SOLR-17641: Disable the Security Manager for Java 24+

[HoustonPutman]

https://issues.apache.org/jira/browse/SOLR-17641

[uschindler]

I haven't tested the Windows code, but looks fine in general.

I will update Policeman Jenkins to latest Java 24 tomorrow. We may need changes in Lucene, too.

[epugh]

It's great that you made the disabling conditional on Java 24+. I wonder though if we are better served just removing it completely from Solr 10, regardless of version of Java?

[malliaridis]

I've tested the Windows script schanges, works fine.

Can't build the project though with JDK 24 (ea).

[madrob]

Agree with @epugh - isn't Security Manager all no-ops even with 21 (which IIRC is the minimum Java for Solr 10)

[HoustonPutman]

Agree with @epugh - isn't Security Manager all no-ops even with 21 (which IIRC is the minimum Java for Solr 10)

I've never heard that. Do you have a link for that?

[uschindler]

Agree with @epugh - isn't Security Manager all no-ops even with 21 (which IIRC is the minimum Java for Solr 10)

I've never heard that. Do you have a link for that?

No, it isn't. It's fully working in 21. It gets a noop in 24 (actually Access controller). In addition, you can't configure it anymore.

[dsmiley]

minor: Okay but arguably you didn't have to bother to say this. There's no action for the user to take. I don't think it's up to Solr to tell people what's coming/going/happening in the Java ecosystem.

[janhoy]

Copilot is of another opinion, see comment #3153 (comment)

[HoustonPutman]

#3284 already updated the tests, so this will mainly be for the startup scripts

[uschindler]

#3284 already updated the tests, so this will mainly be for the startup scripts

Sorry, I thought this PR was solved since long time... If you would like to remove the conflict, go ahead!

This PR still contains some additional code and should be removed. The 2line fix by Chris is much easier than the complex logic added here.

[HoustonPutman]

No worries at all. This had stalled because of concerns around security without the security manager. But since it's gone in newer JDK versions, that really doesn't matter for this ticket. Will update to remove the gradle changes.

[reneleonhardt]

No worries at all. This had stalled because of concerns around security without the security manager. But since it's gone in newer JDK versions, that really doesn't matter for this ticket. Will update to remove the gradle changes.

When will gradle 8.10.2 be updated (2024-09-23)? JDK 24 requires gradle 8.14:
https://github.com/apache/solr/blob/main/gradle/wrapper/gradle-wrapper.jar.version

[janhoy]

This just needs to be done.

Only comment I have is whether the start script or solr itself should log a WARN log about security mgr being disabled, and hint that Java21 may be an option for better security, until we put in place more protection in other ways?

[epugh]

I wonder if we really need to put in warnings? If I am on Java 24, then I'll never go back to 21. And 21 won't be an option in a period of time.

And if I care about security and have the ability to make a decision like use Java 21, then I already know that there is no security manager post 21.. I think putting in an open ended warning means that we'll be warning about something that there is not fix for. Java21 isn't a fix. And just makes us look weak/bad. Yeah, Solr on modern Java doesn't have a security manager. So does "Tika on modern Java". So does "Name your other big tool on monder Java".

[epugh]

I opened up #3406 as an alternative approach for main....

[janhoy]

Fixed merge conflict in this. I'm ok with merging this as is.

I tested running solr in Java 24, and without this fix (or explicitly disableing JSM) the start script will just spin and timeout, while the log prints

OpenJDK 64-Bit Server VM warning: -XX:+UseLargePages not supported in this VM
WARNING: Using incubator modules: jdk.incubator.vector
Error occurred during initialization of VM
java.lang.Error: A command line option has attempted to allow or enable the Security Manager. Enabling a Security Manager is not supported.
	at java.lang.System.initPhase3([email protected]/System.java:1947)

So this simple PR is a great Java24 compat fix, giving users a choice betwen JRE21 with JSM or JRE24 without.

[epugh]

Thanks for getting this to done!!

[github-actions]

This PR has had no activity for 60 days and is now labeled as stale. Any new activity will remove the stale label. To attract more reviewers, please tag people who might be familiar with the code area and/or notify the [email protected] mailing list. To exempt this PR from being marked as stale, make it a draft PR or add the label "exempt-stale". If left unattended, this PR will be closed after another 60 days of inactivity. Thank you for your contribution!

[reneleonhardt]

Despite encouraging comments discussions haven't been resolved, Gradle is still far too old to even build with JDK 24, and JDK 25 LTS will be released in 2 weeks... I have no hopes that this 7 months old contribution will be merged by then 😞

But probably no wonder with 272 open contributions and no free AI review helper like CodeRabbit enabled to shorten the feedback loop.

[janhoy]

I moved the change note to 9.10 section. @HoustonPutman do you want to land and backport this to 9x?

[reneleonhardt]

https://github.com/apache/solr/actions/runs/17370856332/job/49306132986?pr=3153

job: Run Solr Tests using Crave.io resources

Pulling container image accupara/openjdk:21...

WARNING: A command line option has enabled the Security Manager
WARNING: The Security Manager is deprecated and will be removed in a future release
java.security.policy: error adding Permission, java.net.URLPermission:
	java.util.ServiceConfigurationError: Locale provider adapter "CLDR"cannot be instantiated.

