RFR: 8309330: Allow java.security to be extended via a properties directory

Alexey Bakhtin abakhtin at openjdk.org
Fri Jun 2 02:04:11 UTC 2023 

On Fri, 2 Jun 2023 00:57:49 GMT, Andrew John Hughes <andrew at openjdk.org> wrote:

> Currently, security properties are held within the `java.security` file in the JDK tree for each installed JDK. The system property `java.security.properties` can be used to point to a file containing additional properties. These can be appended to the existing set or override all existing properties.
> 
> There is currently no way to specify additional properties permanently or to reference multiple files. Making permanent changes to the `java.security` properties requires editing the `java.security` file in each JDK where the changes are required.
> 
> This patch allows a directory tree to be specified either permanently in the java.security file by the `security.propertiesDir` property or on the command line using `java.security.propertiesDir`. Any property files found in this directory tree can be appended to those specified in `java.security`, as with the single file used by `java.security.properties`.
> 
> As an example, the `security.propertiesDir` in the `java.security` file of each JDK can be set to a common shared directory, allowing all JDKs to share a common set of security properties. This eases setting up properties on each new JDK installation and also allows the shared properties to be maintained under different access permissions to those of the JDK.
> 
> The command-line variant, `java.security.propertiesDir`, is intended primarily for testing and to disable a permanent properties directory by setting the value to empty. As with `java.security.properties`, the system property will be ignored if `security.overridePropertiesFile` in the `java.security` file is not set to true.
> 
> A less flexible version of this patch (a permanent hardcoded single file) has been [used in our JDK installations since 2016](https://bugzilla.redhat.com/show_bug.cgi?id=1249083) to provide a system-wide crypto policy. Having support for this in the upstream JDK would allow us to remove a local patch from our builds and reduce divergence from upstream.

src/java.base/share/classes/java/security/Security.java line 138:

> 136:             try {
> 137:                 extraPropDir = PropertyExpander.expand(extraPropDir);
> 138:                 stream = Files.find(Path.of(extraPropDir), Integer.MAX_VALUE,

Hi @gnu-andrew ,
The order of the files, returned by File::find is not defined. Different property files can change the same security properties, and only the latest changes will be applied. So the order of the property files is important but seems not controlled by the propertiesDir option.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/14277#discussion_r1213841747

More information about the security-dev mailing list