From ac73d39ce3b91fe7171723b175b64a83d203a555 Mon Sep 17 00:00:00 2001
From: Theresa Mammarella <Theresa.T.Mammarella@ibm.com>
Date: Mon, 18 Nov 2024 15:58:20 -0500
Subject: [PATCH 1/9] Set security manager only for JDK 18-23

Signed-off-by: Theresa Mammarella <Theresa.T.Mammarella@ibm.com>
---
 test/functional/testVars.mk | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/test/functional/testVars.mk b/test/functional/testVars.mk
index 27469a26584..7a208b109fc 100644
--- a/test/functional/testVars.mk
+++ b/test/functional/testVars.mk
@@ -20,12 +20,15 @@
 #  SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
 ##############################################################################
 
+# In JDK24+, java.security.manager the security manager is permanently disabled,
+# attempting to enable it will result in an error.
 # In JDK18+, java.security.manager == null behaves as -Djava.security.manager=disallow.
 # In JDK17-, java.security.manager == null behaves as -Djava.security.manager=allow.
 # For OpenJ9 tests to work as expected, -Djava.security.manager=allow behaviour is
 # needed in JDK18+.
-ifeq ($(filter 8 9 10 11 12 13 14 15 16 17, $(JDK_VERSION)),)
-  export JAVA_SECURITY_MANAGER = -Djava.security.manager=allow
-else
+
+ifeq ($(filter 21 23, $(JDK_VERSION)),)
   export JAVA_SECURITY_MANAGER =
+else
+  export JAVA_SECURITY_MANAGER = -Djava.security.manager=allow
 endif

From f94a9d0c5a06225e827fceaf744474a1c5419bb6 Mon Sep 17 00:00:00 2001
From: Theresa Mammarella <Theresa.T.Mammarella@ibm.com>
Date: Mon, 18 Nov 2024 15:59:27 -0500
Subject: [PATCH 2/9] Disable cmdLineTester_J9securityTests for 24+

Signed-off-by: Theresa Mammarella <Theresa.T.Mammarella@ibm.com>
---
 test/functional/cmdLineTests/J9security/playlist.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/functional/cmdLineTests/J9security/playlist.xml b/test/functional/cmdLineTests/J9security/playlist.xml
index b57c9f4cbda..9e8a87f2cac 100644
--- a/test/functional/cmdLineTests/J9security/playlist.xml
+++ b/test/functional/cmdLineTests/J9security/playlist.xml
@@ -66,7 +66,7 @@
 			<group>functional</group>
 		</groups>
 		<versions>
-			<version>11+</version>
+			<version>[11,23]</version>
 		</versions>
 		<impls>
 			<impl>openj9</impl>

From ea19538b06106455bb038efbc3152b1667424b45 Mon Sep 17 00:00:00 2001
From: Theresa Mammarella <Theresa.T.Mammarella@ibm.com>
Date: Mon, 18 Nov 2024 15:59:56 -0500
Subject: [PATCH 3/9] Disable cmdLineTester_ProxyFieldAccess for 24+

Signed-off-by: Theresa Mammarella <Theresa.T.Mammarella@ibm.com>
---
 test/functional/cmdLineTests/proxyFieldAccess/playlist.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/functional/cmdLineTests/proxyFieldAccess/playlist.xml b/test/functional/cmdLineTests/proxyFieldAccess/playlist.xml
index 56508017067..bf15bb4f578 100644
--- a/test/functional/cmdLineTests/proxyFieldAccess/playlist.xml
+++ b/test/functional/cmdLineTests/proxyFieldAccess/playlist.xml
@@ -70,7 +70,7 @@
 			<impl>ibm</impl>
 		</impls>
 		<versions>
-			<version>11+</version>
+			<version>[11,23]</version>
 		</versions>
 	</test>
 </playlist>

From 9e0494f8c14a3d7875694890b6d2fceff3643e4b Mon Sep 17 00:00:00 2001
From: Theresa Mammarella <Theresa.T.Mammarella@ibm.com>
Date: Mon, 18 Nov 2024 16:02:14 -0500
Subject: [PATCH 4/9] Split DataHelperTests reliant on the security manager

to a different job and exclude from 24+.

Signed-off-by: Theresa Mammarella <Theresa.T.Mammarella@ibm.com>
---
 .../DataHelperTests/DataHelperTests.xml       |  33 +-----
 .../DataHelperTests_SecurityManager.xml       | 100 ++++++++++++++++++
 .../DataHelperTests/playlist.xml              |  37 +++++++
 3 files changed, 138 insertions(+), 32 deletions(-)
 create mode 100644 test/functional/cmdLineTests/shareClassTests/DataHelperTests/DataHelperTests_SecurityManager.xml

diff --git a/test/functional/cmdLineTests/shareClassTests/DataHelperTests/DataHelperTests.xml b/test/functional/cmdLineTests/shareClassTests/DataHelperTests/DataHelperTests.xml
index 444e6daf041..52ff13aadb3 100644
--- a/test/functional/cmdLineTests/shareClassTests/DataHelperTests/DataHelperTests.xml
+++ b/test/functional/cmdLineTests/shareClassTests/DataHelperTests/DataHelperTests.xml
@@ -61,10 +61,7 @@
 	<exec command="$JAVA_EXE$ -version" quiet="false"/>
 	
 	<variable name="BOOTCP" value=" "/>
-	<variable name="SECURITY_ON" value="-Djava.security.policy==java.good.policy -Djava.security.manager"/>
-	<variable name="SECURITY_ON_READONLY_BADPOLICY" value="-Djava.security.policy==java.bad.readonly.policy -Djava.security.manager"/>
-	<variable name="SECURITY_ON_WRITEONLY_BADPOLICY" value="-Djava.security.policy==java.bad.writeonly.policy -Djava.security.manager"/>
-	
+
 	<exec command="$JAVA_EXE$ -Xshareclasses:destroyAll" quiet="false"/>
 	
 	<test id="check the datacaching classloader is ok" timeout="600" runPath=".">
@@ -82,26 +79,6 @@
 		<output type="failure" caseSensitive="no" regex="no">exception:</output>
 		<output type="failure" caseSensitive="yes" regex="no">Processing dump event</output>
 	</test>
-
-	<test id="simple caching of a resource, with security on" timeout="600" runPath=".">
-		<command>$JAVA_EXE$ $currentMode$ $SECURITY_ON$ $BOOTCP$ -classpath . apitesting.datahelper.DataCachingTest02</command>
-		<output type="success" caseSensitive="yes" regex="no">test successful</output>
-		<output type="failure" caseSensitive="no" regex="no">failed</output>
-		<output type="failure" caseSensitive="no" regex="no">exception:</output>
-		<output type="failure" caseSensitive="yes" regex="no">Processing dump event</output>
-	</test>
-	
-	<test id="simple caching of a resource, with security on but readonly policy" timeout="600" runPath=".">
-		<command>$JAVA_EXE$ $currentMode$,verboseHelper $BOOTCP$ -classpath . $SECURITY_ON_READONLY_BADPOLICY$ apitesting.datahelper.DataCachingTest02</command>
-		<output type="success" caseSensitive="yes" regex="no">storeSharedData('fileone.txt',...) has failed!</output>
-		<output type="failure" caseSensitive="yes" regex="no">Processing dump event</output>
-	</test>
-	
-	<test id="simple caching of a resource, with security on but writeonly policy" timeout="600" runPath=".">
-		<command>$JAVA_EXE$ $currentMode$,verboseHelper $BOOTCP$ -classpath . $SECURITY_ON_WRITEONLY_BADPOLICY$ apitesting.datahelper.DataCachingTest02</command>
-		<output type="success" caseSensitive="yes" regex="no">should have found the resource but no data retrieved</output>
-		<output type="failure" caseSensitive="yes" regex="no">Processing dump event</output>
-	</test>
 	
