configuration files in ${java.home}/lib/security
Sean Mullan
sean.mullan at oracle.com
Tue Oct 16 17:45:22 UTC 2012
On 10/16/2012 09:55 AM, Alan Bateman wrote:
> As part of preparing for modules in the future [1], we need to look at
> configuration (and other) files in the JDK and see whether such files
> could eventually move to module-private locations.
>
> There are several files in ${java.home}/lib/security and I'm trying to
> get a feel for how common it is for developers or customers to edit
> them. The specification for java.security.Policy and
> java.security.KeyStore define the name/location of java.security and we
> need to decide whether these can be changed to non-normative references.
> I know from discussion with Sean on jigsaw-dev and elsewhere that some
> customers may change the preference order of providers but this is
> something that needs to be re-examined anyway as part of deploying
> security providers as service providers. I'm mostly interested in the
> other settings at this time and whether it is common or not to change
> them. Also the other files, including java.policy. I realize we might
> not have actual data but as such files are in the JDK image then I could
> imagine it being problematic when upgrading the JDK.

Right, any modifications that are made to these files will be
overwritten when you upgrade. There is a way to avoid doing that by
specifying an alternate java.security file using the
java.security.properties system property, or alternatively you can use
the java.security.Security API to override the values of these
properties, but unlike system properties I don't think you can set them
via the java command line.

I have no real data, but I suspect that re-adjusting or adding new
providers is probably the most common use case. The other properties are
more obscure and use reasonable default values. For cacerts and
java.policy, the same JDK upgrade issue applies and will clobber any
changes you make, but if you are using Oracle's deployment tools, you
can add new root certs and make system policy changes using
deployment-specific files, so this is less of an issue.

It might be worth asking the EE folks whether they change any of these
properties.

--Sean

>
> Thanks,
>
> -Alan.
>
> [1] http://openjdk.java.net/jeps/162
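
The java.security.Security API route mentioned in the reply, as an added example that is not part of the original message or of the JDK sources: it applies property overrides from a file kept outside ${java.home} and moves an installed provider to the front of the preference order, so nothing under lib/security is edited and nothing is lost on upgrade. The class name, the override file path and the provider name passed on the command line are assumptions for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Provider;
import java.security.Security;
import java.util.Properties;

// Hypothetical startup helper: call it before any code uses the security
// classes, because some security properties are read once and then cached.
public class SecurityOverrides {

    /** Apply key=value overrides from a file kept outside ${java.home}. */
    static void applyProperties(Path overrides) throws IOException {
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(overrides)) {
            props.load(in);
        }
        for (String key : props.stringPropertyNames()) {
            String before = Security.getProperty(key);
            // Needs SecurityPermission("setProperty.<key>") under a security manager.
            Security.setProperty(key, props.getProperty(key));
            System.out.printf("%s: %s -> %s%n", key, before, Security.getProperty(key));
        }
    }

    /** Move an already-installed provider to a 1-based preference position. */
    static void preferProvider(String name, int position) {
        Provider p = Security.getProvider(name);
        if (p == null) {
            throw new IllegalArgumentException("provider not installed: " + name);
        }
        // insertProviderAt returns -1 for an installed provider, so remove it first.
        Security.removeProvider(name);
        Security.insertProviderAt(p, position);
    }

    public static void main(String[] args) throws IOException {
        // args[0]: override file (assumed path, e.g. /etc/myapp/security-overrides.properties)
        // args[1]: name of an installed provider to prefer (assumed, e.g. "SunJCE")
        applyProperties(Paths.get(args[0]));
        preferProvider(args[1], 1);
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName()); // resulting preference order
        }
    }
}
```

Overrides applied this way last only for the lifetime of the JVM that runs them, which is why the override file has to live with the application rather than in the JDK image.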