Remove SecurityManager support

Closes spring-projectsgh-28213

Author: wilkinsona

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/condition/OnClassCondition.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2020 the original author or authors.
+ * Copyright 2012-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,7 +16,6 @@
 
 package org.springframework.boot.autoconfigure.condition;
 
-import java.security.AccessControlException;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
@@ -78,12 +77,7 @@ private OutcomesResolver createOutcomesResolver(String[] autoConfigurationClasse
 			AutoConfigurationMetadata autoConfigurationMetadata) {
 		OutcomesResolver outcomesResolver = new StandardOutcomesResolver(autoConfigurationClasses, start, end,
 				autoConfigurationMetadata, getBeanClassLoader());
-		try {
-			return new ThreadedOutcomesResolver(outcomesResolver);
-		}
-		catch (AccessControlException ex) {
-			return outcomesResolver;
-		}
+		return new ThreadedOutcomesResolver(outcomesResolver);
 	}
 
 	@Override

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/servlet/JspTemplateAvailabilityProvider.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2019 the original author or authors.
+ * Copyright 2012-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,7 +17,6 @@
 package org.springframework.boot.autoconfigure.web.servlet;
 
 import java.io.File;
-import java.security.AccessControlException;
 
 import org.springframework.boot.autoconfigure.template.TemplateAvailabilityProvider;
 import org.springframework.core.env.Environment;
@@ -43,11 +42,7 @@ public boolean isTemplateAvailable(String view, Environment environment, ClassLo
 			if (resourceLoader.getResource(resourceName).exists()) {
 				return true;
 			}
-			try {
-				return new File("src/main/webapp", resourceName).exists();
-			}
-			catch (AccessControlException ex) {
-			}
+			return new File("src/main/webapp", resourceName).exists();
 		}
 		return false;
 	}

spring-boot-project/spring-boot-cli/src/main/java/org/springframework/boot/cli/compiler/ExtendedGroovyClassLoader.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2020 the original author or authors.
+ * Copyright 2012-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,8 +23,6 @@
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLClassLoader;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.HashMap;
@@ -124,12 +122,11 @@ public InputStream getResourceAsStream(String name) {
 
 	@Override
 	public ClassCollector createCollector(CompilationUnit unit, SourceUnit su) {
-		InnerLoader loader = AccessController.doPrivileged(getInnerLoader());
-		return new ExtendedClassCollector(loader, unit, su);
+		return new ExtendedClassCollector(getInnerLoader(), unit, su);
 	}
 
-	private PrivilegedAction<InnerLoader> getInnerLoader() {
-		return () -> new InnerLoader(ExtendedGroovyClassLoader.this) {
+	private InnerLoader getInnerLoader() {
+		return new InnerLoader(ExtendedGroovyClassLoader.this) {
 
 			// Don't return URLs from the inner loader so that Tomcat only
 			// searches the parent. Fixes 'TLD skipped' issues

spring-boot-project/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/restart/classloader/RestartClassLoader.java

@@ -20,8 +20,6 @@
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLClassLoader;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.security.ProtectionDomain;
 import java.util.Enumeration;
 
@@ -125,7 +123,7 @@ public URL findResource(String name) {
 		if (file.getKind() == Kind.DELETED) {
 			return null;
 		}
-		return AccessController.doPrivileged((PrivilegedAction<URL>) () -> createFileUrl(name, file));
+		return createFileUrl(name, file);
 	}
 
 	@Override
@@ -162,10 +160,8 @@ protected Class<?> findClass(String name) throws ClassNotFoundException {
 		if (file.getKind() == Kind.DELETED) {
 			throw new ClassNotFoundException(name);
 		}
-		return AccessController.doPrivileged((PrivilegedAction<Class<?>>) () -> {
-			byte[] bytes = file.getContents();
-			return defineClass(name, bytes, 0, bytes.length);
-		});
+		byte[] bytes = file.getContents();
+		return defineClass(name, bytes, 0, bytes.length);
 	}
 
 	@Override

spring-boot-project/spring-boot-docs/src/docs/asciidoc/features/spring-application.adoc

