Java deprecated the SecurityManager and associated APIs in Java 17 (JEP 411) and have continued to remove uses of it in subsequent releases, disabling it in Java 24 (JEP 486). To prepare for future removal, we should remove or minimize Clojure’s uses of it when we move to a release based on Java 17 or higher.

Known clean up:

• clojure.lang.RT includes several java.lang classes from the security API in the DEFAULT_IMPORTS map - SecurityManager, RuntimePermission, maybe others.

  • We should assess community impact of this, not sure how widely people are already relying on these imports. We could conditionally include these based on the JDK level vs just removing them.

• RT.makeClassLoader() uses the privileged action api, which is presumably no longer needs to do

  • Clean up