Jetty defaults to ignoring SecurityManager on Java 21+.
If the securityManager is enabled, then a Jetty-specific system property also needs to be set to use it.
Ideally, Jetty would figure out whether SecurityManager is used automatically, and only use its own property as an override.
I'm not sure what's the best way to use this, this could be done by test calling Subject.getSubject() or similar,
or checking the value of the "java.security.manager" system property directly.
It is also not immediately obvious to me why Java 21 is used as the cutover version, AFAICT related changes were made in Java 18 and 23.
How to reproduce?
Enable securityManager using the "java.security.manager" property.
Jetty version(s) 12.1.x
Jetty Environment any
Java version/vendor
(use: java -version)
18+OS type/version any Description
Jetty defaults to ignoring SecurityManager on Java 21+. If the securityManager is enabled, then a Jetty-specific system property also needs to be set to use it.
Ideally, Jetty would figure out whether SecurityManager is used automatically, and only use its own property as an override.
I'm not sure what's the best way to use this, this could be done by test calling Subject.getSubject() or similar, or checking the value of the "java.security.manager" system property directly.
It is also not immediately obvious to me why Java 21 is used as the cutover version, AFAICT related changes were made in Java 18 and 23.
How to reproduce?