Maven Surefire

As discussed on IRC, this patch creates a surefire.policy with all permissions.

It's true that setting a java.security.manager (e.g Ashcroft) fails with Surefire e.g. when it goes to write system properties. But I don't think this patch does quite the right thing.

If you're intending to use something like Ashcroft (or any other security manager) you presumably WANT to be restricted by the security manager during your test; if you wanted all permissions, you wouldn't have turned on the security manager in the first place, right?

Dont know about Ashcroft and agree with your comment.
But the use case was defining a security manager without any policy. We need to handle this. WDYT?

Not supporting Ashcroft (or other alternative SecurityManagers) is blocking me from making sure that my coders write unit tests that follow the rules the project's set up (such as no Unit test is allowed to touch the filesystem, network, take longer than x milliseconds, ...). I've seen that jboss uses a maven profile to set jvm arguments like this:

profiles > profile > properites:
<surefire.jvm.args>-Djava.security.manager -Djava.security.policy=${policy.file} ${test.env}</surefire.jvm.args>

http://repository.jboss.org/maven2/org/jboss/security/jbosssx-parent/2.0.2.CR1/jbosssx-parent-2.0.2.CR1.pom

That forces one to rely on maven profiles. I had hoped this would work:

<project><build><plugins>
<plugin>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<skip>true</skip>
</configuration>
<executions>
<execution>
<id>unit-tests</id>
<phase>test</phase>
<goals>
<goal>test</goal>
</goals>
<configuration>
<skip>false</skip>
<excludes>
<exclude>**/*IntegrationTest.java</exclude>
</excludes>
<systemProperties>
<property>
<name>java.security.manager</name>
<value>this.is.where.ashcroft.would.be.nice.or.some.other.UnitTestSecurityManager</value>
</property>
</systemProperties>
</configuration>
</execution>
<execution>
<id>integration-tests</id>
<phase>integration-test</phase>
<goals>
<goal>test</goal>
</goals>
<configuration>
<skip>false</skip>
<includes>
<include>**/*IntegrationTest.java</include>
</includes>
</configuration>
</execution>
</executions>
</plugin>

Another option of course would be to put tests that must run outside the Ashcroft security manager in another project. But it's sad to base that decision on the shortcomings of Surefire.

Fixed in r1102423

From the docs:

• Using a security manager (JUnit3 only)

As long as forkMode!=never and you use JUnit3, you can run your tests with a java security manager active.
The classname of the security manager must be sent as a system property variable to the JUnit3 provider.

JUnit4 uses mechanisms internally that are not compatible with the tested security managers and is not supported
by surefire.

---
[...]
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>${surefire.version}</version>
<configuration>
<systemPropertyVariables>
<surefire.security.manager>java.lang.SecurityManager</surefire.security.manager>
</systemPropertyVariables>
</configuration>
</plugin>
[...]
---

You can still also use the "jboss" method as described above, but you need no exceptions when running JUnit3 in this manner. If you want to run with TestNG/JUnit4 you probably have to use the policy file method.