 	<test id="caching of multiple resources" timeout="600" runPath=".">
 		<command>$JAVA_EXE$ $currentMode$ $BOOTCP$ -classpath . apitesting.datahelper.DataCachingTest03</command>
@@ -110,14 +87,6 @@
 		<output type="failure" caseSensitive="no" regex="no">exception:</output>
 		<output type="failure" caseSensitive="yes" regex="no">Processing dump event</output>
 	</test>
-
-	<test id="caching of multiple resources, security on" timeout="600" runPath=".">
-		<command>$JAVA_EXE$ $currentMode$ $SECURITY_ON$ $BOOTCP$ -classpath . apitesting.datahelper.DataCachingTest03</command>
-		<output type="success" caseSensitive="yes" regex="no">test successful</output>
-		<output type="failure" caseSensitive="no" regex="no">failed</output>
-		<output type="failure" caseSensitive="no" regex="no">exception:</output>
-		<output type="failure" caseSensitive="yes" regex="no">Processing dump event</output>
-	</test>
 	
 	<test id="marking cache entries stale for bytedata resources" timeout="600" runPath=".">
 		<command>$JAVA_EXE$ $currentMode$ $BOOTCP$ -classpath . apitesting.datahelper.DataCachingTest04</command>
diff --git a/test/functional/cmdLineTests/shareClassTests/DataHelperTests/DataHelperTests_SecurityManager.xml b/test/functional/cmdLineTests/shareClassTests/DataHelperTests/DataHelperTests_SecurityManager.xml
new file mode 100644
index 00000000000..8748810f68a
--- /dev/null
+++ b/test/functional/cmdLineTests/shareClassTests/DataHelperTests/DataHelperTests_SecurityManager.xml
@@ -0,0 +1,100 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+
+<!--
+  Copyright IBM Corp. and others 2024
+
+  This program and the accompanying materials are made available under
+  the terms of the Eclipse Public License 2.0 which accompanies this
+  distribution and is available at https://www.eclipse.org/legal/epl-2.0/
+  or the Apache License, Version 2.0 which accompanies this distribution and
+  is available at https://www.apache.org/licenses/LICENSE-2.0.
+
+  This Source Code may also be made available under the following
+  Secondary Licenses when the conditions for such availability set
+  forth in the Eclipse Public License, v. 2.0 are satisfied: GNU
+  General Public License, version 2 with the GNU Classpath
+  Exception [1] and GNU General Public License, version 2 with the
+  OpenJDK Assembly Exception [2].
+
+  [1] https://www.gnu.org/software/classpath/license.html
+  [2] https://openjdk.org/legal/assembly-exception.html
+
+  SPDX-License-Identifier: EPL-2.0 OR Apache-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0 OR GPL-2.0-only WITH OpenJDK-assembly-exception-1.0
+-->
+
+<!DOCTYPE suite SYSTEM "cmdlinetester.dtd">
+<suite id="Shared Classes DataCaching Helper API tests with SecurityManager">
+
+	<variable name="TESTCACHENAME" value="testCache"/>
+
+	<!-- Used to set which mode the test cases are run in -->
+	<variable name="currentMode" value="-Xshareclasses:reset,name=$TESTCACHENAME$"/>
+
+	<variable name="mode204" value="-Xshareclasses:reset,name=$TESTCACHENAME$"/>
+	<variable name="mode205" value="-Xshareclasses:reset,name=$TESTCACHENAME$,noClasspathCacheing"/>
+	<variable name="mode208" value="-Xshareclasses:reset,name=$TESTCACHENAME$,noaot"/>
+	<variable name="mode209" value="-Xaot:forceAOT,count=0 -Xshareclasses:reset,name=$TESTCACHENAME$"/>
+	<variable name="mode210" value="-Xits0 -Xshareclasses:reset,name=$TESTCACHENAME$"/>
+	<variable name="mode211" value="-Xits2000 -Xshareclasses:reset,name=$TESTCACHENAME$"/>
+	<variable name="mode212" value="-Xits50000 -Xshareclasses:reset,name=$TESTCACHENAME$"/>
+	<variable name="mode213" value="-Xshareclasses:reset,name=$TESTCACHENAME$,noReduceStoreContention"/>
+	<variable name="mode214" value="-Xshareclasses:reset,name=$TESTCACHENAME$,modified=context1"/>
+
+	<variable name="currentMode" value="$mode204$"/>
+
+	<!-- set currentMode variable depending on the value of loopIndex -->
+	<if testVariable="SCMODE" testValue="204" resultVariable="currentMode" resultValue="$mode204$"/>
+	<if testVariable="SCMODE" testValue="205" resultVariable="currentMode" resultValue="$mode205$"/>
+	<if testVariable="SCMODE" testValue="206" resultVariable="currentMode" resultValue="$mode206$"/>
+	<if testVariable="SCMODE" testValue="208" resultVariable="currentMode" resultValue="$mode208$"/>
+	<if testVariable="SCMODE" testValue="209" resultVariable="currentMode" resultValue="$mode209$"/>
+	<if testVariable="SCMODE" testValue="210" resultVariable="currentMode" resultValue="$mode210$"/>
+	<if testVariable="SCMODE" testValue="211" resultVariable="currentMode" resultValue="$mode211$"/>
+	<if testVariable="SCMODE" testValue="212" resultVariable="currentMode" resultValue="$mode212$"/>
+	<if testVariable="SCMODE" testValue="213" resultVariable="currentMode" resultValue="$mode213$"/>
+	<if testVariable="SCMODE" testValue="214" resultVariable="currentMode" resultValue="$mode214$"/>
+
+	<echo value=" "/>
+	<echo value="#######################################################"/>
+	<echo value="Running tests with command line options: $currentMode$"/>
+	<echo value=" "/>
+	<exec command="$JAVA_EXE$ -version" quiet="false"/>
+
+	<variable name="BOOTCP" value=" "/>
+	<variable name="SECURITY_ON" value="-Djava.security.policy==java.good.policy -Djava.security.manager"/>
+	<variable name="SECURITY_ON_READONLY_BADPOLICY" value="-Djava.security.policy==java.bad.readonly.policy -Djava.security.manager"/>
+	<variable name="SECURITY_ON_WRITEONLY_BADPOLICY" value="-Djava.security.policy==java.bad.writeonly.policy -Djava.security.manager"/>
+
+	<exec command="$JAVA_EXE$ -Xshareclasses:destroyAll" quiet="false"/>
+
+	<test id="simple caching of a resource, with security on" timeout="600" runPath=".">
