[wildfly-dev] my 2 cents on Security Manager discussion
Stuart Douglas
stuart.w.douglas at gmail.com
Fri Apr 18 18:50:11 EDT 2014
Who is talking about enabling this by default?
What we have done is add a security manager subsystem that makes it very
easy to enable, and also implement the Java EE 7 standard permission.xml
descriptor to allow for a standard method of configuring permissions.
I have not heard anyone suggest this should be enabled by default, and I
don't think it ever will be for two main reasons:
- Performance: Enabling the security manager has a very noticeable
impact on performance. The checks are expensive and there are a lot of
them.
- Compatibility: Unless you have actually written your application
expecting it to be run under a security manager it almost certainly
won't work out of the box.
Enabling the security manager by default is a terrible idea.
Stuart
Bill Burke wrote:
> Late to the discussion, but this came up in conversations at DevNation.
>
> Are you sure you guys want to fully enable the Java security manager
> going forward? Jboss has been around for, what 14 years now? How many
> users/customers actually desire the Java Security Manager to be on by
> default? Could it be a possibility that the majority of our
> customers/users might freak out if they found that all of a sudden the
> Java Security Manager is on when it has been off the last 14 years?
>
> I don't know. Just seems to me that there is a lot of other cool ideas
> that you guys have been discussing that might be more interesting to
> wildfly's user base.
>
More information about the wildfly-dev
mailing list