8268349: Provide clear run-time warnings about Security Manager deprecation

Reviewed-by: lancea, mullan, alanb
2025-08-28 07:14:30 +02:00 · 2021-06-22 02:06:59 +00:00 · 2021-06-22 02:06:59 +00:00 · ef4ba224c4
commit ef4ba224c4
parent 4099810b29
6 changed files with 144 additions and 75 deletions
--- a/src/java.base/share/classes/java/lang/System.java
+++ b/src/java.base/share/classes/java/lang/System.java
@ -44,14 +44,16 @@ import java.lang.reflect.Executable;
 import java.lang.reflect.Method;
 import java.lang.reflect.Modifier;
 import java.net.URI;
+import java.net.URL;
 import java.nio.charset.CharacterCodingException;
-import java.security.AccessControlContext;
-import java.security.ProtectionDomain;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.nio.channels.Channel;
 import java.nio.channels.spi.SelectorProvider;
 import java.nio.charset.Charset;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.CodeSource;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
@ -324,6 +326,16 @@ public final class System {
    private static native void setOut0(PrintStream out);
    private static native void setErr0(PrintStream err);

+    // Remember initial System.err. setSecurityManager() warning goes here
+    private static volatile @Stable PrintStream initialErrStream;
+
+    private static URL codeSource(Class<?> clazz) {
+        PrivilegedAction<ProtectionDomain> pa = clazz::getProtectionDomain;
+        @SuppressWarnings("removal")
+        CodeSource cs = AccessController.doPrivileged(pa).getCodeSource();
+        return (cs != null) ? cs.getLocation() : null;
+    }
+
    /**
     * Sets the system-wide security manager.
     *
@ -362,16 +374,29 @@ public final class System {
     *       method.
     */
    @Deprecated(since="17", forRemoval=true)
+    @CallerSensitive
    public static void setSecurityManager(@SuppressWarnings("removal") SecurityManager sm) {
        if (allowSecurityManager()) {
-            System.err.println("WARNING: java.lang.System::setSecurityManager" +
-                    " is deprecated and will be removed in a future release.");
+            var callerClass = Reflection.getCallerClass();
+            URL url = codeSource(callerClass);
+            final String source;
+            if (url == null) {
+                source = callerClass.getName();
+            } else {
+                source = callerClass.getName() + " (" + url + ")";
+            }
+            initialErrStream.printf("""
+                    WARNING: A terminally deprecated method in java.lang.System has been called
+                    WARNING: System::setSecurityManager has been called by %s
+                    WARNING: Please consider reporting this to the maintainers of %s
+                    WARNING: System::setSecurityManager will be removed in a future release
+                    """, source, callerClass.getName());
            implSetSecurityManager(sm);
        } else {
            // security manager not allowed
            if (sm != null) {
                throw new UnsupportedOperationException(
-                    "Runtime configured to disallow security manager");
+                    "The Security Manager is deprecated and will be removed in a future release");
            }
        }
    }
@ -2191,10 +2216,13 @@ public final class System {
        }

        if (needWarning) {
-            System.err.println("WARNING: The Security Manager is deprecated" +
-                    " and will be removed in a future release.");
+            System.err.println("""
+                    WARNING: A command line option has enabled the Security Manager
+                    WARNING: The Security Manager is deprecated and will be removed in a future release""");
        }

+        initialErrStream = System.err;
+
        // initializing the system class loader
        VM.initLevel(3);