Appendix A: JAAS Settings in the java.security Security Properties File

A number of JAAS-related settings can be configured in the java.security security properties file, which is located in the lib/security directory of the Java™ runtime environment.

JAAS adds two new security properties to java.security:

  • login.configuration.provider
  • login.config.url.n

The following pre-existing properties are also relevant for JAAS users:

  • policy.provider
  • policy.url.n

Login Configuration Provider

The default JAAS login configuration implementation provided by IBM gets its configuration information from files and expects the information to be provided in a specific format shown in the tutorials.

The default JAAS login configuration implementation can be replaced by specifying the alternative provider class implementation in the login.configuration.provider property.

For example:

login.configuration.provider=com.foo.Config

If the Security property login.configuration.provider is not found, or is not specified, then it is set to the default value:

login.configuration.provider=com.ibm.security.auth.login.ConfigFile

Note: There is no means to dynamically set the login configuration provider from the command line.

Login Configuration URLs

If you are using a login configuration implementation that expects the configuration information to be specified in files (as does the default implementation from IBM), the location of the login configuration files can be statically set by specifying their respective URLs in the login.config.url.n property. 'n' is a consecutively numbered integer starting with 1. If multiple configuration files are specified (if n >= 2), they will be read and unioned into one single configuration.

For example:

login.config.url.1=file:C:/config/.java.login.config
login.config.url.2=file:C:/users/foo/.foo.login.config

If the location of the configuration files is not set in the java.security properties file, and also is not specified dynamically from the command line (via the -Djava.security.auth.login.config option), JAAS attempts to load a default configuration from

file:${user.home}/.java.login.config

Policy Provider

The default policy implementation can be replaced by specifying the alternative provider class implementation in the policy.provider property.

For example:

policy.provider=com.foo.Policy

If the Security property policy.provider is not found, or is not specified, then the Policy is set to the default value:

policy.provider=sun.security.provider.PolicyFile

Note: There is no means to dynamically set the policy provider from the command line.

Policy File URLs

The location of the access control policy files can be statically set by specifying their respective URLs in the policy.url.n property. 'n' is a consecutively numbered integer starting with 1. If multiple policies are specified (if n >= 2), they will be read and unioned into one single policy.

For example:

policy.url.1=file:C:/policy/.java.policy
policy.url.2=file:C:/users/foo/.foo.policy

If the location of the policy files is not set in the java.security properties file, and is not specified dynamically from the command line (via the -Djava.security.policy option), the access control policy defaults to the same policy as that of the system policy file installed with the J2SDK. That policy file

  • grants all permissions to standard extensions
  • allows anyone to listen on un-privileged ports
  • allows any code to read certain "standard" properties that are not security-sensitive, such as the "os.name" and "file.separator" properties.
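
The following is an added example, not part of the original documentation: a small audit program that prints which JAAS-related settings the running JVM actually sees, so that an unexpected provider class or configuration location stands out. The class name JaasSettingsAudit and its helper methods are hypothetical, and the program assumes that numbered entries stop being read at the first missing n, in line with "consecutively numbered" above.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

public class JaasSettingsAudit {

    // Collect prefix1, prefix2, ... and stop at the first missing number
    // (assumption: entries must be consecutive, as the text above states).
    static List<String> numbered(String prefix) {
        List<String> urls = new ArrayList<>();
        for (int n = 1; ; n++) {
            String url = Security.getProperty(prefix + n);
            if (url == null) break;
            urls.add(url);
        }
        return urls;
    }

    // Show the documented default when the security property is absent.
    static String orDefault(String value, String dflt) {
        return (value == null || value.isEmpty()) ? dflt + " (default)" : value;
    }

    static void report(String label, String prefix, String sysProp, String fallback) {
        List<String> urls = numbered(prefix);
        for (int i = 0; i < urls.size(); i++)
            System.out.println(prefix + (i + 1) + " = " + urls.get(i));
        // Look one position past the first missing number to spot a numbering gap.
        if (Security.getProperty(prefix + (urls.size() + 2)) != null)
            System.out.println("WARNING: " + prefix + (urls.size() + 1)
                + " is missing but a later entry exists; numbering is not consecutive");
        String cmdLine = System.getProperty(sysProp);
        if (cmdLine != null)
            System.out.println("-D" + sysProp + " = " + cmdLine);
        if (urls.isEmpty() && cmdLine == null)
            System.out.println(label + ": nothing configured, falls back to " + fallback);
    }

    public static void main(String[] args) {
        System.out.println("login.configuration.provider = " + orDefault(
            Security.getProperty("login.configuration.provider"),
            "com.ibm.security.auth.login.ConfigFile"));
        report("login configuration", "login.config.url.", "java.security.auth.login.config",
            "file:" + System.getProperty("user.home") + "/.java.login.config");
        System.out.println("policy.provider = " + orDefault(
            Security.getProperty("policy.provider"), "sun.security.provider.PolicyFile"));
        report("policy", "policy.url.", "java.security.policy", "the system policy file");
    }
}
```

Run it with the same JVM and the same -D options as the application being reviewed, since both the java.security file and the command-line properties affect the result.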