jetty / jetty.project

Eclipse Jetty® - Web Container & Clients - supports HTTP/2, HTTP/1.1, HTTP/1.0, websocket, servlets, and more
https://eclipse.dev/jetty

SecurityUtils should pick up SecurityManager settings from the JVM #12317

Closed stoty closed 1 day ago

stoty commented 1 day ago

Jetty version(s) 12.1.x

Jetty Environment any

Java version/vendor (use: java -version) 18+

OS type/version any

Description

Jetty defaults to ignoring SecurityManager on Java 21+. If the securityManager is enabled, then a Jetty-specific system property also needs to be set to use it.

Ideally, Jetty would figure out whether SecurityManager is used automatically, and only use its own property as an override.

I'm not sure what the best way to use this is; it could be done by test-calling Subject.getSubject() or similar, or by checking the value of the "java.security.manager" system property directly.

It is also not immediately obvious to me why Java 21 is used as the cutover version; AFAICT related changes were made in Java 18 and 23.

How to reproduce?

  1. Enable securityManager using the "java.security.manager" property.
  2. Call the methods in SecurityUtils.
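The detection heuristic sketched in the report, written out as an added example (this is not Jetty's SecurityUtils and not code posted by the reporter). An explicit override property wins; otherwise the probe asks the JVM whether a SecurityManager is installed and, if not, reads "java.security.manager" to distinguish "allowed but not installed" from "disallowed". The class name and the override property name `example.security.manager.enabled` are assumptions for this example. The distinct results also show why guessing is ambiguous: "allow" means a manager may still be installed later, and on JDK 24+ `getSecurityManager()` always returns null regardless of the property.

```java
import java.util.Locale;

/**
 * Constructed example, not Jetty code: decide whether SecurityManager-aware
 * code paths should be taken, from an override property plus JVM state.
 */
public final class SecurityManagerProbe {

    /** Hypothetical override property (assumption for this example). */
    static final String OVERRIDE_PROPERTY = "example.security.manager.enabled";

    enum Mode {
        FORCED_ON,              // override property explicitly true
        FORCED_OFF,             // override property explicitly false
        INSTALLED,              // a SecurityManager is active right now
        ALLOWED_NOT_INSTALLED,  // "allow": may be installed later via setSecurityManager
        DISALLOWED              // "disallow" (JDK 18+ default when the property is unset)
    }

    @SuppressWarnings("removal") // System.getSecurityManager() is deprecated for removal
    static Mode detect() {
        String override = System.getProperty(OVERRIDE_PROPERTY);
        if (override != null) {
            // The explicit override is honoured before any guessing.
            return Boolean.parseBoolean(override) ? Mode.FORCED_ON : Mode.FORCED_OFF;
        }
        // On JDK 24+ this always returns null: no manager can ever be installed.
        if (System.getSecurityManager() != null) {
            return Mode.INSTALLED;
        }
        String prop = System.getProperty("java.security.manager");
        if (prop == null) {
            // JDK 18+ treats an unset property as "disallow"; older JDKs allowed
            // a dynamic install here, so this answer is JDK-version dependent.
            return Mode.DISALLOWED;
        }
        switch (prop.toLowerCase(Locale.ROOT)) {
            case "allow":
                return Mode.ALLOWED_NOT_INSTALLED;
            case "disallow":
                return Mode.DISALLOWED;
            default:
                // "", "default" or a class name means the launcher installs a manager
                // at startup; if we still see none, treat it as not installed.
                return Mode.DISALLOWED;
        }
    }

    public static void main(String[] args) {
        // Run with e.g. -Djava.security.manager=allow or -Dexample.security.manager.enabled=true
        // to see the different outcomes on the same JDK.
        System.out.println("SecurityManager mode: " + detect());
    }
}
```

Only `INSTALLED` and the two forced modes give an unambiguous answer; `ALLOWED_NOT_INSTALLED` can change at any time after startup, which is the practical reason a library may prefer an explicit configuration property over inferring the state from the JVM.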

stoty commented 1 day ago

On second thought, Jetty shouldn't try to guess the SecurityManager settings at all.