Mercurial > hg > release > icedtea6-1.12
view patches/openjdk/8004188-rename_java.security.patch @ 3029:dfef77966f7c
Add 2013/10/15 security fixes.
2013-10-29 Andrew John Hughes <gnu.andrew@redhat.com>
* Makefile.am:
(SECURITY_PATCHES): Add security update.
* NEWS: Updated.
* patches/jtreg-LastErrorString.patch,
* patches/use-idx_t.patch,
* patches/openjdk/7162902-corba_fixes.patch,
* patches/openjdk/7196533-timezone_bottleneck.patch,
* patches/openjdk/8010727-empty_logger_name.patch,
* patches/openjdk/8010939-logmanager_deadlock.patch,
* patches/openjdk/8012617-arrayindexoutofbounds_linebreakmeasurer.patch,
* patches/openjdk/8014718-remove_logging_suntoolkit.patch:
Regenerated.
* patches/nss-config.patch: Fix path to java.security.
* patches/openjdk/4075303-javap_update.patch,
* patches/openjdk/4111861-static_fields.patch,
* patches/openjdk/4501661-disallow_mixing.patch,
* patches/openjdk/4884240-javap_additional_option.patch,
* patches/openjdk/6708729-javap_makefile_update.patch,
* patches/openjdk/6715767-javap_crash.patch,
* patches/openjdk/6819246-javap_instruction_decoding.patch,
* patches/openjdk/6824493-experimental.patch,
* patches/openjdk/6841419-classfile_iterator.patch,
* patches/openjdk/6841420-classfile_methods.patch,
* patches/openjdk/6843013-missing_experimental.patch,
* patches/openjdk/6852856-javap_subclasses.patch,
* patches/openjdk/6867671-javap_whitespace.patch,
* patches/openjdk/6868539-constant_pool_tags.patch,
* patches/openjdk/6902264-fix_indentation.patch,
* patches/openjdk/6954275-big_xml_signatures.patch,
* patches/openjdk/7146431-java.security_files.patch,
* patches/openjdk/8000450-restrict_access.patch,
* patches/openjdk/8002070-remove_logger_stack_search.patch,
* patches/openjdk/8003992-embedded_nulls.patch,
* patches/openjdk/8004188-rename_java.security.patch,
* patches/openjdk/8006882-jmockit.patch,
* patches/openjdk/8006900-new_date_time.patch,
* patches/openjdk/8008589-better_mbean_permission_validation.patch,
* patches/openjdk/8010118-caller_sensitive.patch,
* patches/openjdk/8011071-better_crypto_provider_handling.patch,
* patches/openjdk/8011081-improve_jhat.patch,
* patches/openjdk/8011139-revise_checking_getenclosingclass.patch,
* patches/openjdk/8011157-improve_corba_portability-jdk.patch,
* patches/openjdk/8011157-improve_corba_portability.patch,
* patches/openjdk/8011990-logger_test_urls.patch,
* patches/openjdk/8012071-better_bean_building.patch,
* patches/openjdk/8012147-improve_tool.patch,
* patches/openjdk/8012243-serial_regression.patch,
* patches/openjdk/8012277-improve_dataflavour.patch,
* patches/openjdk/8012425-transform_transformfactory.patch,
* patches/openjdk/8012453-runtime.exec.patch,
* patches/openjdk/8013380-logger_stack_walk_glassfish.patch,
* patches/openjdk/8013503-improve_stream_factories.patch,
* patches/openjdk/8013506-better_pack200.patch,
* patches/openjdk/8013510-augment_image_writing.patch,
* patches/openjdk/8013514-improve_cmap_stability.patch,
* patches/openjdk/8013739-better_ldap_resource_management.patch,
* patches/openjdk/8013744-better_tabling.patch,
* patches/openjdk/8013827-createtempfile_hang.patch,
* patches/openjdk/8014085-better_serialization.patch,
* patches/openjdk/8014093-improve_image_parsing.patch,
* patches/openjdk/8014102-improve_image_conversion.patch,
* patches/openjdk/8014341-better_kerberos_service.patch,
* patches/openjdk/8014349-getdeclaredclass_fix.patch,
* patches/openjdk/8014530-better_dsp.patch,
* patches/openjdk/8014534-better_profiling.patch,
* patches/openjdk/8014745-logger_stack_walk_switch.patch,
* patches/openjdk/8014987-augment_serialization.patch,
* patches/openjdk/8015144-performance_regression.patch,
* patches/openjdk/8015614-update_build.patch,
* patches/openjdk/8015731-auth_improvements.patch,
* patches/openjdk/8015743-address_internet_addresses.patch,
* patches/openjdk/8015965-typo_in_property_name.patch,
* patches/openjdk/8015978-incorrect_transformation.patch,
