Java Security Topics

  • March 21, 2018

SecurityManager Survey Results

On February 5, 2018 we launched a survey to gather data on how applications and libraries use the SecurityManager. The results of the survey can now be seen online at https://www.surveymonkey.com/results/SM-PSJ6ZNMZ8/.

The survey was primarily targeted at developers. We were especially interested in understanding how the SecurityManager is used outside of applets and WebStart applications, which were use cases that were already well understood. We were also interested in the challenges associated with using the SecurityManager and ideas for improvement, and the reasons for implementing a custom SecurityManager.

We received 143 responses with a 63% completion rate.

Overall, the results were very interesting and helpful. Many responses were consistent with what we already thought, for example:

  • It is hard to determine what permissions are required
  • It is hard to configure a policy file
  • Many libraries are not SecurityManager-enabled
  • Some implement a custom SecurityManager for very specific reasons, such as to block System.exit()

However, some responses were surprising, for example:

  • Performance is not a significant concern for most people
  • Most applications enable the SecurityManager with System.setSecurityManager() (and not via the command-line)
  • A good portion (almost half) implement a custom SecurityManager

We will be looking over these results in more detail over the next few months. Keep an eye out for subsequent surveys and SecurityManager related topics as we go forward.


Sean Mullan
OpenJDK Security Group Lead

Join the discussion

Comments ( 1 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.