[wildfly-dev] my 2 cents on Security Manager discussion

Stuart Douglas stuart.w.douglas at gmail.com
Fri Apr 18 18:50:11 EDT 2014


Who is talking about enabling this by default?

What we have done is add a security manager subsystem that makes it very 
easy to enable, and also implement the Java EE 7 standard permission.xml 
descriptor to allow for a standard method of configuring permissions.

I have not heard anyone suggest this should be enabled by default, and I 
don't think it ever will be for two main reasons:

- Performance: Enabling the security manager has a very noticeable 
impact on performance. The checks are expensive and there are a lot of 
them.

- Compatibility: Unless you have actually written your application 
expecting it to be run under a security manager, it almost certainly 
won't work out of the box.

Enabling the security manager by default is a terrible idea.

Stuart


Bill Burke wrote:
> Late to the discussion, but this came up in conversations at DevNation.
>
> Are you sure you guys want to fully enable the Java security manager
> going forward?  JBoss has been around for, what, 14 years now?  How many
> users/customers actually desire the Java Security Manager to be on by
> default?  Could it be a possibility that the majority of our
> customers/users might freak out if they found that all of a sudden the
> Java Security Manager is on when it has been off the last 14 years?
>
> I don't know.  Just seems to me that there are a lot of other cool ideas
> that you guys have been discussing that might be more interesting to
> WildFly's user base.
>

