[groovy#286] disable SecurityManager starting with Java 21

bmarwell · Oct 19, 2023 · 00244a7 · 00244a7
1 parent 53dbd48
commit 00244a7
Show file tree

Hide file tree

Showing 6 changed files with 147 additions and 7 deletions.
diff --git a/pom.xml b/pom.xml
@@ -263,6 +263,22 @@
             <compilerArg>-Xlint:all</compilerArg>
           </compilerArgs>
         </configuration>
+        <executions>
+          <execution>
+            <id>compile-java21</id>
+            <phase>compile</phase>
+            <goals>
+              <goal>compile</goal>
+            </goals>
+            <configuration>
+              <compileSourceRoots>
+                <compileSourceroot>${project.basedir}/src/main/java21</compileSourceroot>
+              </compileSourceRoots>
+              <!-- cannot use multireleaseOutput, because we are creating a Java 8 class file -->
+              <outputDirectory>${project.build.outputDirectory}/META-INF/versions/21</outputDirectory>
+            </configuration>
+          </execution>
+        </executions>
       </plugin>
       <plugin>
         <groupId>org.codehaus.plexus</groupId>
@@ -345,6 +361,13 @@
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-jar-plugin</artifactId>
         <version>3.3.0</version>
+        <configuration>
+          <archive>
+            <manifestEntries>
+              <Multi-Release>true</Multi-Release>
+            </manifestEntries>
+          </archive>
+        </configuration>
       </plugin>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>

diff --git a/src/main/java/org/codehaus/gmavenplus/mojo/ShellMojo.java b/src/main/java/org/codehaus/gmavenplus/mojo/ShellMojo.java
@@ -22,11 +22,13 @@
 import org.apache.maven.plugins.annotations.Parameter;
 import org.apache.maven.plugins.annotations.ResolutionScope;
 import org.codehaus.gmavenplus.model.internal.Version;
+import org.codehaus.gmavenplus.util.DefaultSecurityManagerSetter;
 import org.codehaus.gmavenplus.util.NoExitSecurityManager;
 
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.net.MalformedURLException;
+import org.codehaus.gmavenplus.util.SecurityManagerSetter;
 
 import static org.codehaus.gmavenplus.mojo.ExecuteMojo.GROOVY_4_0_0_RC_1;
 import static org.codehaus.gmavenplus.util.ReflectionUtils.findConstructor;
@@ -91,11 +93,10 @@ public void execute() throws MojoExecutionException {
         }
 
         if (groovyVersionSupportsAction()) {
-            final SecurityManager sm = System.getSecurityManager();
+            final SecurityManagerSetter securityManagerSetter = new DefaultSecurityManagerSetter(getLog(), this.allowSystemExits);
+
             try {
-                if (!allowSystemExits) {
-                    System.setSecurityManager(new NoExitSecurityManager());
-                }
+                securityManagerSetter.setNoExitSecurityManager();
 
                 // get classes we need with reflection
                 Class<?> shellClass = classWrangler.getClass(groovyAtLeast(GROOVY_4_0_0_ALPHA1) ? "org.apache.groovy.groovysh.Groovysh" : "org.codehaus.groovy.tools.shell.Groovysh");
@@ -122,9 +123,7 @@ public void execute() throws MojoExecutionException {
             } catch (InstantiationException e) {
                 throw new MojoExecutionException("Error occurred while instantiating a Groovy class from classpath.", e);
             } finally {
-                if (!allowSystemExits) {
-                    System.setSecurityManager(sm);
-                }
+                securityManagerSetter.revertToPreviousSecurityManager();
             }
         } else {
             getLog().error("Your Groovy version (" + classWrangler.getGroovyVersionString() + ") doesn't support running a shell. The minimum version of Groovy required is " + minGroovyVersion + ". Skipping shell startup.");

