You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2022/10/02 02:42:50 UTC
Re: Security manager support
Emmanuel,
On 9/28/22 11:05, Emmanuel Bourg wrote:
> The security manager has been deprecated for removal in Java 17 [1], and
> at some point Tomcat will have to stop supporting it.
>
> Do we want to wait until it's no longer available in the JDK to remove
> it from Tomcat, or should we remove it earlier, maybe in Tomcat 10.1 or 11?
>
> I tend to think there are better solutions at the OS level to isolate a
> Tomcat instance nowadays, and I lean toward dropping it before its
> removal from the JDK.
>
> What do you think?
My only concern is that it may cause some headaches for anything we want
to back-port.
Mark has a separate thread about Loom and there will obviously be some
significant changes and incompatibilities introduced by that as well.
Doing them together makes sense to me.
But the SM code permeates all of Tomcat where the Loom stuff is likely
to be much more isolated. I think it will have farther-reaching impacts.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Security manager support
Posted by Romain Manni-Bucau <rm...@gmail.com>.
Hi,
If it helps, commons weaver (
https://commons.apache.org/proper/commons-weaver/commons-weaver-parent/commons-weaver-modules-parent/commons-weaver-privilizer-parent/index.html)
can help for the backport part (enable or not the run in build.xml).
Romain
Le dim. 2 oct. 2022 à 06:42, Christopher Schultz <
chris@christopherschultz.net> a écrit :
> Emmanuel,
>
> On 9/28/22 11:05, Emmanuel Bourg wrote:
> > The security manager has been deprecated for removal in Java 17 [1], and
> > at some point Tomcat will have to stop supporting it.
> >
> > Do we want to wait until it's no longer available in the JDK to remove
> > it from Tomcat, or should we remove it earlier, maybe in Tomcat 10.1 or
> 11?
> >
> > I tend to think there are better solutions at the OS level to isolate a
> > Tomcat instance nowadays, and I lean toward dropping it before its
> > removal from the JDK.
> >
> > What do you think?
>
> My only concern is that it may cause some headaches for anything we want
> to back-port.
>
> Mark has a separate thread about Loom and there will obviously be some
> significant changes and incompatibilities introduced by that as well.
> Doing them together makes sense to me.
>
> But the SM code permeates all of Tomcat where the Loom stuff is likely
> to be much more isolated. I think it will have farther-reaching impacts.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>