+		<command>$JAVA_EXE$ $currentMode$ $SECURITY_ON$ $BOOTCP$ -classpath . apitesting.datahelper.DataCachingTest02</command>
+		<output type="success" caseSensitive="yes" regex="no">test successful</output>
+		<output type="failure" caseSensitive="no" regex="no">failed</output>
+		<output type="failure" caseSensitive="no" regex="no">exception:</output>
+		<output type="failure" caseSensitive="yes" regex="no">Processing dump event</output>
+	</test>
+
+	<test id="simple caching of a resource, with security on but readonly policy" timeout="600" runPath=".">
+		<command>$JAVA_EXE$ $currentMode$,verboseHelper $BOOTCP$ -classpath . $SECURITY_ON_READONLY_BADPOLICY$ apitesting.datahelper.DataCachingTest02</command>
+		<output type="success" caseSensitive="yes" regex="no">storeSharedData('fileone.txt',...) has failed!</output>
+		<output type="failure" caseSensitive="yes" regex="no">Processing dump event</output>
+	</test>
+
+	<test id="simple caching of a resource, with security on but writeonly policy" timeout="600" runPath=".">
+		<command>$JAVA_EXE$ $currentMode$,verboseHelper $BOOTCP$ -classpath . $SECURITY_ON_WRITEONLY_BADPOLICY$ apitesting.datahelper.DataCachingTest02</command>
+		<output type="success" caseSensitive="yes" regex="no">should have found the resource but no data retrieved</output>
+		<output type="failure" caseSensitive="yes" regex="no">Processing dump event</output>
+	</test>
+
+	<test id="caching of multiple resources, security on" timeout="600" runPath=".">
+		<command>$JAVA_EXE$ $currentMode$ $SECURITY_ON$ $BOOTCP$ -classpath . apitesting.datahelper.DataCachingTest03</command>
+		<output type="success" caseSensitive="yes" regex="no">test successful</output>
+		<output type="failure" caseSensitive="no" regex="no">failed</output>
+		<output type="failure" caseSensitive="no" regex="no">exception:</output>
+		<output type="failure" caseSensitive="yes" regex="no">Processing dump event</output>
+	</test>
+
+	<exec command="$JAVA_EXE$ -Xshareclasses:destroyAll" quiet="false"/>
+
+</suite>
diff --git a/test/functional/cmdLineTests/shareClassTests/DataHelperTests/playlist.xml b/test/functional/cmdLineTests/shareClassTests/DataHelperTests/playlist.xml
index 66b60677932..e8b66ef6d79 100644
--- a/test/functional/cmdLineTests/shareClassTests/DataHelperTests/playlist.xml
+++ b/test/functional/cmdLineTests/shareClassTests/DataHelperTests/playlist.xml
@@ -56,4 +56,41 @@
 			<impl>ibm</impl>
 		</impls>
 	</test>
+
+	<test>
+		<testCaseName>cmdLineTester_DataHelperTests_SecurityManager</testCaseName>
+		<variations>
+			<variation>Mode110</variation>
+			<variation>Mode610</variation>
+		</variations>
+		<command>cp $(Q)$(TEST_RESROOT)$(D)DataHelperTests.jar$(Q) .; \
+	$(Q)$(TEST_JDK_HOME)$(D)bin$(D)jar$(EXECUTABLE_SUFFIX)$(Q) xf DataHelperTests.jar; \
+	$(CONVERT_TO_EBCDIC_CMD) \
+	$(CD) $(Q)$(REPORTDIR_NQ)$(D)datacaching$(D)dataone.contents$(Q); $(Q)$(TEST_JDK_HOME)$(D)bin$(D)jar$(EXECUTABLE_SUFFIX)$(Q) cf dataone.jar *.txt; $(CD) $(Q)..$(D)..$(D)$(Q); \
+	$(CD) $(Q)$(REPORTDIR_NQ)$(D)datacaching$(D)datatwo.contents$(Q); $(Q)$(TEST_JDK_HOME)$(D)bin$(D)jar$(EXECUTABLE_SUFFIX)$(Q) cf datatwo.jar *.txt; $(CD) $(Q)..$(D)..$(D)$(Q); \
+	mv $(Q)$(REPORTDIR_NQ)$(D)datacaching$(D)dataone.contents$(D)dataone.jar$(Q) $(Q)$(REPORTDIR_NQ)$(D)datacaching$(Q); \
+	mv $(Q)$(REPORTDIR_NQ)$(D)datacaching$(D)datatwo.contents$(D)datatwo.jar$(Q) $(Q)$(REPORTDIR_NQ)$(D)datacaching$(Q); \
+	$(JAVA_COMMAND) $(CMDLINETESTER_JVM_OPTIONS) -DJAVA_EXE=$(SQ)$(JAVA_COMMAND) $(JVM_OPTIONS)$(SQ) -DCPDL=$(Q)$(P)$(Q) -DSCMODE=204 -DTEST_JVM_OPTIONS=$(Q)$(JVM_OPTIONS)$(Q) \
+	-jar $(CMDLINETESTER_JAR) \
+	-config $(Q)$(TEST_RESROOT)$(D)DataHelperTests_SecurityManager.xml$(Q) -xids all,$(JDK_VERSION) -xlist $(Q)$(TEST_RESROOT)$(D)exclude.xml$(Q) \
+	-nonZeroExitWhenError \
+	-outputLimit 300; \
+	$(TEST_STATUS)</command>
+		<versions>
+			<version>[8,23]</version>
+		</versions>
+		<levels>
+			<level>sanity</level>
+		</levels>
+		<groups>
+			<group>functional</group>
+		</groups>
+		<features>
+			<feature>AOT:explicit</feature>
+		</features>
+		<impls>
+			<impl>openj9</impl>
+			<impl>ibm</impl>
+		</impls>
+	</test>
 </playlist>

From 924efa6ba3e9bc036e0544fdc20578240b22f71f Mon Sep 17 00:00:00 2001
From: Theresa Mammarella <Theresa.T.Mammarella@ibm.com>
Date: Mon, 18 Nov 2024 16:03:56 -0500
Subject: [PATCH 5/9] Update criu_nonPortable SecurityManager error for 24+

Signed-off-by: Theresa Mammarella <Theresa.T.Mammarella@ibm.com>
---
 test/functional/cmdLineTests/criu/criu_nonPortable.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/test/functional/cmdLineTests/criu/criu_nonPortable.xml b/test/functional/cmdLineTests/criu/criu_nonPortable.xml
index 18b6ae70365..88a6ef9f1d4 100644
--- a/test/functional/cmdLineTests/criu/criu_nonPortable.xml
+++ b/test/functional/cmdLineTests/criu/criu_nonPortable.xml
@@ -464,6 +464,7 @@
   </test>
   <test id="Test setting SecurityManager via -Djava.security.manager">
     <command>bash $SCRIPPATH$ $TEST_RESROOT$ $JAVA_COMMAND$ "$JVM_OPTIONS$" $OPTION_SET_SECURITYMANAGER$ $MAINCLASS_TEST_SECURITYMANAGER$ setSMCommandOption 1 false false</command>
+    <output type="success" caseSensitive="no" regex="no">java/lang/Error: A command line option has attempted to allow or enable the Security Manager. Enabling a Security Manager is not supported.</output>
     <output type="success" caseSensitive="no" regex="no">UnsupportedOperationException: Enabling a SecurityManager currently unsupported</output>
     <output type="failure" caseSensitive="yes" regex="no">TEST FAILED</output>
     <output type="failure" caseSensitive="yes" regex="no">CRIU is not enabled</output>

