From OpenJDK 17, the Java SecurityManager will be deprecated, with eventual removal planned over the coming releases.

When
a Java class references the following classes:

• java.lang.SecurityManager
• java.security.Policy
• java.security.PolicySpi
• java.security.Policy.Parameters
• java.security.AccessController
• java.security.AccessControlContext
• java.security.AccessControlException
• java.security.DomainCombiner
• java.rmi.RMISecurityManager
• javax.security.auth.SubjectDomainCombiner

or methods:

• java.lang.System::setSecurityManager
• java.lang.System::getSecurityManager
• java.lang.Thread::checkAccess
• java.lang.ThreadGroup::checkAccess
• java.util.logging.LogManager::checkAccess
• java.util.concurrent.Executors::privilegedCallable
• java.util.concurrent.Executors::privilegedCallableUsingCurrentClassLoader
• java.util.concurrent.Executors::privilegedThreadFactory
• javax.security.auth.Subject::doAsPrivileged
• javax.security.auth.Subject:: getSubject

Perform
Add a hint to remove these references as they will become no-ops in later releases and eventually be removed. Long term, they should look at alternatives to secure their application as this form of code access security has proved unworkable and the industry in general is moving away from it.

References
https://openjdk.org/jeps/411