Merge pull request #5107 from BenjaminAmos/java-18-disable-securityma…

…nager Java 18 - do not set SecurityManager if unsupported
MovingBlocks · Sep 24, 2023 · 55f30ff · 55f30ff
2 parents 1ce6368 + aa43873
commit 55f30ff
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 17 deletions.
diff --git a/engine/src/main/java/org/terasology/engine/core/module/ModuleManager.java b/engine/src/main/java/org/terasology/engine/core/module/ModuleManager.java
@@ -272,8 +272,13 @@ private void setupSandbox() {
             permissionSet.grantPermission(new PropertyPermission("reactor.schedulers.defaultBoundedElasticQueueSize", "read"));
         }
 
-        Policy.setPolicy(new ModuleSecurityPolicy());
-        System.setSecurityManager(new ModuleSecurityManager());
+        if (Runtime.version().feature() < 18 || "allow".equals(System.getProperty("java.security.manager"))) {
+            Policy.setPolicy(new ModuleSecurityPolicy());
+            System.setSecurityManager(new ModuleSecurityManager());
+        } else {
+            logger.warn("SecurityManager is disabled starting with Java 18 - module sandbox functionality is limited!");
+            logger.warn("To enable SecurityManager, use the \"-Djava.security.manager=allow\" JVM option.");
+        }
     }
 
     /**

diff --git a/facades/PC/src/main/startScripts/unixStartScript.gsp b/facades/PC/src/main/startScripts/unixStartScript.gsp
@@ -169,13 +169,6 @@ save () {
 }
 APP_ARGS=`save "\$@"`
 
-# Terasology-specific changes - Re-enable SecurityManager on Java 18+
-# According to https://openjdk.org/jeps/223, this string is intentionally parsable.
-JAVA_VERSION=`java -fullversion 2>&1 | sed 's/.* //;s/"//;s/\\([0-9]*\\)\\..*/\\1/'`
-if [ \$JAVA_VERSION -gt 17 ]; then
-    DEFAULT_JVM_OPTS="\$DEFAULT_JVM_OPTS -Djava.security.manager=allow"
-fi
-
 # Collect all arguments for the java command, following the shell quoting and substitution rules
 eval set -- \$DEFAULT_JVM_OPTS \$JAVA_OPTS \$${optsEnvironmentVar} <% if ( appNameSystemProperty ) { %>"\"-D${appNameSystemProperty}=\$APP_BASE_NAME\"" <% } %> <% if ( mainClassName.startsWith('--module ') ) { %>--module-path "\"\$MODULE_PATH\"" <% } %>-jar lib/Terasology.jar "\$APP_ARGS"
 

diff --git a/facades/PC/src/main/startScripts/windowsStartScript.bat.gsp b/facades/PC/src/main/startScripts/windowsStartScript.bat.gsp
@@ -62,14 +62,6 @@ goto fail
 
 <% if ( mainClassName.startsWith('--module ') ) { %>set MODULE_PATH=$modulePath<% } %>
 
-@rem Terasology-specific changes - Re-enable SecurityManager on Java 18+
-@rem According to https://openjdk.org/jeps/223, this string is intentionally parsable.
-for /f "tokens=4 delims= " %%a in ('"%JAVA_EXE%" -fullversion 2^>^&1 1^>nul') do ( for /f "delims=." %%b in ('echo %%a') do set JAVA_VERSION="%%b" )
-set JAVA_VERSION=%JAVA_VERSION:"=%
-if %JAVA_VERSION% gtr 17 (
-    set DEFAULT_JVM_OPTS=%DEFAULT_JVM_OPTS% -Djava.security.manager=allow
-)
-
 @rem Execute ${applicationName}
 "%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %${optsEnvironmentVar}% <% if ( appNameSystemProperty ) { %>"-D${appNameSystemProperty}=%APP_BASE_NAME%"<% } %> <% if ( mainClassName.startsWith('--module ') ) { %>--module-path "%MODULE_PATH%" <% } %>-jar lib\\Terasology.jar %*