From 7eeb61eab803005696e378277a03ea3b96763d24 Mon Sep 17 00:00:00 2001
From: Theresa Mammarella <Theresa.T.Mammarella@ibm.com>
Date: Fri, 22 Nov 2024 15:43:37 -0500
Subject: [PATCH 6/9] Don't fail on TestAttachAPI SecurityException for 24

Signed-off-by: Theresa Mammarella <Theresa.T.Mammarella@ibm.com>
---
 .../src/org/openj9/test/attachAPI/TestAttachAPI.java | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/test/functional/Java8andUp/src/org/openj9/test/attachAPI/TestAttachAPI.java b/test/functional/Java8andUp/src/org/openj9/test/attachAPI/TestAttachAPI.java
index 76f832c55a3..4ab00f093a5 100644
--- a/test/functional/Java8andUp/src/org/openj9/test/attachAPI/TestAttachAPI.java
+++ b/test/functional/Java8andUp/src/org/openj9/test/attachAPI/TestAttachAPI.java
@@ -37,6 +37,7 @@
 
 import org.openj9.test.util.PlatformInfo;
 import org.openj9.test.util.StringPrintStream;
+import org.openj9.test.util.VersionCheck;
 import org.testng.AssertJUnit;
 import org.testng.annotations.AfterMethod;
 import org.testng.annotations.BeforeMethod;
@@ -1104,8 +1105,15 @@ public void test_attachperm04_05() {
 		try {
 			ap.checkGuard(this);
 		} catch (SecurityException unwantedException) {
-			fail("attachperm04: checkGuard: unexpected exception: "
-					+ unwantedException.getMessage());
+			String m = unwantedException.getMessage();
+			if (VersionCheck.major() >= 24
+				&& m.contains("checking permissions is not supported")
+			) {
+				return;
+			} else {
+				fail("attachperm04: checkGuard: unexpected exception: "
+						+ unwantedException.getMessage());
+			}
 		}
 		String testString = ap.toString();
 		assertTrue(

From 730f00c510d565874b6e94278f9052d2db3ce559 Mon Sep 17 00:00:00 2001
From: Theresa Mammarella <Theresa.T.Mammarella@ibm.com>
Date: Fri, 22 Nov 2024 15:44:45 -0500
Subject: [PATCH 7/9] java.security comment update and exclude helper methods

Signed-off-by: Theresa Mammarella <Theresa.T.Mammarella@ibm.com>
---
 .../share/classes/java/lang/Class.java        |   9 +-
 .../java/security/AccessControlContext.java   |  10 ++
 .../java/security/AccessController.java       | 112 +++++++++++++-----
 runtime/jcl/common/acccont.c                  |   2 +
 runtime/jcl/common/java_lang_Class.cpp        |  14 ++-
 runtime/oti/j9nonbuilder.h                    |   4 +
 6 files changed, 114 insertions(+), 37 deletions(-)

diff --git a/jcl/src/java.base/share/classes/java/lang/Class.java b/jcl/src/java.base/share/classes/java/lang/Class.java
index f79ef1fe2a1..7f8cda65205 100644
--- a/jcl/src/java.base/share/classes/java/lang/Class.java
+++ b/jcl/src/java.base/share/classes/java/lang/Class.java
@@ -3046,7 +3046,9 @@ public boolean desiredAssertionStatus() {
  * array of not more than maxDepth Classes representing the classes of
  * running methods on the stack (including native methods).  Frames
  * representing the VM implementation of java.lang.reflect are not included
- * in the list.  If stopAtPrivileged is true, the walk will terminate at any
+ * in the list.
+/*[IF JAVA_SPEC_VERSION < 24]
+ * If stopAtPrivileged is true, the walk will terminate at any
  * frame running one of the following methods:
  *
  * <code><ul>
@@ -3057,6 +3059,7 @@ public boolean desiredAssertionStatus() {
  * </ul></code>
  *
  * If one of the doPrivileged methods is found, the walk terminate and that frame is NOT included in the returned array.
+/*[ENDIF] JAVA_SPEC_VERSION < 24
  *
  * Notes: <ul>
  * 	 <li> This method operates on the defining classes of methods on stack.
@@ -3067,7 +3070,11 @@ public boolean desiredAssertionStatus() {
  *</ul>
  *
  * @param 		maxDepth			maximum depth to walk the stack, -1 for the entire stack
+/*[IF JAVA_SPEC_VERSION >= 24]
+ * @param 		stopAtPrivileged	has no effect
+/*[ELSE] JAVA_SPEC_VERSION >= 24
  * @param 		stopAtPrivileged	stop at privileged classes
+/*[ENDIF] JAVA_SPEC_VERSION >= 24
  * @return		the array of the most recent classes on the stack
  */
 @CallerSensitive
diff --git a/jcl/src/java.base/share/classes/java/security/AccessControlContext.java b/jcl/src/java.base/share/classes/java/security/AccessControlContext.java
index 9684bff2300..25a5f6272da 100644
--- a/jcl/src/java.base/share/classes/java/security/AccessControlContext.java
+++ b/jcl/src/java.base/share/classes/java/security/AccessControlContext.java
@@ -722,6 +722,13 @@ private boolean debugHelper(Permission perm) {
 }
 
 /**
+/*[IF JAVA_SPEC_VERSION >= 24]
+ * Throws java.security.AccessControlException
+ *
+ * @param       perm is ignored
+ * @exception	java.security.AccessControlException
+ * 					is always thrown
+/*[ELSE] JAVA_SPEC_VERSION >= 24
  * Checks if the permission <code>perm</code> is allowed in this context.
  * All ProtectionDomains must grant the permission for it to be granted.
  *
@@ -731,6 +738,7 @@ private boolean debugHelper(Permission perm) {
  *                  thrown when perm is not granted.
  * @exception   NullPointerException
  *                  if perm is null
+/*[ENDIF] JAVA_SPEC_VERSION >= 24
  */
 public void checkPermission(Permission perm) throws AccessControlException {
 /*[IF JAVA_SPEC_VERSION >= 24]*/
@@ -940,6 +948,7 @@ ProtectionDomain[] getContext() {
 	return context;
 }
 
+/*[IF JAVA_SPEC_VERSION < 24]*/
 /*
  * Added to resolve: S6907662, CVE-2010-4465: System clipboard should ensure access restrictions
  * Called internally from java.security.ProtectionDomain
@@ -953,6 +962,7 @@ ProtectionDomain[] getContext() {
 		this.domainCombiner = acc.domainCombiner;
 	}
 }
+/*[ENDIF] JAVA_SPEC_VERSION < 24 */
 
 /*
  * Added to resolve: S6907662, CVE-2010-4465: System clipboard should ensure access restrictions
diff --git a/jcl/src/java.base/share/classes/java/security/AccessController.java b/jcl/src/java.base/share/classes/java/security/AccessController.java
index cf3c744ab95..5585a40d8e6 100644
--- a/jcl/src/java.base/share/classes/java/security/AccessController.java
+++ b/jcl/src/java.base/share/classes/java/security/AccessController.java
@@ -23,7 +23,9 @@
 package java.security;
 
 import com.ibm.oti.util.Msg;
+/*[IF JAVA_SPEC_VERSION < 24]*/
 import sun.security.util.SecurityConstants;
+/*[ENDIF] JAVA_SPEC_VERSION < 24 */
 
