Twitter | Search | |
Sean Mullan
New "disallow" option proposed for the ".manager" system to improve performance for applications that don't use a SecurityManager:
Reply Retweet Like More
Sean Mullan Oct 2
Replying to @seanjmullan
Should say ".manager" system property ...
Reply Retweet Like
Norman Maurer Oct 2
Good one đź‘Ś
Reply Retweet Like
Nicolas Frankel Oct 2
Replying to @seanjmullan @java
But of course, there is no Java app running in production that *doesn’t* use the Security Manager. That would be a real security hole, wouldn’t it?
Reply Retweet Like
Julien Aubin Oct 3
It is probably more secure to use system restrictions like not running the app as root rather than relying on that cumbersome security manager. (Never saw Tomcat running with a security manager enabled). I'm speaking of serverside apps there.
Reply Retweet Like
Nicolas Frankel Oct 3
Never saw either. Doesn't mean it is a good idea... If you have 45 minutes to spare, please watch and let's chat again
Reply Retweet Like
Julien Aubin Oct 3
Such things can however lead to hard-to-debig situations abd this is why I relt more on a proper system setup, which is usually much easier to reproduce in dev environments. Apps on production servers are normally managed and trusted unlike client workstations.
Reply Retweet Like
Nicolas Frankel Oct 3
That's where we disagree. IMHO, you shouldn't trust your apps on production server
Reply Retweet Like
Julien Aubin Oct 3
I completely agree to restrict their permissions with system rights (including apparmor/selinux) and not running them as root, but don't want to create headaches to devs w/ a security manager. That's the point.
Reply Retweet Like
Nicolas Frankel Oct 3
Both are necessary
Reply Retweet Like
schrepfler Oct 3
Replying to @seanjmullan
We want our tail call optimization, the security manager can use some work to help that.
Reply Retweet Like