diff --git a/src/main/java/org/codehaus/gmavenplus/util/AbstractSecurityManagerSetter.java b/src/main/java/org/codehaus/gmavenplus/util/AbstractSecurityManagerSetter.java
@@ -0,0 +1,23 @@
+package org.codehaus.gmavenplus.util;
+
+import org.apache.maven.plugin.logging.Log;
+
+public abstract class AbstractSecurityManagerSetter implements SecurityManagerSetter{
+
+    private final boolean allowSystemExits;
+
+    private final Log log;
+
+    public AbstractSecurityManagerSetter(final Log log, final boolean allowSystemExits) {
+        this.log = log;
+        this.allowSystemExits = allowSystemExits;
+    }
+
+    protected boolean getAllowSystemExits() {
+        return allowSystemExits;
+    }
+
+    protected Log getLog() {
+        return log;
+    }
+}
diff --git a/src/main/java/org/codehaus/gmavenplus/util/DefaultSecurityManagerSetter.java b/src/main/java/org/codehaus/gmavenplus/util/DefaultSecurityManagerSetter.java
@@ -0,0 +1,46 @@
+package org.codehaus.gmavenplus.util;
+
+import java.util.concurrent.atomic.AtomicReference;
+import org.apache.maven.plugin.logging.Log;
+
+public class DefaultSecurityManagerSetter extends AbstractSecurityManagerSetter {
+
+    private final AtomicReference<SecurityManager> previousSecurityManager = new AtomicReference<>();
+
+    public DefaultSecurityManagerSetter(Log log, final boolean allowSystemExits) {
+        super(log, allowSystemExits);
+    }
+
+    @Override
+    public void setNoExitSecurityManager() {
+        if (this.getAllowSystemExits()) {
+            return;
+        }
+
+        this.previousSecurityManager.set(System.getSecurityManager());
+
+        getLog().warn("Setting a security manager is deprecated. Running this build with Java 21 or newer might result in different behaviour.");
+        System.setSecurityManager(new NoExitSecurityManager());
+    }
+
+    @Override
+    public void revertToPreviousSecurityManager() {
+        if (this.getAllowSystemExits()) {
+            return;
+        }
+
+        this.getPreviousSecurityManager().getAndUpdate((previousSecurityManager -> {
+            if (previousSecurityManager == null) {
+                return null;
+            }
+
+            System.setSecurityManager(previousSecurityManager);
+
+            return null;
+        }));
+    }
+
+    protected AtomicReference<SecurityManager> getPreviousSecurityManager() {
+        return previousSecurityManager;
+    }
+}
diff --git a/src/main/java/org/codehaus/gmavenplus/util/SecurityManagerSetter.java b/src/main/java/org/codehaus/gmavenplus/util/SecurityManagerSetter.java
@@ -0,0 +1,19 @@
+package org.codehaus.gmavenplus.util;
+
+/**
+ * Sets a custom security manager and returns the previous instance.
+ * Can also revert to the previous security Manager.
+ * <p>
+ * Implementation notice: For Java 21 and above,
+ * the implementation must be a no-op and issue a warning.
+ *
+ */
+public interface SecurityManagerSetter {
+
+    /**
+     * For Java until 20, this method should set the given Security manager if property {@code allowSystemExits} is set.
+     */
+    void setNoExitSecurityManager();
+
+    void revertToPreviousSecurityManager();
+}
diff --git a/src/main/java21/org/codehaus/gmavenplus/util/DefaultSecurityManagerSetter.java b/src/main/java21/org/codehaus/gmavenplus/util/DefaultSecurityManagerSetter.java
@@ -0,0 +1,30 @@
+package org.codehaus.gmavenplus.util;
+
+import java.util.concurrent.atomic.AtomicReference;
+import org.apache.maven.plugin.logging.Log;
+
+public class DefaultSecurityManagerSetter extends AbstractSecurityManagerSetter {
+
+    public DefaultSecurityManagerSetter(Log log, final boolean allowSystemExits) {
+        super(log, allowSystemExits);
+    }
+
+    @Override
+    public void setNoExitSecurityManager() {
+        if (this.getAllowSystemExits()) {
+            return;
+        }
+
+        getLog().warn("Setting a security manager is not supported starting with Java 21.");
+    }
+
+    @Override
+    public void revertToPreviousSecurityManager() {
+        if (this.getAllowSystemExits()) {
+            return;
+        }
+
+        getLog().warn("Setting a security manager is not supported starting with Java 21.");
+
+    }
+}