Skip to content

Remove SecurityManager support#456

Merged
lukaszlenart merged 1 commit intomainfrom
claude/issue-355-20251026-0532
Nov 7, 2025
Merged

Remove SecurityManager support#456
lukaszlenart merged 1 commit intomainfrom
claude/issue-355-20251026-0532

Conversation

@lukaszlenart
Copy link
Copy Markdown
Collaborator

@lukaszlenart lukaszlenart commented Oct 26, 2025

Removes SecurityManager references from the OGNL codebase.

Changes

  • Remove SecurityManager references from code comments in OgnlRuntime.java
  • Remove Google AppEngine SecurityManager documentation from README.md
  • Keep historical references in VersionNotes.md as part of release history

SecurityManager was deprecated in Java 17 and removed in Java 21. This change prepares the codebase for future Java versions.

Fixes #355

Generated with Claude Code

@claude
Copy link
Copy Markdown

claude bot commented Oct 26, 2025

Pull Request Review: Remove SecurityManager support

Summary

This PR removes deprecated SecurityManager references from the OGNL codebase in preparation for Java 21+ compatibility. The changes are minimal, focused, and appropriate for the stated goal.

Code Quality ✅

Strengths:

  • Minimal scope: Changes are conservative and targeted only at what's necessary
  • Backward compatibility preserved: No functional code changes, only documentation/comments updated
  • Clear intent: PR description clearly explains the motivation (Java 17 deprecation, Java 21 removal)
  • Proper historical preservation: Version notes are correctly left untouched to maintain release history

Code changes reviewed:

  1. README.md: Removed Google AppEngine SecurityManager workaround documentation (4 lines)
  2. OgnlRuntime.java: Updated 4 SecurityException catch block comments to remove SecurityManager references

Potential Issues ✅ None Found

Verified:

  • ✅ No actual SecurityManager API calls remain in codebase (System.getSecurityManager(), System.setSecurityManager())
  • ✅ Only comment updates in OgnlRuntime.java - no logic changes
  • ✅ Tests pass successfully (verified with mvn test)
  • ✅ Historical references appropriately preserved in docs/VersionNotes.md

Performance Considerations ✅ N/A

No performance impact - this PR only updates documentation and comments.

Security Concerns ✅ Positive Impact

This change improves the security posture by:

  • Removing references to a deprecated security mechanism that developers should not rely on
  • Preventing confusion about security features that won't exist in Java 21+
  • Aligning with modern Java security best practices

The removal of the AppEngine workaround documentation is appropriate since:

  1. SecurityManager is deprecated and will be removed
  2. Modern AppEngine environments don't require this workaround
  3. Keeping obsolete workarounds can lead to technical debt

Test Coverage ✅ Adequate

  • No new functionality added, so no new tests required
  • Existing test suite (607 tests) passes successfully
  • Changes are documentation-only, making test impact minimal

Alignment with CLAUDE.md Guidelines ✅

Per the project's development rules:

  • Backward Compatibility: Maintained - no API changes
  • Code Quality Standards: Follows existing patterns
  • Minimal Scope: Changes limited to what's necessary

Recommendations

Minor Suggestion

Consider adding a note in the PR description or migration guide about:

  • What users should do if they were relying on OgnlRuntime.setSecurityManager(null)
  • Modern alternatives for restricting OGNL execution (e.g., using MemberAccess restrictions)

However, this is optional since the SecurityManager approach was never the recommended security mechanism.

Verdict: APPROVED

This is a clean, well-scoped PR that appropriately removes deprecated SecurityManager references while preserving backward compatibility. The changes prepare the codebase for future Java versions without introducing any risks.

Fixes #355 as stated.

Review generated with assistance from Claude Code

@github-actions @lukaszlenart
Remove SecurityManager support
3544b99 
- Remove SecurityManager references from code comments in OgnlRuntime.java
- Remove Google AppEngine SecurityManager documentation from README.md
- Keep historical references in VersionNotes.md as part of release history

SecurityManager was deprecated in Java 17 and removed in Java 21.
This change prepares the codebase for future Java versions.

Fixes #355

Co-authored-by: Lukasz Lenart <[email protected]>
@lukaszlenart lukaszlenart force-pushed the claude/issue-355-20251026-0532 branch from c74f3c4 to 3544b99 Compare November 7, 2025 14:29
@lukaszlenart lukaszlenart marked this pull request as ready for review November 7, 2025 14:29
@lukaszlenart lukaszlenart enabled auto-merge (squash) November 7, 2025 14:29
@lukaszlenart lukaszlenart merged commit 67cfd4b into main Nov 7, 2025
3 checks passed
@lukaszlenart lukaszlenart deleted the claude/issue-355-20251026-0532 branch November 7, 2025 14:30
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Nov 7, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Remove support for SecurityManager

1 participant

@lukaszlenart