SOLR-17641: Disable the Security Manager for Java 24+

apache · Jan 31, 2025 · 0b23888 · 0b23888
1 parent dac5fe1
commit 0b23888
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 2 deletions.
diff --git a/build.gradle b/build.gradle
@@ -35,6 +35,8 @@ plugins {
 }
 
 // Declare default Java versions for the entire project and for SolrJ separately
+rootProject.ext.currentJavaVersion = JavaVersion.current()
+rootProject.ext.minJavaVersionSolrJ = JavaVersion.toVersion(libs.versions.java.solrj.get())
 rootProject.ext.minJavaVersionDefault = JavaVersion.toVersion(libs.versions.java.min.get())
 rootProject.ext.minJavaVersionSolrJ = JavaVersion.toVersion(libs.versions.java.solrj.get())
 

diff --git a/gradle/testing/randomization.gradle b/gradle/testing/randomization.gradle
@@ -204,6 +204,10 @@ allprojects {
         if (project.ext.has("useSecurityManager")) {
           useSecurityManager = project.ext.get("useSecurityManager")
         }
+        // Solr does not run with the Security Mangager for Java 24+
+        if (rootProject.currentJavaVersion.compareTo(JavaVersion.VERSION_24) >= 0) {
+          useSecurityManager = false
+        }
         if (useSecurityManager) {
           def commonSolrDir = project(':solr').layout.projectDirectory
           def javaSecurityPolicy = layout.projectDirectory.file("${resources}/policies/solr-tests.policy")

diff --git a/solr/bin/solr b/solr/bin/solr
@@ -176,7 +176,7 @@ if [[ $? -ne 0 ]] ; then
   exit 1
 else
   JAVA_VER_NUM=$(echo "$JAVA_VER" | grep -v '_OPTIONS' | head -1 | awk -F '"' '/version/ {print $2}' | sed -e's/^1\.//' | sed -e's/[._-].*$//')
-  if [[ "$JAVA_VER_NUM" -lt "$JAVA_VER_REQ" ]] ; then
+  if (( JAVA_VER_NUM < JAVA_VER_REQ )) ; then
     echo >&2 "Your current version of Java is too old to run this version of Solr."
     echo >&2 "We found major version $JAVA_VER_NUM, using command '${JAVA} -version', with response:"
     echo >&2 "${JAVA_VER}"
@@ -1155,6 +1155,11 @@ else
   REMOTE_JMX_OPTS=()
 fi
 
+# Do not use the java security manager when running Java 24+
+if (( JAVA_VER_NUM >= 24 )) ; then
+    export SOLR_SECURITY_MANAGER_ENABLED="false"
+fi
+
 # Enable java security manager (allowing filesystem access and other things)
 if [ "${SOLR_SECURITY_MANAGER_ENABLED:-true}" == "true" ]; then
   SECURITY_MANAGER_OPTS=('-Djava.security.manager' \

diff --git a/solr/bin/solr.cmd b/solr/bin/solr.cmd
@@ -94,7 +94,10 @@ IF NOT DEFINED SOLR_SSL_RELOAD_ENABLED (
   set "SOLR_SSL_RELOAD_ENABLED=true"
 )
 
-REM Enable java security manager by default (limiting filesystem access and other things)
+REM Enable java security manager by default for Java 23 and before (limiting filesystem access and other things)
+IF !JAVA_MAJOR_VERSION! GEQ "24" (
+  set SOLR_SECURITY_MANAGER_ENABLED=false
+)
 IF NOT DEFINED SOLR_SECURITY_MANAGER_ENABLED (
   set SOLR_SECURITY_MANAGER_ENABLED=true
 )

diff --git a/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc b/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc
@@ -67,6 +67,10 @@ It is always strongly recommended that you fully reindex your documents after a
 In Solr 8, it was possible to add docValues to a schema without re-indexing via `UninvertDocValuesMergePolicy`, an advanced/expert utility.
 Due to changes in Lucene 9, that isn't possible any more.
 
+== Solr 9.9
+=== Java Security Manager
+Java removed support for the Security Manager starting with Java 24, therefore Solr will disable the feature when run with Java 24 or later.
+
 == Solr 9.8
 === Configuration
 In solrconfig.xml, the `numVersionBuckets` and `versionBucketLockTimeoutMs` settings are now obsolete and ignored; a warning will be logged if specified.