15

I'm looking for a java argument (or perhaps some different method) to allow me to specify a file to be used by the JVM as the java.security file, rather than using the one found in the JDK (in the JRE lib).

To give you a little more context, I am working with a WebLogic server that was set up by someone else and is running two (or more) different JVMs off the same JDK. We have run into an issue now where the work I'm doing on one JVM requires a different java.security file than the one that is currently being used by the other JVM. I am hoping there will be a way for me to just point my JVM at a new java.security file without having to point it at an entirely new JDK (due to space constraints, we would like to avoid uploading a JDK specific to each JVM).

I realize that the server's setup is not ideal, but completely rearranging the existing setup is not viable and not something I am in a position to do. So, I am hoping someone might have a creative solution that would allow for multiple JVMs running off the same JDK but with different security configurations.

I have been trying to find solutions out there, but it seems my Google-fu is not as strong as I had hoped. Here's to hoping one of you has the answer!

Many thanks.

EDIT
Sorry, maybe my original post was not clear, but I am interested in specifying the java.security file, also often referred to as the Java master security properties file, not the java.policy file which is found in the same directory.

My Solution

I will post my solution here just for reference of others who might fall into a similar situation.

As I can't seem to find an argument to specify at startup, I have decided that I will have to forgo the java.security properties file. It is possible to set properties and providers (typically configured in the file) within code using the Security class (java.security.Security). So, at least in the interim, I plan to write a class that will go through setting up my JVM-specific security configurations after startup (essentially overwriting the default configurations provided by the file for the other JVM). While the obvious downside of this solution is that it does not externalize the security configuration of this JVM, the solution does provide me a way to set JVM-specific properties and providers without affecting the configuration of other JVMs running off the same JDK.

I appreciate the time and consideration given by others. Thanks =)

Kai
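The in-code approach described under "My Solution", as an added example (not the poster's code): it sets security properties and reorders a provider through `java.security.Security`. The class name, the property values and the choice of `SunJCE` are constructed samples, and it assumes the class runs before the TLS, JCE or DNS code that consumes these properties, since a consumer that has already read a value may not see the change.

```java
import java.security.Provider;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical startup class: call it before any TLS, JCE or DNS code runs in this JVM.
public class JvmSecurityBootstrap {

    /** Sets each security property; returns the values that were in effect before. */
    static Map<String, String> applyProperties(Map<String, String> overrides) {
        Map<String, String> previous = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : overrides.entrySet()) {
            previous.put(e.getKey(), Security.getProperty(e.getKey())); // null if unset
            Security.setProperty(e.getKey(), e.getValue());
        }
        return previous;
    }

    /** Moves an already registered provider to a 1-based preference position. */
    static boolean preferProvider(String name, int position) {
        Provider p = Security.getProvider(name);
        if (p == null) {
            return false; // not registered in this JVM, nothing to move
        }
        Security.removeProvider(name); // insertProviderAt returns -1 for an installed provider
        return Security.insertProviderAt(p, position) != -1;
    }

    public static void main(String[] args) {
        // Constructed sample values; replace with this JVM's real settings.
        Map<String, String> overrides = new LinkedHashMap<>();
        overrides.put("jdk.tls.disabledAlgorithms", "SSLv3, TLSv1, TLSv1.1, RC4, 3DES_EDE_CBC");
        overrides.put("networkaddress.cache.ttl", "30");

        // Log old -> new so the per-JVM deviation from the shared file is auditable.
        applyProperties(overrides).forEach((key, old) ->
                System.out.println(key + ": [" + old + "] -> [" + Security.getProperty(key) + "]"));

        System.out.println("SunJCE moved to position 1: " + preferProvider("SunJCE", 1));
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName());
        }
    }
}
```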

3 Answers

20

Looking at the OpenJDK source, you cannot change the loading of the java.security file. However, that file has a property called `security.overridePropertiesFile` which, if set to true (as it is in my current, vanilla install), allows you to load an additional security properties file specified through the system property named `java.security.properties`. Note also that the command line syntax follows a similar pattern to the policy file, where `=` specifies additional configuration and `==` specifies a complete replacement configuration.

Bill the Lizard
james
  • way to go to the source on this one, james! I'll try this out today when I get a chance and let everyone know of results. – Kai Dec 24 '10 at 14:40
  • 1
    Trying this solution yielded no change in results. The JVM doesn't seem to be overriding or appending to the security file and simply uses the default one. – Kai Dec 30 '10 at 21:23
  • This seems to be covered in this article: https://dzone.com/articles/how-override-java-security – bwobbones Mar 23 '17 at 15:17
7

Maybe the accepted answer on this thread would help you out; basically it says that you need to specify your own policy file and the final invocation should look like:

```
java -Djava.security.manager -Djava.security.policy=/some/path/my.policy
```
Community
Sanjay T. Sharma
  • 3
    Thank you, Sanjay. This seems like a good place to start but, correct me if I am wrong, this is to specify a .policy file? Is there a way to apply this to a .security file (i.e. the master properties file to configure security providers etc.)? – Kai Dec 23 '10 at 17:52
  • NOT "-Djava.security.manager." NOT "-Djava.security.policy." See the answers from "james" and "mannnnerd" for the correct parameter of -Djava.security.properties. (The correct parameter for overriding the java.security file is also given, quite logically, in the large comment block at the top of java.security, as well as the clause in the file that controls whether overrides are accepted.) – hbquikcomjamesl Jan 27 '22 at 01:30
  • Specifying a java.security override file for "-Djava.security.manager" crashes the JVM (which is a very big deal on a Chromebook; I speak from experience). Specifying it for "-DJava.security.policy" simply doesn't do anything useful. – hbquikcomjamesl Jan 27 '22 at 01:35
6

You can just set the system property `-Djava.security.properties=*****` to specify the security property you want to load, but you must set the property `security.overridePropertiesFile=true` prior to using this approach.

user2427
mannnnerd
  • 2
    Not sure about earlier versions but if you look at the comments at the top of the java.security file in Java 8, all is made clear: `-Djava.security.properties=` appends to the master security properties file. If both properties files specify values for the same key, the value from the command-line properties file is selected, as it is the last one loaded. Also, if you specify `-Djava.security.properties==` (2 equals), then that properties file completely overrides the master security properties file. – mtjhax Apr 29 '16 at 13:09
  • 4
    `-Djava.security.debug=properties` might also become handy when troubleshooting loading of override files in this manner – Janaka Bandara Jul 11 '18 at 11:49
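A way to confirm, from inside the target JVM, that the file passed with `-Djava.security.properties` (as described in the answers from james and mannnnerd) actually took effect. This is an added example, not code from the thread; the class name is hypothetical and it assumes the system property holds a local file path rather than a URL.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Security;
import java.util.Properties;

// Hypothetical diagnostic: run it with the same -D options as the JVM under test.
public class SecurityOverrideCheck {
    public static void main(String[] args) throws IOException {
        String arg = System.getProperty("java.security.properties");
        if (arg == null || arg.isEmpty()) {
            System.out.println("java.security.properties not set: master file only");
            return;
        }
        // "-Djava.security.properties==file" reaches the JVM as the value "=file".
        boolean replace = arg.startsWith("=");
        String path = replace ? arg.substring(1) : arg;
        System.out.println((replace ? "replace" : "append") + " mode requested, file: " + path);

        // The master file must set this to true for the extra file to be honored.
        System.out.println("security.overridePropertiesFile = "
                + Security.getProperty("security.overridePropertiesFile"));

        // Read the override file ourselves and compare it with what the JVM reports.
        Properties expected = new Properties();
        try (Reader r = Files.newBufferedReader(Paths.get(path))) {
            expected.load(r);
        }
        int mismatches = 0;
        for (String key : expected.stringPropertyNames()) {
            String want = expected.getProperty(key).trim();
            String got = Security.getProperty(key);
            if (!want.equals(got)) {
                mismatches++;
                System.out.println("MISMATCH " + key + ": file=[" + want + "] jvm=[" + got + "]");
            }
        }
        System.out.println(mismatches == 0
                ? "every key in the override file is in effect"
                : mismatches + " key(s) not in effect: the override file was not applied");
        System.exit(mismatches == 0 ? 0 : 1);
    }
}
```

Adding `-Djava.security.debug=properties`, mentioned in the comment above, to the same command line shows the load sequence alongside this result.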