SOLR-17641: Disable the Security Manager when Java 24+ is detected (#3153)

HoustonPutman · janhoy · web-flow · commit 390e11d1bafa · 2025-09-10T09:57:36.000+02:00
Co-authored-by: Jan Høydahl &lt;janhoy@apache.org&gt;
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
@@ -242,6 +242,8 @@ Improvements
 * SOLR-17884: SolrJ users not using deprecated SolrClients can safely exclude Apache HttpClient dependencies.
   (David Smiley)
 
+* SOLR-17641: Solr is now able to start on Java 24 and later, but with Security Manager disabled (Houston Putman, Jan Høydahl)
+
 Optimizations
 ---------------------
 (No changes)
diff --git a/solr/bin/solr b/solr/bin/solr
@@ -176,7 +176,7 @@ if [[ $? -ne 0 ]] ; then
   exit 1
 else
   JAVA_VER_NUM=$(echo "$JAVA_VER" | grep -v '_OPTIONS' | head -1 | awk -F '"' '/version/ {print $2}' | sed -e's/^1\.//' | sed -e's/[._-].*$//')
-  if [[ "$JAVA_VER_NUM" -lt "$JAVA_VER_REQ" ]] ; then
+  if (( JAVA_VER_NUM < JAVA_VER_REQ )) ; then
     echo >&2 "Your current version of Java is too old to run this version of Solr."
     echo >&2 "We found major version $JAVA_VER_NUM, using command '${JAVA} -version', with response:"
     echo >&2 "${JAVA_VER}"
@@ -1137,6 +1137,11 @@ else
   REMOTE_JMX_OPTS=()
 fi
 
+# Do not use the java security manager when running Java 24+
+if (( JAVA_VER_NUM >= 24 )) ; then
+    export SOLR_SECURITY_MANAGER_ENABLED="false"
+fi
+
 # Enable java security manager (allowing filesystem access and other things)
 if [ "${SOLR_SECURITY_MANAGER_ENABLED:-true}" == "true" ]; then
   SECURITY_MANAGER_OPTS=('-Djava.security.manager' \
diff --git a/solr/bin/solr.cmd b/solr/bin/solr.cmd
@@ -90,7 +90,10 @@ IF NOT DEFINED SOLR_SSL_RELOAD_ENABLED (
   set "SOLR_SSL_RELOAD_ENABLED=true"
 )
 
-REM Enable java security manager by default (limiting filesystem access and other things)
+REM Enable java security manager by default for Java 23 and before (limiting filesystem access and other things)
+IF !JAVA_MAJOR_VERSION! GEQ 24 (
+  set SOLR_SECURITY_MANAGER_ENABLED=false
+)
 IF NOT DEFINED SOLR_SECURITY_MANAGER_ENABLED (
   set SOLR_SECURITY_MANAGER_ENABLED=true
 )
diff --git a/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc b/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc
@@ -74,6 +74,10 @@ Due to changes in Lucene 9, that isn't possible any more.
 SolrJ users not using SolrClients that use Apache HttpClient can safely exclude those dependencies.
 SolrJ users not using SolrClients that use Jetty HttpClient can safely exclude those dependencies.
 
+=== Java Security Manager
+
+Java has removed support for the Security Manager starting with Java 24; therefore, Solr will disable this feature when run with Java 24 or later. Solr previously used the Security Manager to provide an additional layer of protection against unintended file system access, network access, and process execution. Users upgrading to Java 24 or later should review their security practices and consider alternative measures, such as running Solr in containers or implementing additional operating system-level controls.
+
 == Solr 9.9
 
 === SolrJ

Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,10 @@ IF NOT DEFINED SOLR_SSL_RELOAD_ENABLED (`
`90`	`90`	`set "SOLR_SSL_RELOAD_ENABLED=true"`
`91`	`91`	`)`
`92`	`92`
`93`		`-REM Enable java security manager by default (limiting filesystem access and other things)`
	`93`	`+REM Enable java security manager by default for Java 23 and before (limiting filesystem access and other things)`
	`94`	`+IF !JAVA_MAJOR_VERSION! GEQ 24 (`
	`95`	`+ set SOLR_SECURITY_MANAGER_ENABLED=false`
	`96`	`+)`
`94`	`97`	`IF NOT DEFINED SOLR_SECURITY_MANAGER_ENABLED (`
`95`	`98`	`set SOLR_SECURITY_MANAGER_ENABLED=true`
`96`	`99`	`)`