The Open JDK team has deprecated the Java Security Manager and indicated that it will be removed in a future release of Java. See https://openjdk.java.net/jeps/411. In an email thread titled "protecting security-sensitive operations on multi-tenant servers" on the firstname.lastname@example.org mailing list, Alan Bateman indicated that developers should containerize their applications instead.
This issue tracks work needed to remove Derby's references to the Java Security Manager.
At a minimum, the following work needs to be done:
o The tests should be adjusted so that they don't install a SecurityManager.
o References to the SecurityManager should be removed from product code.
o We should remove the SecurityManager section of the Derby Security Guide. In its place, we should recommend that developers containerize their Derby applications.