Do you use a SecurityManager?
By martin on Aug 30, 2006
A recent thread at TheServerSide.com discussed the use of a SecurityManager. Most people seem to be running without a SecurityManager, so I'd like to post an open question to the audience: do you use a SecurityManager, and if not, why? We'd like to know what we can do to make it easier/better.
Summing up the thread, some have two main reasons for not using a SecurityManager:
- Configuring permissions is difficult
- Turning on security affects performance
Others do use a SecurityManager, for these reasons:
- SecurityManagers (in EE) are often used just to enforce certain programming paradigms that are not necessarily security-specific (EJBs should not write to the file system, servlets should not spawn threads)
- SecurityManagers are especially needed if you're running untrusted code
- Even if you're only running trusted code, SecurityManagers can still be useful in preventing vulnerabilities caused by buggy software
I'll try to measure the performance impact of enabling a SecurityManager in Glassfish and post the results so we can start to look at improving the performance.