Oh, never mind then. I thought that's what you were discussing a few
weeks ago. I think others thought the same, which is why I brought it up.

On 4/18/2014 6:50 PM, Stuart Douglas wrote:

Who is talking about enabling this by default?

What we have done is add a security manager subsystem that makes it very
easy to enable, and also implement the Java EE 7 standard permission.xml
descriptor to allow for a standard method of configuring permissions.

I have not heard anyone suggest this should be enabled by default, and I
don't think it ever will be for two main reasons:

- Performance: Enabling the security manager has a very noticeable
impact on performance. The checks are expensive and there are a lot of
them.
- Compatibility: Unless you have actually written your application
expecting it to be run under a security manager, it almost certainly
won't work out of the box.

Enabling the security manager by default is a terrible idea.

Stuart

Bill Burke wrote:
> Late to the discussion, but this came up in conversations at DevNation.
>
> Are you sure you guys want to fully enable the Java security manager
> going forward? JBoss has been around for, what, 14 years now? How many
> users/customers actually desire the Java Security Manager to be on by
> default? Could it be a possibility that the majority of our
> customers/users might freak out if they found that all of a sudden the
> Java Security Manager is on when it has been off the last 14 years?
>
> I don't know. Just seems to me that there are a lot of other cool ideas
> that you guys have been discussing that might be more interesting to
> WildFly's user base.
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com