 /*[IF JAVA_SPEC_VERSION >= 9]
 import jdk.internal.reflect.CallerSensitive;
@@ -44,30 +46,30 @@
 @SuppressWarnings("removal")
 /*[ENDIF] JAVA_SPEC_VERSION >= 17 */
 public final class AccessController {
+/*[IF JAVA_SPEC_VERSION >= 24]*/
+	private static AccessControlContext ACC_NO_PERM = new AccessControlContext(
+			new ProtectionDomain[] { new ProtectionDomain(null, null) });
+/*[ELSE] JAVA_SPEC_VERSION >= 24 */
 	static {
 		// Initialize vm-internal caches
 		initializeInternal();
 	}
 
-/*[IF JAVA_SPEC_VERSION >= 24]*/
-	private static AccessControlContext ACC_NO_PERM = new AccessControlContext(
-			new ProtectionDomain[] { new ProtectionDomain(null, null) });
-/*[ENDIF] JAVA_SPEC_VERSION >= 24 */
-
 	static final int OBJS_INDEX_ACC = 0;
 	static final int OBJS_INDEX_PDS = 1;
 	static final int OBJS_ARRAY_SIZE = 3;
 	static final int OBJS_INDEX_PERMS_OR_CACHECHECKED = 2;
 
-private static native void initializeInternal();
+	private static native void initializeInternal();
 
-/* [PR CMVC 188787] Enabling -Djava.security.debug option within WAS keeps JVM busy */
-static final class DebugRecursionDetection {
-	private static ThreadLocal<String> tlDebug = new ThreadLocal<>();
-	static ThreadLocal<String> getTlDebug() {
-		return tlDebug;
+	/* [PR CMVC 188787] Enabling -Djava.security.debug option within WAS keeps JVM busy */
+	static final class DebugRecursionDetection {
+		private static ThreadLocal<String> tlDebug = new ThreadLocal<>();
+		static ThreadLocal<String> getTlDebug() {
+			return tlDebug;
+		}
 	}
-}
+/*[ENDIF] JAVA_SPEC_VERSION >= 24 */
 
 /*[PR 1FDIC6B] J9JCL:WIN95 - AccessController missing private no-arg constructor */
 /**
@@ -77,6 +79,7 @@ private AccessController() {
 	super();
 }
 
+/*[IF JAVA_SPEC_VERSION < 24]*/
 /**
  * The object array returned has following format:
  *
@@ -192,7 +195,6 @@ private static void throwACE(boolean debug, Permission perm, ProtectionDomain pD
 	}
 }
 
-/*[IF JAVA_SPEC_VERSION < 24]*/
 /**
  * Helper method to check whether the running program is allowed to access the resource
  * being guarded by the given Permission argument
@@ -275,7 +277,6 @@ private static boolean checkPermissionHelper(Permission perm, AccessControlConte
 	}
 	return limitedPermImplied;
 }
-/*[ENDIF] JAVA_SPEC_VERSION < 24 */
 
 /**
  * Helper to print debug stack information for checkPermission().
@@ -365,8 +366,15 @@ private static boolean debugHelperJEP140(Object[] objects, Permission perm) {
 	debugPrintStack(debug, perm);
 	return debug;
 }
+/*[ENDIF] JAVA_SPEC_VERSION < 24 */
 
 /**
+/*[IF JAVA_SPEC_VERSION >= 24]
+ * Throws AccessControlException
+ *
+ * @param       perm                    is ignored
+ * @exception   AccessControlException  is always thrown
+/*[ELSE] JAVA_SPEC_VERSION >= 24
  * Checks whether the running program is allowed to
  * access the resource being guarded by the given
  * Permission argument.
@@ -374,6 +382,7 @@ private static boolean debugHelperJEP140(Object[] objects, Permission perm) {
  * @param       perm                    the permission to check
  * @exception   AccessControlException  if access is not allowed.
  *              NullPointerException if perm is null
+/*[ENDIF] JAVA_SPEC_VERSION >= 24
  */
 public static void checkPermission(Permission perm) throws AccessControlException {
 /*[IF JAVA_SPEC_VERSION >= 24]*/
@@ -437,24 +446,9 @@ public static void checkPermission(Permission perm) throws AccessControlExceptio
 }
 
 /**
- * Used to keep the context live during doPrivileged().
- *
- * @param context  the context to retain
- *
- * @see         #doPrivileged(PrivilegedAction, AccessControlContext)
- */
-private static void keepalive(AccessControlContext context) {
-	return;
-}
-
-/**
- * @param perms  the permissions to retain
- */
-private static void keepalive(Permission... perms) {
-	return;
-}
-
-/**
+/*[IF JAVA_SPEC_VERSION >= 24]
+ * @return an AccessControlContext with no permissions
+/*[ELSE] JAVA_SPEC_VERSION >= 24
  * Answers the access controller context of the current thread,
  * including the inherited ones. It basically retrieves all the
  * protection domains from the calling stack and creates an
@@ -463,6 +457,7 @@ private static void keepalive(Permission... perms) {
  * @return an AccessControlContext which captures the current state
  *
  * @see         AccessControlContext
+/*[ENDIF] JAVA_SPEC_VERSION >= 24
  */
 public static AccessControlContext getContext() {
 /*[IF JAVA_SPEC_VERSION >= 24]*/
@@ -472,6 +467,25 @@ public static AccessControlContext getContext() {
 /*[ENDIF] JAVA_SPEC_VERSION >= 24 */
 }
 
+/*[IF JAVA_SPEC_VERSION < 24]*/
+/**
+ * Used to keep the context live during doPrivileged().
+ *
+ * @param context  the context to retain
+ *
+ * @see         #doPrivileged(PrivilegedAction, AccessControlContext)
+ */
+private static void keepalive(AccessControlContext context) {
+	return;
+}
+
+/**
+ * @param perms  the permissions to retain
+ */
+private static void keepalive(Permission... perms) {
+	return;
+}
+
 /**
  * This is a helper method for getContext() and doPrivilegedWithCombiner methods.
  * Answers the access controller context of the current thread including the inherited ones.
@@ -637,6 +651,7 @@ private static int getNewAuthorizedState(AccessControlContext acc, ProtectionDom
 	}
 	return newAuthorizedState;
  }
+/*[ENDIF] JAVA_SPEC_VERSION < 24 */
 
 /**
  * Helper method to combine the ProtectionDomain objects
@@ -753,8 +768,10 @@ public static <T> T doPrivileged(PrivilegedAction<T> action) {
 @CallerSensitive
 public static <T> T doPrivileged(PrivilegedAction<T> action, AccessControlContext context) {
 	T result = action.run();
+	/*[IF JAVA_SPEC_VERSION < 24]*/
 	/*[PR 108112] context is not kept alive*/
 	keepalive(context);
+	/*[ENDIF] JAVA_SPEC_VERSION < 24 */
 	return result;
 }
 
