JDK-8291891

Throw error if default java.security file is missing


    • behavioral
    • low
    • The application now fails to start rather than continuing insecurely. Having a JDK installed without the conf/security/java.security file is very unlikely.
    • System or security property
    • Implementation

      Summary

      Throw java.lang.InternalError if the conf/security/java.security file is missing. Currently, if that file is missing, the JDK falls back to using an old, unmaintained configuration file.

      Problem

      The conf/security/java.security configuration file ships with the JDK and contains security configuration properties to ensure the JDK runs with the latest security standards. If that file is missing, the current implementation falls back to a hardcoded set of properties which is minimal and not maintained. The fallback approach has regressed since the introduction of JDK modules. See JDK-8291888.

      Solution

      Introduce an implementation-specific change where an InternalError is thrown if the java.security file is detected to be missing when the Java security framework is initializing. Remove the fallback approach currently in place.

      Specification

      The conf/security/java.security configuration file is read once on initialization of the java.security.Security class. Make a JDK implementation-specific change so that if java.security is missing, an unspecified error will be thrown. The security.overridePropertiesFile=true configuration will continue to work as before.

      Add the following @implNote to java.security.Security:

        @implNote If the properties file fails to load, the JDK implementation will
        throw an unspecified error when initializing the {@code Security} class.

      Add the following note to the java.security conf file:

       If this properties file fails to load, the JDK implementation will throw
       an unspecified error when initializing the java.security.Security class.
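
      A pre-flight check for the condition this change turns into a startup failure, as an added example that is not part of the JDK or of this CSR: it verifies that a JDK home still carries conf/security/java.security and reports the security.overridePropertiesFile setting. The function names and the sample tree are hypothetical, and the "no properties defined" check is an extra precaution the page does not describe.

```shell
#!/bin/sh
# Added example: audit a JDK home before deployment (names are hypothetical).

# Print the effective value of one property from a java.security-style file.
# Comment lines (# or !) are skipped, '=' or ':' separates key and value,
# and the last definition wins, as with java.util.Properties.
get_security_prop() {
    # $1 = properties file, $2 = property name
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n -e 's/^[[:space:]]*//' -e '/^[#!]/d' \
        -e "s/^$key[[:space:]]*[=:][[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 if the file is usable, 1 if missing, 2 if unreadable,
# 3 if it defines no properties (extra precaution, not from the CSR).
check_java_security() {
    # $1 = JDK home directory
    f="$1/conf/security/java.security"
    [ -f "$f" ] || { echo "MISSING: $f" >&2; return 1; }
    [ -r "$f" ] || { echo "UNREADABLE: $f" >&2; return 2; }
    if ! grep -Eq '^[[:space:]]*[^#![:space:]]' "$f"; then
        echo "EMPTY: $f defines no properties" >&2
        return 3
    fi
    override=$(get_security_prop "$f" security.overridePropertiesFile)
    echo "OK: $f (security.overridePropertiesFile=${override:-unset})"
}

# Constructed sample: a fake JDK home in a temp dir, not a real JDK.
make_sample_jdk() {
    d=$(mktemp -d) && mkdir -p "$d/conf/security" &&
        printf '%s\n' '# constructed sample' \
            'security.overridePropertiesFile=true' \
            'keystore.type=pkcs12' > "$d/conf/security/java.security" &&
        echo "$d"
}

# Usage: sh check.sh /path/to/jdk   (does nothing when no argument is given)
[ $# -eq 0 ] || check_java_security "$1"
```

      Run against each runtime image at build or deploy time, a non-zero exit status identifies an installation that would fail to initialize java.security.Security after this change.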

            coffeys Sean Coffey
            coffeys Sean Coffey
            Alan Bateman, Sean Mullan