wrote:
> From the silence, I assume that there isn't any advice I can give
> Derby users. At this time the Security Manager is the only mechanism
> for protecting an application against these threats. Users should
> ignore the deprecation diagnostics and set -Djava.security.manager=allow.

I think it's more that the SM was never the right solution for this type
of isolation. Also some of the "operations" that you list, creating
class loaders, de-registering JDBC drivers, ... suggest there may be
potentially malicious code in these environments too. Do you know if
these are legacy deployments or Derby users that haven't explored OS
containers to isolate applications on the same hardware?
-Alan