* patches/openjdk/8016256-finalization_final.patch,
* patches/openjdk/8016357-update_hs_diagnostic_class.patch,
* patches/openjdk/8016653-ignoreable_characters.patch,
* patches/openjdk/8016675-robust_javadoc.patch,
* patches/openjdk/8017196-ensure_proxies_are_handled_appropriately-jdk.patch,
* patches/openjdk/8017196-ensure_proxies_are_handled_appropriately.patch,
* patches/openjdk/8017287-better_resource_disposal.patch,
* patches/openjdk/8017291-cast_proxies_aside.patch,
* patches/openjdk/8017298-better_xml_support.patch,
* patches/openjdk/8017300-improve_interface_implementation.patch,
* patches/openjdk/8017505-better_client_service.patch,
* patches/openjdk/8017566-backout_part_of_8000450.patch,
* patches/openjdk/8019292-better_attribute_value_exceptions.patch,
* patches/openjdk/8019584-invalid_notification_fix.patch,
* patches/openjdk/8019617-better_view_of_objects.patch,
* patches/openjdk/8019969-inet6_test_case_fix.patch,
* patches/openjdk/8019979-better_access_test.patch,
* patches/openjdk/8020293-jvm_crash.patch,
* patches/openjdk/8021290-signature_validation.patch,
* patches/openjdk/8021355-splashscreen_regression.patch,
* patches/openjdk/8021366-jaxp_test_fix-01.patch,
* patches/openjdk/8021577-bean_serialization_fix.patch,
* patches/openjdk/8021933-jaxp_test_fix-02.patch,
* patches/openjdk/8021969-jnlp_load_failure.patch,
* patches/openjdk/8022661-writeobject_flush.patch,
* patches/openjdk/8022682-supporting_xom.patch,
* patches/openjdk/8022940-enhance_corba_translations.patch,
* patches/openjdk/8023683-enhance_class_file_parsing.patch,
* patches/openjdk/8023964-ignore_test.patch,
* patches/openjdk/8024914-swapped_usage.patch,
* patches/openjdk/8025128-createtempfile_absolute_prefix.patch,
* patches/openjdk/oj6-19-fix_8010118_test_cases.patch,
* patches/openjdk/oj6-20-merge.patch,
* patches/openjdk/oj6-21-overrides.patch: Added.
author | Andrew John Hughes <gnu.andrew@redhat.com> |
---|---|
date | Wed, 20 Nov 2013 22:56:43 +0000 |
parents | |
children |
line wrap: on
line source
# HG changeset patch # User juh # Date 1382736906 -3600 # Fri Oct 25 22:35:06 2013 +0100 # Node ID 2a023db33371ce5ee42134cf0d860ab9f0adff92 # Parent 3b6f55f02122398ba662fb581352c9c9b102c2e3 8004188: Rename src/share/lib/security/java.security to java.security-linux Reviewed-by: mullan, mchung diff -r 3b6f55f02122 -r 2a023db33371 make/java/security/Makefile --- openjdk/jdk/make/java/security/Makefile Fri Jul 12 11:36:15 2013 +0100 +++ openjdk/jdk/make/java/security/Makefile Fri Oct 25 22:35:06 2013 +0100 @@ -37,7 +37,8 @@ # Directories # -PROPS_SRC = $(TOPDIR)/src/share/lib/security/java.security +# The default security properties file is for linux +PROPS_SRC = $(TOPDIR)/src/share/lib/security/java.security-linux SUNPKCS11 = ifeq ($(PLATFORM), solaris) diff -r 3b6f55f02122 -r 2a023db33371 src/share/lib/security/java.security --- openjdk/jdk/src/share/lib/security/java.security Fri Jul 12 11:36:15 2013 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,311 +0,0 @@ -# -# This is the "master security properties file". -# -# In this file, various security properties are set for use by -# java.security classes. This is where users can statically register -# Cryptography Package Providers ("providers" for short). The term -# "provider" refers to a package or set of packages that supply a -# concrete implementation of a subset of the cryptography aspects of -# the Java Security API. A provider may, for example, implement one or -# more digital signature algorithms or message digest algorithms. -# -# Each provider must implement a subclass of the Provider class. -# To register a provider in this master security properties file, -# specify the Provider subclass name and priority in the format -# -# security.provider.