RFR: 8309330: Allow java.security to be extended via a properties directory [v2]
Andrew John Hughes
andrew at openjdk.org
Tue Jul 11 08:51:13 UTC 2023
On Fri, 2 Jun 2023 12:58:36 GMT, Andrew John Hughes <andrew at openjdk.org> wrote:
>> Currently, security properties are held within the `java.security` file in the JDK tree for each installed JDK. The system property `java.security.properties` can be used to point to a file containing additional properties. These can be appended to the existing set or override all existing properties.
>>
>> There is currently no way to specify additional properties permanently or to reference multiple files. Making permanent changes to the `java.security` properties requires editing the `java.security` file in each JDK where the changes are required.
>>
>> This patch allows a directory tree to be specified either permanently in the java.security file by the `security.propertiesDir` property or on the command line using `java.security.propertiesDir`. Any property files found in this directory tree can be appended to those specified in `java.security`, as with the single file used by `java.security.properties`.
>>
>> As an example, the `security.propertiesDir` in the `java.security` file of each JDK can be set to a common shared directory, allowing all JDKs to share a common set of security properties. This eases setting up properties on each new JDK installation and also allows the shared properties to be maintained under different access permissions to those of the JDK.
>>
>> The command-line variant, `java.security.propertiesDir`, is intended primarily for testing and to disable a permanent properties directory by setting the value to empty. As with `java.security.properties`, the system property will be ignored if `security.overridePropertiesFile` in the `java.security` file is not set to true.
>>
>> A less flexible version of this patch (a permanent hardcoded single file) has been [used in our JDK installations since 2016](https://bugzilla.redhat.com/show_bug.cgi?id=1249083) to provide a system-wide crypto policy. Having support for this in the upstream JDK would allow us to remove a local patch from our builds and reduce divergence from upstream.
>
> Andrew John Hughes has updated the pull request incrementally with one additional commit since the last revision:
>
> Sort the returned list of property files and exclude hidden files.
Still waiting on CSR resolution.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/14277#issuecomment-1630411780
More information about the security-dev
mailing list