@@ -820,8 +837,10 @@ public static <T> T doPrivileged (PrivilegedExceptionAction<T> action, AccessCon
 {
 	try {
 		T result = action.run();
+		/*[IF JAVA_SPEC_VERSION < 24]*/
 		/*[PR 108112] context is not kept alive*/
 		keepalive(context);
+		/*[ENDIF] JAVA_SPEC_VERSION < 24 */
 		return result;
 	} catch (RuntimeException ex) {
 		throw ex;
@@ -849,7 +868,11 @@ public static <T> T doPrivileged (PrivilegedExceptionAction<T> action, AccessCon
  */
 @CallerSensitive
 public static <T> T doPrivilegedWithCombiner(PrivilegedAction<T> action) {
+/*[IF JAVA_SPEC_VERSION >= 24]*/
+	return doPrivileged(action, null);
+/*[ELSE] JAVA_SPEC_VERSION >= 24*/
 	return doPrivileged(action, doPrivilegedWithCombinerHelper(null));
+/*[ENDIF] JAVA_SPEC_VERSION >= 24*/
 }
 
 /**
@@ -876,9 +899,14 @@ public static <T> T doPrivilegedWithCombiner(PrivilegedAction<T> action) {
 public static <T> T doPrivilegedWithCombiner(PrivilegedExceptionAction<T> action)
 	throws PrivilegedActionException
 {
+/*[IF JAVA_SPEC_VERSION >= 24]*/
+	return doPrivileged(action, null);
+/*[ELSE] JAVA_SPEC_VERSION >= 24*/
 	return doPrivileged(action, doPrivilegedWithCombinerHelper(null));
+/*[ENDIF] JAVA_SPEC_VERSION >= 24*/
 }
 
+/*[IF JAVA_SPEC_VERSION < 24]*/
 /**
  * Helper method to check if any permission is null
  *
@@ -894,6 +922,7 @@ private static void checkPermsNPE(Permission... perms) {
 		}
 	}
 }
+/*[ENDIF] JAVA_SPEC_VERSION < 24 */
 
 /**
  * Performs the privileged action specified by <code>action</code>.
@@ -922,10 +951,14 @@ private static void checkPermsNPE(Permission... perms) {
 public static <T> T doPrivileged(PrivilegedAction<T> action,
 		AccessControlContext context, Permission... perms)
 {
+/*[IF JAVA_SPEC_VERSION < 24]*/
 	checkPermsNPE(perms);
+/*[ENDIF] JAVA_SPEC_VERSION < 24 */
 	T result = action.run();
+/*[IF JAVA_SPEC_VERSION < 24]*/
 	keepalive(context);
 	keepalive(perms);
+/*[ENDIF] JAVA_SPEC_VERSION < 24 */
 	return result;
 }
 
@@ -954,8 +987,13 @@ public static <T> T doPrivileged(PrivilegedAction<T> action,
 public static <T> T doPrivilegedWithCombiner(PrivilegedAction<T> action,
 		AccessControlContext context, Permission... perms)
 {
+/*[IF JAVA_SPEC_VERSION >= 24]*/
+	return doPrivileged(action, context, perms); // 24 - perms?
+/*[ELSE] JAVA_SPEC_VERSION >= 24*/
 	checkPermsNPE(perms);
 	return doPrivileged(action, doPrivilegedWithCombinerHelper(context), perms);
+/*[ENDIF] JAVA_SPEC_VERSION >= 24*/
+
 }
 
 /**
@@ -989,10 +1027,14 @@ public static <T> T doPrivileged(PrivilegedExceptionAction<T> action,
 	throws PrivilegedActionException
 {
 	try {
+/*[IF JAVA_SPEC_VERSION < 24]*/
 		checkPermsNPE(perms);
+/*[ENDIF] JAVA_SPEC_VERSION < 24 */
 		T result = action.run();
+/*[IF JAVA_SPEC_VERSION < 24]*/
 		keepalive(context);
 		keepalive(perms);
+/*[ENDIF] JAVA_SPEC_VERSION < 24 */
 		return result;
 	} catch (RuntimeException ex) {
 		throw ex;
@@ -1029,10 +1071,15 @@ public static <T> T doPrivilegedWithCombiner(PrivilegedExceptionAction<T> action
 		AccessControlContext context, Permission... perms)
 	throws PrivilegedActionException
 {
+/*[IF JAVA_SPEC_VERSION >= 24]*/
+	return doPrivileged(action, context, perms);
+/*[ELSE] JAVA_SPEC_VERSION >= 24 */
 	checkPermsNPE(perms);
 	return doPrivileged(action, doPrivilegedWithCombinerHelper(context), perms);
+/*[ENDIF] JAVA_SPEC_VERSION >= 24 */
 }
 
+/*[IF JAVA_SPEC_VERSION < 24]*/
 /**
  * Helper method to construct an AccessControlContext for doPrivilegedWithCombiner methods.
  *
@@ -1052,5 +1099,6 @@ private static AccessControlContext doPrivilegedWithCombinerHelper(AccessControl
 	}
 	return fixedContext;
 }
+/*[ENDIF] JAVA_SPEC_VERSION < 24*/
 
 }
diff --git a/runtime/jcl/common/acccont.c b/runtime/jcl/common/acccont.c
index a74735cedf4..53d5ef486b3 100644
--- a/runtime/jcl/common/acccont.c
+++ b/runtime/jcl/common/acccont.c
@@ -25,6 +25,7 @@
 #include "j9.h"
 #include "j9port.h"
 
+#if JAVA_SPEC_VERSION < 24
 jboolean JNICALL Java_java_security_AccessController_initializeInternal(JNIEnv *env, jclass thisClz)
 {
 	J9JavaVM *javaVM = ((J9VMThread *) env)->javaVM;
@@ -63,3 +64,4 @@ jboolean JNICALL Java_java_security_AccessController_initializeInternal(JNIEnv *
 fail:
 	return JNI_FALSE;
 }
+#endif /* JAVA_SPEC_VERSION < 24 */
diff --git a/runtime/jcl/common/java_lang_Class.cpp b/runtime/jcl/common/java_lang_Class.cpp
index fb26b2f1232..440f0dde3af 100644
--- a/runtime/jcl/common/java_lang_Class.cpp
+++ b/runtime/jcl/common/java_lang_Class.cpp
@@ -44,6 +44,9 @@ typedef enum {
 	STATE_IMPLIED = 1
 } StackWalkingStates;
 
+#define 	STACK_WALK_STATE_MAGIC 		(void *)1
+
+#if JAVA_SPEC_VERSION < 24
 typedef enum {
 	OBJS_ARRAY_IDX_ACC = 0,
 	OBJS_ARRAY_IDX_PDS = 1,
@@ -51,7 +54,6 @@ typedef enum {
 	OBJS_ARRAY_SIZE = 3
 } ObjsArraySizeNindex;
 
-#define 	STACK_WALK_STATE_MAGIC 		(void *)1
 #define 	STACK_WALK_STATE_LIMITED_DOPRIVILEGED		(void *)2
 #define 	STACK_WALK_STATE_FULL_DOPRIVILEGED		(void *)3
 
