Moving away will be a long process, so it has to start soon. If people gradually start reducing their usage of the security manager now, they may be ready on time for when the next LTS is released.
Again, it's like fixing bugs in Applets and inviting users to move new code to Applets, when you know it's going away soon.
Â
Or are you telling me GlassFish will forbid usage of SM even as it releases EE 10 compatible version?
Well, indeed. The EE 10 TCK should probably make running with the security manager optional, and then GlassFish would indeed not necessarily pass anymore with the security manager enabled (as it's required now).
A similar thing was done with e.g. JSP support in Faces. We long ago knew it was going to be removed, so new features were explicitly not specified to be usable with JSP (even as there was technically no such barrier). Supporting JSP still would send the
wrong signal, as it was something we wanted to move people away from, not towards.
In order to make GlassFish run on JDK 18 I indeed had to remove some usages of the security manager already.
Â
Once JDK 18+ gets supported, I suppose we'll have to use an MR JAR (or maybe there is a better solution, haven't thought about it much) but until then, we are bound to support it somehow :-/
IFF EE 10 makes running with the security manager optional (and there was indeed discussion about this) then you may not be bound to that so much, at least not in new code (new version of products).