- Bug
- Resolution: Not an Issue
- P4
- None
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8221308 | 13 | Raymond Gallardo | P4 | Closed | Not an Issue | |
The java.security.policy system property allows the user to append (with "=") or override (with "==") a policy file. The "==" option should be used with care, as it overrides the built-in JRE policy file, which grants a set of default permissions designed to provide a secure out-of-the-box configuration for the JRE. Overriding this policy may cause strange behavior (JRE code may not be granted the right permissions) and should only be done by experienced users. Currently, there is no such warning in our guides, so we should add one to the following guides:
* Default Policy Implementation and Policy File Syntax
http://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html
(the section: "Specifying an Additional Policy File at Runtime")
* Java Security Architecture
http://docs.oracle.com/javase/8/docs/technotes/guides/security/spec/security-spec.doc3.html#a23883
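An added example, not part of the original issue or the JDK guides: a Python sketch that audits launch lines and flags the "==" override form the description warns about, so it can be reviewed separately from the "=" append form. The sample lines, paths and function names are constructed for illustration.

```python
import re
import shlex

# "=" appends a policy file to the defaults; "==" overrides them (per the description).
# The option must start a token or follow an assignment such as JAVA_OPTS=...
POLICY_OPT = re.compile(r"(?:^|=)-Djava\.security\.policy(==?)(.*)$")


def audit_command_line(cmdline):
    """Return [(mode, policy_path)] for each java.security.policy option found."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        tokens = cmdline.split()
    findings = []
    for token in tokens:
        # A quoted JAVA_OPTS value arrives as one token, so split it again.
        # Limitation: a policy path containing spaces is truncated here.
        for part in token.split():
            m = POLICY_OPT.search(part)
            if m:
                mode = "override" if m.group(1) == "==" else "append"
                findings.append((mode, m.group(2)))
    return findings


def find_overrides(lines):
    """Return [(line_number, policy_path)] for every line using the '==' form."""
    hits = []
    for number, line in enumerate(lines, 1):
        for mode, path in audit_command_line(line):
            if mode == "override":
                hits.append((number, path))
    return hits


# Constructed sample launch lines (paths are placeholders).
SAMPLE_LINES = [
    'java -Djava.security.manager -Djava.security.policy=/opt/app/extra.policy -jar app.jar',
    'java -Djava.security.manager "-Djava.security.policy==/opt/app/only.policy" -jar app.jar',
    'java -Djava.security.policyfile=x -jar app.jar',
    'JAVA_OPTS="-Xmx1g -Djava.security.policy==conf/my.policy"',
]

if __name__ == "__main__":
    for number, path in find_overrides(SAMPLE_LINES):
        print(f"line {number}: default policy overridden by {path}")
```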
- backported by: JDK-8221308 Warn users about implications of using java.security.policy== option in security guides (Closed)