@@ -59,6 +61,7 @@ static UDATA isPrivilegedFrameIterator(J9VMThread * currentThread, J9StackWalkSt
 static UDATA isPrivilegedFrameIteratorGetAccSnapshot(J9VMThread * currentThread, J9StackWalkState * walkState);
 static UDATA frameIteratorGetAccSnapshotHelper(J9VMThread * currentThread, J9StackWalkState * walkState, j9object_t acc, j9object_t perm);
 static j9object_t storePDobjectsHelper(J9VMThread* vmThread, J9Class* arrayClass, J9StackWalkState* walkState, j9object_t contextObject, U_32 arraySize, UDATA framesWalked, I_32 startPos, BOOLEAN dupCallerPD);
+#endif /* JAVA_SPEC_VERSION < 24 */
 static BOOLEAN checkInnerClassHelper(J9Class* declaringClass, J9Class* declaredClass);
 
 jobject JNICALL
@@ -80,6 +83,7 @@ Java_java_lang_Class_getDeclaredAnnotationsData(JNIEnv *env, jobject jlClass)
 	return result;
 }
 
+#if JAVA_SPEC_VERSION < 24
 static UDATA
 isPrivilegedFrameIterator(J9VMThread * currentThread, J9StackWalkState * walkState)
 {
@@ -129,6 +133,7 @@ isPrivilegedFrameIterator(J9VMThread * currentThread, J9StackWalkState * walkSta
 
 	return J9_STACKWALK_KEEP_ITERATING;
 }
+#endif /* JAVA_SPEC_VERSION < 24 */
 
 jobject JNICALL
 Java_java_lang_Class_getStackClasses(JNIEnv *env, jclass jlHeapClass, jint maxDepth, jboolean stopAtPrivileged)
@@ -165,10 +170,12 @@ Java_java_lang_Class_getStackClasses(JNIEnv *env, jclass jlHeapClass, jint maxDe
 	walkState.maxFrames = maxDepth;
 	walkState.walkThread = vmThread;
 
+#if JAVA_SPEC_VERSION < 24
 	if (stopAtPrivileged) {
 		walkFlags |= J9_STACKWALK_ITERATE_FRAMES;
 		walkState.frameWalkFunction = isPrivilegedFrameIterator;
 	}
+#endif /* JAVA_SPEC_VERSION < 24 */
 	walkState.flags = walkFlags;
 
 	if (vm->walkStackFrames(vmThread, &walkState) != J9_STACKWALK_RC_NONE) {
@@ -1201,6 +1208,7 @@ Java_java_lang_Class_permittedSubclassesImpl(JNIEnv *env, jobject cls)
 	return permittedSubclassesHelper(env, cls);
 }
 
+#if JAVA_SPEC_VERSION < 24
 static UDATA
 frameIteratorGetAccSnapshotHelper(J9VMThread * currentThread, J9StackWalkState * walkState, j9object_t acc, j9object_t perm)
 {
@@ -1423,13 +1431,11 @@ Java_java_security_AccessController_getAccSnapshot(JNIEnv* env, jclass jsAccessC
 	if (NULL != vmThread->currentException) {
 		goto _walkStateUninitialized;
 	}
-#if JAVA_SPEC_VERSION < 24
 	/* AccessControlContext is allocated in the same space as the thread, so no exception can occur */
 	contextObject = vmThread->threadObject;
 	if (NULL != contextObject) {
 		contextObject = J9VMJAVALANGTHREAD_INHERITEDACCESSCONTROLCONTEXT(vmThread, contextObject);
 	}
-#endif /* JAVA_SPEC_VERSION < 24 */
 	/* Walk the stack, caching the constant pools of the frames. */
 	walkState.skipCount = startingFrame + 1; /* skip this JNI frame as well */
 	walkState.userData1 = STACK_WALK_STATE_MAGIC;	/* set to NULL when a limited doPrivileged frame is discovered */
@@ -1821,7 +1827,7 @@ storePDobjectsHelper(J9VMThread* vmThread, J9Class* arrayClass, J9StackWalkState
 	}
 	return arrayObject;
 }
-
+#endif /* JAVA_SPEC_VERSION < 24 */
 
 jobject JNICALL
 Java_java_lang_Class_getNestHostImpl(JNIEnv *env, jobject recv)
diff --git a/runtime/oti/j9nonbuilder.h b/runtime/oti/j9nonbuilder.h
index 5c562bbec62..dcbf4adcc88 100644
--- a/runtime/oti/j9nonbuilder.h
+++ b/runtime/oti/j9nonbuilder.h
@@ -5852,10 +5852,12 @@ typedef struct J9JavaVM {
 	/* extensionClassLoader holds the platform class loader in Java 11+ */
 	struct J9ClassLoader* extensionClassLoader;
 	struct J9ClassLoader* applicationClassLoader;
+#if JAVA_SPEC_VERSION < 24
 	UDATA doPrivilegedMethodID1;
 	UDATA doPrivilegedMethodID2;
 	UDATA doPrivilegedWithContextMethodID1;
 	UDATA doPrivilegedWithContextMethodID2;
+#endif /* JAVA_SPEC_VERSION < 24 */
 	void* defaultMemorySpace;
 	j9object_t* systemThreadGroupRef;
 	omrthread_monitor_t classLoaderBlocksMutex;
@@ -6116,8 +6118,10 @@ typedef struct J9JavaVM {
 	omrthread_monitor_t nativeLibraryMonitor;
 	UDATA freePreviousClassLoaders;
 	struct J9ClassLoader* anonClassLoader;
+#if JAVA_SPEC_VERSION < 24
 	UDATA doPrivilegedWithContextPermissionMethodID1;
 	UDATA doPrivilegedWithContextPermissionMethodID2;
+#endif /* JAVA_SPEC_VERSION < 24 */
 	UDATA nativeLibrariesLoadMethodID;
 #if defined(J9VM_INTERP_CUSTOM_SPIN_OPTIONS)
 	struct J9Pool *customSpinOptions;

From aebcf828af98ce4dfc02d486932f7fabb21869d3 Mon Sep 17 00:00:00 2001
From: Theresa Mammarella <Theresa.T.Mammarella@ibm.com>
Date: Fri, 22 Nov 2024 16:17:47 -0500
Subject: [PATCH 8/9] Disable security manager in java.lang.System

- Throw an error on initialization if java.security.manager attempts to add a security manager
- configure setSecurityManager to always throw an UnsupportedOperationException
- getSecurityManager will always return null since a security manager can't be set

Signed-off-by: Theresa Mammarella <Theresa.T.Mammarella@ibm.com>
---
 .../ExternalMessages-MasterIndex.properties   |  2 ++
 .../share/classes/java/lang/System.java       | 26 +++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/jcl/src/java.base/share/classes/com/ibm/oti/util/ExternalMessages-MasterIndex.properties b/jcl/src/java.base/share/classes/com/ibm/oti/util/ExternalMessages-MasterIndex.properties
index 06ecbedde75..9c232e5ac0c 100644
--- a/jcl/src/java.base/share/classes/com/ibm/oti/util/ExternalMessages-MasterIndex.properties
+++ b/jcl/src/java.base/share/classes/com/ibm/oti/util/ExternalMessages-MasterIndex.properties
@@ -482,6 +482,8 @@ K0A02="Bootstrap method returned null."
 K0B00="The Security Manager is deprecated and will be removed in a future release"
 K0B01="Library name must not contain a file path: {0}"
 K0B02="Enabling a SecurityManager currently unsupported when -XX:+EnableCRIUSupport is specified"
+K0B03="Setting a Security Manager is not supported"
+K0B04="A command line option has attempted to allow or enable the Security Manager. Enabling a Security Manager is not supported."
 
