[wildfly-dev] my 2 cents on Security Manager discussion
Bill Burke
bburke at redhat.com
Sat Apr 19 16:46:03 EDT 2014
Oh, never mind then. I thought that's what you were discussing a few
weeks ago. I think others thought the same which is why I brought it up.
On 4/18/2014 6:50 PM, Stuart Douglas wrote:
> Who is talking about enabling this by default?
>
> What we have done is add a security manager subsystem that makes it very
> easy to enable, and also implement the Java EE 7 standard permission.xml
> descriptor to allow for a standard method of configuring permissions.
>
> I have not heard anyone suggest this should be enabled by default, and I
> don't think it ever will be for two main reasons:
>
> - Performance: Enabling the security manager has a very noticeable
> impact on performance. The checks are expensive and there are a lot of
> them.
>
> - Compatibility: Unless you have actually written your application
> expecting it to be run under a security manager it almost certainly
> won't work out of the box.
>
> Enabling the security manager by default is a terrible idea.
>
> Stuart
>
>
> Bill Burke wrote:
>> Late to the discussion, but this came up in conversations at DevNation.
>>
>> Are you sure you guys want to fully enable the Java security manager
>> going forward? JBoss has been around for, what, 14 years now? How many
>> users/customers actually desire the Java Security Manager to be on by
>> default? Could it be a possibility that the majority of our
>> customers/users might freak out if they found that all of a sudden the
>> Java Security Manager is on when it has been off the last 14 years?
>>
>> I don't know. Just seems to me that there are a lot of other cool ideas
>> that you guys have been discussing that might be more interesting to
>> WildFly's user base.
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com