> Task :solr:solrj:wipeTaskTemp
ERROR: The following test(s) have failed:
  - org.apache.solr.bench.MiniClusterBenchStateTest.testMiniClusterState (:solr:benchmark)
    Test history: https://develocity.apache.org/scans/tests?search.rootProjectNames=solr-root&tests.container=org.apache.solr.bench.MiniClusterBenchStateTest&tests.test=testMiniClusterState http://fucit.org/solr-jenkins-reports/history-trend-of-recent-failures.html#series/org.apache.solr.bench.MiniClusterBenchStateTest.testMiniClusterState
    Test output: /tmp/src/solr/solr/benchmark/build/test-results/test/outputs/OUTPUT-org.apache.solr.bench.MiniClusterBenchStateTest.txt
    Reproduce with: ./gradlew :solr:benchmark:test --tests "org.apache.solr.bench.MiniClusterBenchStateTest.testMiniClusterState" "-Ptests.jvmargs=-XX:TieredStopAtLevel=1 -XX:+UseParallelGC -XX:ActiveProcessorCount=1 -XX:ReservedCodeCacheSize=120m" -Ptests.seed=7756808488807188 -Ptests.timeoutSuite=600000! -Ptests.useSecurityManager=true -Ptests.file.encoding=ISO-8859-1

  - org.apache.solr.bench.MiniClusterBenchStateTest (:solr:benchmark)
    Test history: https://develocity.apache.org/scans/tests?search.rootProjectNames=solr-root&tests.container=org.apache.solr.bench.MiniClusterBenchStateTest
    Test output: /tmp/src/solr/solr/benchmark/build/test-results/test/outputs/OUTPUT-org.apache.solr.bench.MiniClusterBenchStateTest.txt
    Reproduce with: ./gradlew :solr:benchmark:test --tests "org.apache.solr.bench.MiniClusterBenchStateTest" "-Ptests.jvmargs=-XX:TieredStopAtLevel=1 -XX:+UseParallelGC -XX:ActiveProcessorCount=1 -XX:ReservedCodeCacheSize=120m" -Ptests.seed=7756808488807188 -Ptests.timeoutSuite=600000! -Ptests.useSecurityManager=true -Ptests.file.encoding=ISO-8859-1


FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':solr:benchmark:test'.
> There were failing tests. See the results at: file:///tmp/src/solr/solr/benchmark/build/test-results/test/

BUILD FAILED in 3m 23s
144 actionable tasks: 140 executed, 4 up-to-date

[janhoy]

@reneleonhardt The org.apache.solr.bench.MiniClusterBenchStateTest.testMiniClusterState test failure is unrelated and being fixed elsewhere. It does not block this PR from being merged.

[janhoy]

I volunteer to merge this once tests passes.

[Copilot]

Pull Request Overview

This PR addresses Java 24+ compatibility by disabling the Security Manager feature, which was removed from Java 24. The change updates the Solr 9 upgrade documentation to inform users about this behavior change.

• Updates documentation to explain Security Manager handling for Java 24+

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[dsmiley]

Despite encouraging comments discussions haven't been resolved, Gradle is still far too old to even build with JDK 24,

Yes it is too old for JDK 24 but nonetheless it is only one year old, which isn't bad IMO. Someone will surely update it again before long.

But probably no wonder with 272 open contributions and no free AI review helper like CodeRabbit enabled to shorten the feedback loop.

There's GitHub CoPilot, and I intentionally activated its review in response to your remark. I'm not certain if contributors can self activate the review.

BTW that 272 number is large but it probably filled with automated dependency upgrades that we're working through.

[reneleonhardt]

Thank you for replying, contributors can't request CoPilot reviews if not enabled, for example the official documentation doesn't work here, you would have to check your personal, organization and repository settings.

https://docs.github.com/en/copilot/how-tos/use-copilot-agents/request-a-code-review/use-code-review
https://docs.github.com/en/copilot/how-tos/configure-custom-instructions/add-repository-instructions
https://github.blog/ai-and-ml/github-copilot/how-to-use-github-copilot-to-level-up-your-code-reviews-and-pull-requests/
https://docs.github.com/en/copilot/concepts/code-review
https://github.com/features/copilot

Asking the documentation:
"How to enable copilot reviews in open-source repositories?"

To enable GitHub Copilot reviews in open-source repositories, follow these steps:

1. Navigate to the main page of the repository on GitHub.
2. Under the repository name, click Settings. If you don't see the "Settings" tab, select the More dropdown menu, then click Settings.
3. In the left sidebar, under "Code and automation," click Rules, then click Rulesets.
4. Click New ruleset.
5. Click New branch ruleset.
6. Under "Ruleset name," type a name for the ruleset.
7. To activate the ruleset, under "Enforcement Status," select Active.
8. Under "Target branches," click Add target and choose an option like Include default branch or Include all branches.
9. Under "Branch rules," select the Require a pull request before merging checkbox. This expands additional options.
10. Select the Request pull request review from Copilot checkbox.
11. At the bottom of the page, click Create.

CodeRabbit is so much better:
https://docs.coderabbit.ai/guides/commands#manually-request-code-reviews%E2%80%8B

[uschindler]

P.S.: You don't need a new Gradle for testing/building with Java 24. Gradle should always run on the "base version" (ideally 21). To run tests with Java 24 or Java 25, just use RUNTIME_JAVA_HOME=.... environment variable. This is what Jenkins is doing.