How to Override Java Security Configuration per JVM Instance

Saturday, November 24, 2012

Introduction

Lately I encountered a configuration tweak I was not aware of. The problem: I had a single Java installation on a Linux machine from which I had to start two JVM instances, each using a different set of JCE providers. A reminder: the JVM loads its security configuration, including the JCE providers list, from a master security properties file within the JRE folder (JRE_HOME/lib/security/java.security); the location of that file is fixed in the JVM and cannot be modified. Going over the documentation (not very helpful, I must admit) and the code (more helpful; look for Security.java, for example here) revealed the secret.

security.overridePropertiesFile

It all starts within the default java.security file provided with the JVM; looking at it we will find the following (somewhere around the middle of the file):
#
# Determines whether this properties file can be appended to
# or overridden on the command line via -Djava.security.properties
#
security.overridePropertiesFile=true

If security.overridePropertiesFile does not equal true we can stop here - the rest of this article is irrelevant (unless we have the option to change it, but I didn't have that). Luckily, by default it does equal true.

java.security.properties

Next step, the interesting one, is to override or append configuration to the default java.security file per JVM execution. This is done by setting the 'java.security.properties' system property to point to a properties file as part of the JVM invocation; it is important to notice that the file can be referenced in one of two ways:
  1. Overriding the entire file provided by the JVM - if the first character in the value of java.security.properties is an equals sign, the default configuration file is ignored entirely and only the values in the file we point to are effective.
  2. Appending to and overriding values of the default file - any other first character in the property's value (that is, the first character of the alternate configuration file path) means the alternate file is loaded and appended to the default one. If the alternate file contains properties that already exist in the default configuration file, the alternate file's values override them.
Here are two examples:
#
# Completely override the default java.security file content
# (notice the *two* equal signs) 
#
java -Djava.security.properties==/etc/sysconfig/jvm1.java.security

#
# Append or override parts of the default java.security file
# (notice the *single* equal sign)
#
java -Djava.security.properties=/etc/sysconfig/jvm.java.security

Be Careful

As important a configuration option as this is, we must not forget its security implications: whoever controls the value of java.security.properties, or the content of the alternate file it points to, controls the JVM's security settings. We should always make sure that no one can tamper with the value of the property, or with the alternate file's content, unless they are allowed to.
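As an added example (my own code, not from the post), a small Java class that reports which override mode the running JVM actually ended up in and refuses to start if the resulting provider list is not the expected one; the property name jvm.profile and the EXPECTED provider names are assumptions:

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.List;

// Reports the security configuration the running JVM actually ended up with,
// so the effect of -Djava.security.properties (single vs. double '=') can be
// confirmed, and refuses to continue if the provider list is not the expected one.
public class SecurityConfigCheck {
    // Expected provider names in preference order (constructed sample; adjust
    // to whatever your alternate java.security file configures).
    static final List<String> EXPECTED = Arrays.asList("SUN", "SunRsaSign", "SunJCE");

    // True when the installed providers begin with EXPECTED, in that order.
    static boolean providersMatch(Provider[] installed, List<String> expected) {
        if (installed.length < expected.size()) return false;
        for (int i = 0; i < expected.size(); i++) {
            if (!expected.get(i).equals(installed[i].getName())) return false;
        }
        return true;
    }

    // Describes how the alternate file was applied, based on the raw -D value.
    static String overrideMode(String alt) {
        if (alt == null) return "not set (default java.security only)";
        // Security.java only strips the leading '=' in its own local copy, so
        // "==/path" on the command line shows up here as "=/path".
        return alt.startsWith("=") ? "default file replaced by " + alt.substring(1)
                                   : "default file appended/overridden by " + alt;
    }

    public static void main(String[] args) {
        System.out.println("java.security.properties: "
                + overrideMode(System.getProperty("java.security.properties")));
        // The master switch from java.security; when false the -D option is ignored.
        System.out.println("security.overridePropertiesFile = "
                + Security.getProperty("security.overridePropertiesFile"));
        // "jvm.profile" is a hypothetical property present only in the alternate
        // file; null here means the override did not take effect (for instance
        // because -D was placed after the main class name).
        System.out.println("jvm.profile = " + Security.getProperty("jvm.profile"));
        Provider[] installed = Security.getProviders();
        for (int i = 0; i < installed.length; i++) {
            System.out.println((i + 1) + ". " + installed[i].getName());
        }
        if (!providersMatch(installed, EXPECTED)) {
            System.err.println("Unexpected JCE provider list, refusing to start");
            System.exit(1);
        }
    }
}
```

Run it once as java -Djava.security.properties==/etc/sysconfig/jvm1.java.security SecurityConfigCheck and once with a single '=' to see the reported mode and provider list change.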

16 comments:

Anonymous September 25, 2013 at 11:48 PM  

Interesting, would it work in conjunction with "-Djava.endorsed.dirs" so that I can have my bouncycastle provider jar outside of jre/lib/ext directory?

Eyal Lupu September 26, 2013 at 1:26 AM  

I cannot remember if the endorsed folder is supported for JCE providers - but if so I don't see a reason why you cannot combine the two.
The best is probably to give it a try

Anonymous September 26, 2013 at 1:41 AM  

It works with -Djava.ext.dirs:

-Djava.ext.dirs=%JAVA_HOME%/jre/lib/ext;my/custom/ext/dir

Naresh October 10, 2013 at 10:54 AM  

For some reason, I cannot get this to work. That is, override a property by specifying it in a custom properties file and providing the location via the -Djava.security.properties parameter.

Keep getting the default value specified in java.security file.

I couldn't get this to work in JDK 1.6_32, 1.7.0_25, 1.7.0_40.

Eyal Lupu October 11, 2013 at 1:04 AM  

Make sure you are setting the property (-D) before the main class name.

equestions December 11, 2014 at 6:24 PM  

Eyal, my purpose is really to eliminate overriding. So I plan to change the default 'true' value to 'false'. For local connections that is sufficient to prevent overriding of system properties. However, that does not work for remote connections using RMI. Any advice with respect to RMI? Thanks!