@@ -20,16 +20,16 @@ When your application starts, you should see something similar to the following
  =========|_|==============|___/=/_/_/_/
  :: Spring Boot ::   v{spring-boot-version}
 
-2021-02-03 10:33:25.224  INFO 17321 --- [           main] o.s.b.d.s.s.SpringApplicationExample    : Starting SpringApplicationExample using Java 1.8.0_232 on mycomputer with PID 17321 (/apps/myjar.jar started by pwebb)
-2021-02-03 10:33:25.226  INFO 17900 --- [           main] o.s.b.d.s.s.SpringApplicationExample    : No active profile set, falling back to default profiles: default
-2021-02-03 10:33:26.046  INFO 17321 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port(s): 8080 (http)
+2021-02-03 10:33:25.224  INFO 17900 --- [           main] o.s.b.d.s.s.SpringApplicationExample     : Starting SpringAppplicationExample using Java 17 on mycomputer with PID 17321 (/apps/myjar.jar started by pwebb)
+2021-02-03 10:33:25.226  INFO 17900 --- [           main] o.s.b.d.s.s.SpringApplicationExample     : No active profile set, falling back to default profiles: default
+2021-02-03 10:33:26.046  INFO 17900 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port(s): 8080 (http)
 2021-02-03 10:33:26.054  INFO 17900 --- [           main] o.apache.catalina.core.StandardService   : Starting service [Tomcat]
 2021-02-03 10:33:26.055  INFO 17900 --- [           main] org.apache.catalina.core.StandardEngine  : Starting Servlet engine: [Apache Tomcat/9.0.41]
 2021-02-03 10:33:26.097  INFO 17900 --- [           main] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring embedded WebApplicationContext
 2021-02-03 10:33:26.097  INFO 17900 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 821 ms
 2021-02-03 10:33:26.144  INFO 17900 --- [           main] s.tomcat.SampleTomcatApplication         : ServletContext initialized
 2021-02-03 10:33:26.376  INFO 17900 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port(s): 8080 (http) with context path ''
-2021-02-03 10:33:26.384  INFO 17900 --- [           main] o.s.b.d.s.s.SpringApplicationExample    : Started SampleTomcatApplication in 1.514 seconds (JVM running for 1.823)
+2021-02-03 10:33:26.384  INFO 17900 --- [           main] o.s.b.d.s.s.SpringApplicationExample     : Started SampleTomcatApplication in 1.514 seconds (JVM running for 1.823)
 ----
 
 

spring-boot-project/spring-boot-docs/src/docs/asciidoc/getting-started/system-requirements.adoc

@@ -1,6 +1,6 @@
 [[getting-started.system-requirements]]
 == System Requirements
-Spring Boot {spring-boot-version} requires https://www.java.com[Java 8] and is compatible up to and including Java 17.
+Spring Boot {spring-boot-version} requires https://www.java.com[Java 17].
 {spring-framework-docs}/[Spring Framework {spring-framework-version}] or above is also required.
 
 Explicit build support is provided for the following build tools:

spring-boot-project/spring-boot-tools/spring-boot-loader/src/main/java/org/springframework/boot/loader/LaunchedURLClassLoader.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2020 the original author or authors.
+ * Copyright 2012-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,8 +23,6 @@
 import java.net.URL;
 import java.net.URLClassLoader;
 import java.net.URLConnection;
-import java.security.AccessController;
-import java.security.PrivilegedExceptionAction;
 import java.util.Enumeration;
 import java.util.function.Supplier;
 import java.util.jar.JarFile;
@@ -213,31 +211,23 @@ private void definePackageIfNecessary(String className) {
 	}
 
