RFR: 8061842: Package jurisdiction policy files as something other than JAR

Bradford Wetmore bradford.wetmore at oracle.com
Thu Aug 4 19:35:21 UTC 2016


https://bugs.openjdk.java.net/browse/JDK-8061842
http://cr.openjdk.java.net/~wetmore/8061842/webrev.00/

The proposal is to move the configuration files from the jar files in 
<java-home>/lib/security to a series of subdirectories under a new 
"policy" subdirectory in <java-home>/conf/security.  Each subdirectory 
within that directory will represent a complete policy configuration. 
The existing jar files will be split into flat text files such that the 
current/existing policies remain.

The default set of policy files (i.e. directory) is configured using a 
new java.security.Security property called "crypto.policy" which will be 
added to the <java-home>/conf/security/java.security file.  The default 
initial options are "limited" or "unlimited", however additional 
directories could potentially be created that specify other 
as-yet-unknown policies.

The default value of this property will be "limited" which corresponds 
to our current policy for JRE/JDK export/import around the world. 
However, the build respects the following "configure" option:

     --enable-unlimited-crypto
                         Enable unlimited crypto policy [disabled]

Within the directory, our implementation will look for files using the 
standard filename prefix above ("default_" or "exempt_"), thus new 
additional policy restrictions/abstractions can be added with a simple 
file addition.

Brad
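
A deployment check for the layout proposed above, as an added example that is not part of the original message or the webrev. It assumes the `crypto.policy` property and the `<java-home>/conf/security/policy/<name>/` directory exactly as described in the proposal; the class name `CryptoPolicyCheck` and the optional expected-policy argument are hypothetical.

```java
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;

public class CryptoPolicyCheck {
    public static void main(String[] args) throws IOException, NoSuchAlgorithmException {
        // Security property named in the proposal; null if java.security does not set it.
        String policy = Security.getProperty("crypto.policy");
        System.out.println("crypto.policy = " + policy);

        if (policy != null) {
            // Directory layout assumed from the proposal text.
            Path dir = Paths.get(System.getProperty("java.home"),
                                 "conf", "security", "policy", policy);
            if (Files.isDirectory(dir)) {
                try (DirectoryStream<Path> files = Files.newDirectoryStream(dir)) {
                    for (Path f : files) {
                        String name = f.getFileName().toString();
                        // Prefixes the proposal says the implementation looks for.
                        boolean prefixed = name.startsWith("default_")
                                        || name.startsWith("exempt_");
                        System.out.println((prefixed ? "  policy file: " : "  other file:  ") + name);
                    }
                }
            } else {
                System.out.println("  no such directory: " + dir);
            }
        }

        // What the loaded jurisdiction policy actually permits at runtime.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES key length = "
                + (maxAes == Integer.MAX_VALUE ? "unrestricted" : maxAes + " bits"));

        // Optional: pass the expected policy name to fail a deployment check on mismatch.
        if (args.length > 0 && !args[0].equals(policy)) {
            System.err.println("expected crypto.policy=" + args[0] + " but found " + policy);
            System.exit(1);
        }
    }
}
```

Comparing the property value with the key length reported by `Cipher.getMaxAllowedKeyLength` shows whether the configured directory is the one the runtime actually loaded.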