Inside Java

News and views from members of the Java team at Oracle

Quality Outreach Heads-up - JDK 24: Security Properties Files Inclusion

The OpenJDK Quality Group is promoting the testing of FOSS projects with OpenJDK builds as a way to improve the overall quality of the release. This heads-up is part of a regular communication sent to the projects involved. To learn more about the program, and how to join, please check here.

Include Additional Properties Files

Managing security properties across multiple Java Development Kit (JDK) releases can be a challenge, particularly in environments requiring centralized control and distinct security profiles. To address this, the Java Platform now allows the main security properties file (${java.home}/conf/security/java.security) or any file specified via the java.security.properties system property to include additional files.

# Including files inline in the main security properties file
include /path/to/legacy-config.security
include /path/to/tls-config.security
# Existing security property
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA
# TLS-specific properties in referenced file (tls-config.security)
jdk.tls.legacyAlgorithms=SHA1, DSA

include becomes a reserved word and can no longer be used as the name of a security property. Any call to java.security.Security.getProperty("include") or java.security.Security.setProperty("include", ...) throws an unchecked IllegalArgumentException. Inclusion is recursive, allowing for nested configurations, provided no cycles occur. Paths to the included files may be absolute or relative. If local, the JVM resolves each relative path against the base file containing its include definition.

The inclusion mechanism ensures robust security by:

Users must ensure included files have appropriate permissions to safeguard against tampering. For example, enforce secure permissions on included files: chmod 600 /path/to/tls-config.security.
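The audit script below is an added example, not code from the JDK or from the original post. It follows include lines as described above (relative paths resolved against the including file, cycles reported) and flags any file in the chain that group or others can write to. Its line parsing is a simplified approximation of the JDK loader, and the function names and the sample file tree are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_includes(path, stack=(), findings=None, seen=None):
    """Simplified approximation of the JDK loader (assumption): returns (files, findings)."""
    findings = [] if findings is None else findings
    seen = [] if seen is None else seen
    path = os.path.realpath(path)
    if path in stack:                      # file includes itself, directly or indirectly
        findings.append(("cycle", path))
        return seen, findings
    try:
        mode = os.stat(path).st_mode
        with open(path, encoding="latin-1") as fh:
            lines = fh.read().splitlines()
    except OSError:
        findings.append(("unreadable", path))
        return seen, findings
    if mode & (stat.S_IWGRP | stat.S_IWOTH):   # writable beyond the owner: tampering risk
        findings.append(("writable-by-others", path))
    seen.append(path)
    for line in lines:
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] == "include":
            # Relative paths resolve against the file containing the include line.
            target = os.path.join(os.path.dirname(path), parts[1].strip())
            audit_includes(target, stack + (path,), findings, seen)
    return seen, findings

def build_sample(root):
    """Constructed sample tree: main file -> tls file -> main file (a cycle)."""
    os.makedirs(os.path.join(root, "profiles"))
    main = os.path.join(root, "java.security")
    tls = os.path.join(root, "profiles", "tls-config.security")
    with open(main, "w") as fh:
        fh.write("include profiles/tls-config.security\n"
                 "jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA\n")
    with open(tls, "w") as fh:
        fh.write("jdk.tls.legacyAlgorithms=SHA1, DSA\ninclude ../java.security\n")
    os.chmod(main, 0o600)
    os.chmod(tls, 0o666)       # deliberately loose, so the audit flags it
    return main

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        files, findings = audit_includes(build_sample(tmp))
        for kind, where in findings:
            print(kind, where)
```

The write-bit check is looser than the chmod 600 shown above; tighten the mask if included files must also be unreadable to other accounts.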

Additionally, there are several benefits to including other properties files:

This enhancement offers better control and adaptability over Java security properties for developers, system administrators and infrastructure engineers.

More Details

This is a summary; for more details, make sure to read the JDK 24 release notes.
