Consider VM-configuration when determining if SecurityManager may be set

Since Java-12 users can configure a JVM to disallow the installation of a SecurityManager at runtime. The default value of the configuration has changed over the following versions and since Java-24 it's finally not possible anymore under any circumstances to install a SecurityManager at runtime (see JEP-486[1]). To quote from JEP-411[0]: """ Since Java 12, the end user has been able to prevent [dynamic installations of a Security Manager] by setting the system property java.security.manager to disallow on the command line (java -Djava.security.manager=disallow ...) -- this causes System::setSecurityManager to throw an UnsupportedOperationException. Starting in Java 18, the default value of java.security.manager will be disallow[...]. """ To determine if setting a SecurityManager is allowed, it's therefore not sufficient to just check the version of the running JVM, if it's a VM for Java-12 up to 23 (including). In case of the latter it has to be tested explicitly if setting a SecurityManager is supported. [0] - https://openjdk.org/jeps/411 [1] - https://openjdk.org/jeps/486
apache · Dec 15, 2024 · 550fff7 · 550fff7
1 parent 375b513
commit 550fff7
Showing 1 changed file with 22 additions and 5 deletions.
diff --git a/src/main/org/apache/tools/ant/util/SecurityManagerUtil.java b/src/main/org/apache/tools/ant/util/SecurityManagerUtil.java
@@ -25,7 +25,27 @@
  */
 public final class SecurityManagerUtil {
 
-    private static final boolean isJava18OrHigher = JavaEnvUtils.isAtLeastJavaVersion("18");
+    // Since Java-24 the securtiy-manager is always disabled, since 12 VM-arguments can disable it
+    private static final boolean isSetSecurityManagerAllowed = !JavaEnvUtils.isAtLeastJavaVersion("12")
+            || (!JavaEnvUtils.isAtLeastJavaVersion("24") && isSecurityManagerAllowed());
+
+    @SuppressWarnings({ "removal", "deprecation" })
+    private static boolean isSecurityManagerAllowed() {
+        try { // Try to set a dummy to provoke an UnsupportedOperationException if disallowed
+            SecurityManager original = System.getSecurityManager();
+            System.setSecurityManager(new SecurityManager() {
+                @Override
+                public void checkPermission(java.security.Permission perm) {
+                    // Permit everything, especially reseting the old security-manager
+                }
+            });
+            System.setSecurityManager(original); // restore original
+            return true;
+        } catch (UnsupportedOperationException e) {
+            return false; // security-manager is not allowed
+        }
+    }
+
     private static final boolean sysPropWarnOnSecMgrUsage =
             Boolean.getBoolean(MagicNames.WARN_SECURITY_MANAGER_USAGE);
 
@@ -34,10 +54,7 @@ public final class SecurityManagerUtil {
      * otherwise}
      */
     public static boolean isSetSecurityManagerAllowed() {
-        if (isJava18OrHigher) {
-            return false;
-        }
-        return true;
+        return isSetSecurityManagerAllowed;
     }
 
     /**