users@glassfish.java.net

Re: Security Manager default

From: Allen Gilliland <Allen.T.Gilliland_at_Sun.COM>
Date: Wed, 15 Feb 2006 10:54:31 -0800

On Wed, 2006-02-15 at 10:04, Jerome Dochez wrote:
> As you may have heard, there has been a fair amount of discussion about
> the security manager role in GF.
>
> We have been considering turning it off by default. This is motivated by
> two factors :
>
> 1. performance : The server startup, deployment, administration is
> affected by the security manager. Worse, we internally ran some numbers
> on the runtime throughput and the security manager has also an impact.
>
> 2. third party libraries, ease of use : As I have documented in my blog
> (http://blogs.sun.com/dochez), running third party libraries like Spring
> is not as obvious as we would like. A significant number of applications
> expect more privilege than the default ones and changing the rights for
> an application is not portable, quite obscure and intimidating.
>
> We have considered several options but it seems that turning off the
> security manager is likely to satisfy most external users on GlassFish
> as well as give a nice performance boost. As it is only the default
> setting, users will have the ability to turn it back on with a per domain
> configuration. I have asked Kedar to look into ways of making the switch
> (on/off) as easy as possible.

I don't have a ton of experience with GF/Appserver, but I have been doing web development for quite a while and I would definitely say that the strict security policy is one of the more annoying issues with the appserver today.

My feeling is that most software these days tends to default to a more feature rich and less secure mode after a fresh install. From there it is up to the user/admin to tune the app for better security if desired. I think looser security is expected by default, so this sounds like a good change to me.

My .02 cents anyways.

-- Allen

>
> Let me know if you see issues with this.
>
> Thanks, Jerome