 	private void definePackage(String className, String packageName) {
-		try {
-			AccessController.doPrivileged((PrivilegedExceptionAction<Object>) () -> {
-				String packageEntryName = packageName.replace('.', '/') + "/";
-				String classEntryName = className.replace('.', '/') + ".class";
-				for (URL url : getURLs()) {
-					try {
-						URLConnection connection = url.openConnection();
-						if (connection instanceof JarURLConnection) {
-							JarFile jarFile = ((JarURLConnection) connection).getJarFile();
-							if (jarFile.getEntry(classEntryName) != null && jarFile.getEntry(packageEntryName) != null
-									&& jarFile.getManifest() != null) {
-								definePackage(packageName, jarFile.getManifest(), url);
-								return null;
-							}
-						}
-					}
-					catch (IOException ex) {
-						// Ignore
+		String packageEntryName = packageName.replace('.', '/') + "/";
+		String classEntryName = className.replace('.', '/') + ".class";
+		for (URL url : getURLs()) {
+			try {
+				URLConnection connection = url.openConnection();
+				if (connection instanceof JarURLConnection) {
+					JarFile jarFile = ((JarURLConnection) connection).getJarFile();
+					if (jarFile.getEntry(classEntryName) != null && jarFile.getEntry(packageEntryName) != null
+							&& jarFile.getManifest() != null) {
+						definePackage(packageName, jarFile.getManifest(), url);
+						return;
 					}
 				}
-				return null;
-			}, AccessController.getContext());
-		}
-		catch (java.security.PrivilegedActionException ex) {
-			// Ignore
+			}
+			catch (IOException ex) {
+				// Ignore
+			}
 		}
 	}
 

spring-boot-project/spring-boot-tools/spring-boot-loader/src/main/java/org/springframework/boot/loader/jar/JarFile.java

@@ -128,9 +128,7 @@ private JarFile(RandomAccessDataFile rootFile, String pathFromRoot, RandomAccess
 	private JarFile(RandomAccessDataFile rootFile, String pathFromRoot, RandomAccessData data, JarEntryFilter filter,
 			JarFileType type, Supplier<Manifest> manifestSupplier) throws IOException {
 		super(rootFile.getFile());
-		if (System.getSecurityManager() == null) {
-			super.close();
-		}
+		super.close();
 		this.rootFile = rootFile;
 		this.pathFromRoot = pathFromRoot;
 		CentralDirectoryParser parser = new CentralDirectoryParser();

spring-boot-project/spring-boot-tools/spring-boot-loader/src/main/java/org/springframework/boot/loader/jar/JarFileWrapper.java

@@ -40,9 +40,7 @@ class JarFileWrapper extends AbstractJarFile {
 	JarFileWrapper(JarFile parent) throws IOException {
 		super(parent.getRootJarFile().getFile());
 		this.parent = parent;
-		if (System.getSecurityManager() == null) {
-			super.close();
-		}
+		super.close();
 	}
 
 	@Override

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/SpringApplicationShutdownHook.java

@@ -16,7 +16,6 @@
 
 package org.springframework.boot;
 
-import java.security.AccessControlException;
 import java.util.Collections;
 import java.util.IdentityHashMap;
 import java.util.LinkedHashSet;
@@ -84,12 +83,7 @@ private void addRuntimeShutdownHookIfNecessary() {
 	}
 
 	void addRuntimeShutdownHook() {
-		try {
-			Runtime.getRuntime().addShutdownHook(new Thread(this, "SpringApplicationShutdownHook"));
-		}
-		catch (AccessControlException ex) {
-			// Not allowed in some environments
-		}
+		Runtime.getRuntime().addShutdownHook(new Thread(this, "SpringApplicationShutdownHook"));
 	}
 
 	@Override

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/TomcatEmbeddedWebappClassLoader.java

@@ -82,7 +82,6 @@ private Class<?> findExistingLoadedClass(String name) {
 	}
 
 	private Class<?> doLoadClass(String name) throws ClassNotFoundException {
-		checkPackageAccess(name);
 		if ((this.delegate || filter(name, true))) {
 			Class<?> result = loadFromParent(name);
 			return (result != null) ? result : findClassIgnoringNotFound(name);
@@ -127,15 +126,4 @@ private Class<?> findClassIgnoringNotFound(String name) {
 		}
 	}
 
-	private void checkPackageAccess(String name) throws ClassNotFoundException {
-		if (this.securityManager != null && name.lastIndexOf('.') >= 0) {
-			try {
-				this.securityManager.checkPackageAccess(name.substring(0, name.lastIndexOf('.')));
-			}
-			catch (SecurityException ex) {
-				throw new ClassNotFoundException("Security Violation, attempt to use Restricted Class: " + name, ex);
-			}
-		}
-	}
-
 }