[wildfly-dev] my 2 cents on Security Manager discussion

[David M. Lloyd]

On 04/18/2014 05:44 PM, Bill Burke wrote:
> Late to the discussion, but this came up in conversations at DevNation.
>
> Are you sure you guys want to fully enable the Java security manager
> going forward?  Jboss has been around for, what 14 years now?  How many
> users/customers actually desire the Java Security Manager to be on by
> default?  Could it be a possibility that the majority of our
> customers/users might freak out if they found that all of a sudden the
> Java Security Manager is on when it has been off the last 14 years?
>
> I don't know.  Just seems to me that there is a lot of other cool ideas
> that you guys have been discussing that might be more interesting to
> wildfly's user base.

For the record I think Java's security model is pretty terrible.  Years 
of really, really bad CVEs are pretty much all the evidence you need. 
But security manager support is a part of Java EE now, as of 7 - and 
worse yet it is inexorably tied up with several JAAS concepts, making it 
a constant pain for us, as users want to be able to use JAAS even though 
it is terrible and it itself is not formally a part of Java EE (it is, 
after all, the only standard authentication client API).  Given our 
newer security initiatives, problems have arisen that we do have to 
solve, and that means we have to think about how it impacts this stuff too.

So, this is why we've spent time dealing with this.  There are tons of 
other things I for one would rather be doing, believe me. :-)
-- 
- DML