 #java.lang.Throwable
 K0C00="Non-standard List class not permitted in suppressedExceptions serial stream"
diff --git a/jcl/src/java.base/share/classes/java/lang/System.java b/jcl/src/java.base/share/classes/java/lang/System.java
index 411b7efa2f8..cd3139854f6 100644
--- a/jcl/src/java.base/share/classes/java/lang/System.java
+++ b/jcl/src/java.base/share/classes/java/lang/System.java
@@ -1265,6 +1265,9 @@ static void checkTmpDir() {
 
 /*[IF JAVA_SPEC_VERSION >= 9]*/
 static void initSecurityManager(ClassLoader applicationClassLoader) {
+	/*[IF JAVA_SPEC_VERSION >= 24]*/
+	boolean throwErrorOnInit = false;
+	/*[ENDIF] JAVA_SPEC_VERSION >= 24 */
 	String javaSecurityManager = internalGetProperties().getProperty("java.security.manager"); //$NON-NLS-1$
 	if (null == javaSecurityManager) {
 		/*[IF JAVA_SPEC_VERSION >= 18]*/
@@ -1273,7 +1276,11 @@ static void initSecurityManager(ClassLoader applicationClassLoader) {
 		/* Do nothing. */
 		/*[ENDIF] JAVA_SPEC_VERSION >= 18 */
 	} else if ("allow".equals(javaSecurityManager)) { //$NON-NLS-1$
+		/*[IF JAVA_SPEC_VERSION >= 24]*/
+		throwErrorOnInit = true;
+		/*[ELSE] JAVA_SPEC_VERSION >= 24 */
 		/* Do nothing. */
+		/*[ENDIF] JAVA_SPEC_VERSION >= 24 */
 	} else if ("disallow".equals(javaSecurityManager)) { //$NON-NLS-1$
 		/*[IF JAVA_SPEC_VERSION > 11]*/
 		throwUOEFromSetSM = true;
@@ -1281,6 +1288,9 @@ static void initSecurityManager(ClassLoader applicationClassLoader) {
 		/* Do nothing. */
 		/*[ENDIF] JAVA_SPEC_VERSION > 11 */
 	} else {
+		/*[IF JAVA_SPEC_VERSION >= 24]*/
+		throwErrorOnInit = true;
+		/*[ELSE] JAVA_SPEC_VERSION >= 24 */
 		/*[IF JAVA_SPEC_VERSION >= 17]*/
 		initialErr.println("WARNING: A command line option has enabled the Security Manager"); //$NON-NLS-1$
 		initialErr.println("WARNING: The Security Manager is deprecated and will be removed in a future release"); //$NON-NLS-1$
@@ -1297,7 +1307,14 @@ static void initSecurityManager(ClassLoader applicationClassLoader) {
 				throw new Error(Msg.getString("K0631", e.toString()), e); //$NON-NLS-1$
 			}
 		}
+		/*[ENDIF] JAVA_SPEC_VERSION >= 24 */
 	}
+	/*[IF JAVA_SPEC_VERSION >= 24]*/
+	if (throwErrorOnInit) {
+		/*[MSG "K0B04", "A command line option has attempted to allow or enable the Security Manager. Enabling a Security Manager is not supported."]*/
+		throw new Error(Msg.getString("K0B04")); //$NON-NLS-1$
+	}
+	/*[ENDIF] JAVA_SPEC_VERSION >= 24 */
 }
 /*[ENDIF] JAVA_SPEC_VERSION >= 9 */
 
@@ -1315,17 +1332,25 @@ static boolean allowSecurityManager() {
  *
  * @param		s			the new security manager
  *
+/*[IF JAVA_SPEC_VERSION >= 24]
+ * @throws		UnsupportedOperationException	always
+/*[ELSE] JAVA_SPEC_VERSION >= 24
  * @throws		SecurityException 	if the security manager has already been set and its checkPermission method doesn't allow it to be replaced.
 /*[IF JAVA_SPEC_VERSION > 11]
  * @throws		UnsupportedOperationException 	if s is non-null and a special token "disallow" has been set for system property "java.security.manager"
  * 												which indicates that a security manager is not allowed to be set dynamically.
 /*[ENDIF] JAVA_SPEC_VERSION > 11
+/*[ENDIF] JAVA_SPEC_VERSION >= 24
  */
 /*[IF JAVA_SPEC_VERSION >= 17]*/
 @Deprecated(since="17", forRemoval=true)
 @CallerSensitive
 /*[ENDIF] JAVA_SPEC_VERSION >= 17 */
 public static void setSecurityManager(final SecurityManager s) {
+/*[IF JAVA_SPEC_VERSION >= 24]*/
+	/*[MSG "K0B03", "Setting a Security Manager is not supported"]*/
+	throw new UnsupportedOperationException(Msg.getString("K0B03")); //$NON-NLS-1$
+/*[ELSE] JAVA_SPEC_VERSION >= 24*/
 /*[IF CRIU_SUPPORT]*/
 	if (openj9.internal.criu.InternalCRIUSupport.isCRIUSupportEnabled()) {
 		/*[MSG "K0B02", "Enabling a SecurityManager currently unsupported when -XX:+EnableCRIUSupport is specified"]*/
@@ -1403,6 +1428,7 @@ public Void run() {
 		currentSecurity.checkPermission(com.ibm.oti.util.RuntimePermissions.permissionSetSecurityManager);
 	}
 	security = s;
+/*[ENDIF] JAVA_SPEC_VERSION >= 24*/
 }
 
 /**

From ac1f2157b49d503123fe872a8044a7a777618c36 Mon Sep 17 00:00:00 2001
From: Theresa Mammarella <Theresa.T.Mammarella@ibm.com>
Date: Thu, 28 Nov 2024 14:46:12 -0500
Subject: [PATCH 9/9] Exclude URLClassLoaderTests
 NonExistJarTests.CheckForError1

... for further investigation.

Signed-off-by: Theresa Mammarella <Theresa.T.Mammarella@ibm.com>
---
 test/functional/cmdLineTests/URLClassLoaderTests/exclude.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/test/functional/cmdLineTests/URLClassLoaderTests/exclude.xml b/test/functional/cmdLineTests/URLClassLoaderTests/exclude.xml
index 3eb80660f3d..860e8ad4072 100644
--- a/test/functional/cmdLineTests/URLClassLoaderTests/exclude.xml
+++ b/test/functional/cmdLineTests/URLClassLoaderTests/exclude.xml
@@ -44,4 +44,5 @@
 	<!-- PR 133321 -->
 	<exclude id="JarExtensionsTests.SingleJarInManifest.Verify1" platform="current"><reason>Failure condition was found: [Output match: LOCAL]</reason></exclude>
 	<exclude id="JarExtensionsTests.MultipleJarsInManifests.Verify1" platform="current"><reason>Failure condition was found: [Output match: LOCAL]</reason></exclude>
+	<exclude id="NonExistJarTests.CheckForError1" platform="all"><reason>https://github.com/eclipse-openj9/openj9/issues/20702</reason></exclude>
 </suite>