<n>=<className> -# -# This declares a provider, and specifies its preference -# order n. The preference order is the order in which providers are -# searched for requested algorithms (when no specific provider is -# requested). The order is 1-based; 1 is the most preferred, followed -# by 2, and so on. -# -# <className> must specify the subclass of the Provider class whose -# constructor sets the values of various properties that are required -# for the Java Security API to look up the algorithms or other -# facilities implemented by the provider. -# -# There must be at least one provider specification in java.security. -# There is a default provider that comes standard with the JDK. It -# is called the "SUN" provider, and its Provider subclass -# named Sun appears in the sun.security.provider package. Thus, the -# "SUN" provider is registered via the following: -# -# security.provider.1=sun.security.provider.Sun -# -# (The number 1 is used for the default provider.) -# -# Note: Providers can be dynamically registered instead by calls to -# either the addProvider or insertProviderAt method in the Security -# class. - -# -# List of providers and their preference orders (see above): -# -security.provider.1=sun.security.provider.Sun -security.provider.2=sun.security.rsa.SunRsaSign -security.provider.3=com.sun.net.ssl.internal.ssl.Provider -security.provider.4=com.sun.crypto.provider.SunJCE -security.provider.5=sun.security.jgss.SunProvider -security.provider.6=com.sun.security.sasl.Provider -security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI -security.provider.8=sun.security.smartcardio.SunPCSC - -# -# Select the source of seed data for SecureRandom. By default an -# attempt is made to use the entropy gathering device specified by -# the securerandom.source property. If an exception occurs when -# accessing the URL then the traditional system/thread activity -# algorithm is used. -# -# On Solaris and Linux systems, if file:/dev/urandom is specified and it -# exists, a special SecureRandom implementation is activated by default. -# This "NativePRNG" reads random bytes directly from /dev/urandom. -# -# On Windows systems, the URLs file:/dev/random and file:/dev/urandom -# enables use of the Microsoft CryptoAPI seed functionality. -# -securerandom.source=file:/dev/urandom -# -# The entropy gathering device is described as a URL and can also -# be specified with the system property "java.security.egd". For example, -# -Djava.security.egd=file:/dev/urandom -# Specifying this system property will override the securerandom.source -# setting. - -# -# Class to instantiate as the javax.security.auth.login.Configuration -# provider. -# -login.configuration.provider=com.sun.security.auth.login.ConfigFile - -# -# Default login configuration file -# -#login.config.url.1=file:${user.home}/.java.login.config - -# -# Class to instantiate as the system Policy. This is the name of the class -# that will be used as the Policy object. -# -policy.provider=sun.security.provider.PolicyFile - -# The default is to have a single system-wide policy file, -# and a policy file in the user's home directory. -policy.url.1=file:${java.home}/lib/security/java.policy -policy.url.2=file:${user.home}/.java.policy - -# whether or not we expand properties in the policy file -# if this is set to false, properties (${...}) will not be expanded in policy -# files. -policy.expandProperties=true - -# whether or not we allow an extra policy to be passed on the command line -# with -Djava.security.policy=somefile. Comment out this line to disable -# this feature. -policy.allowSystemProperty=true - -# whether or not we look into the IdentityScope for trusted Identities -# when encountering a 1.1 signed JAR file. If the identity is found -# and is trusted, we grant it AllPermission. -policy.ignoreIdentityScope=false - -# -# Default keystore type. -# -keystore.type=jks - -# -# Class to instantiate as the system scope: -# -system.scope=sun.security.provider.IdentityDatabase - -# -# List of comma-separated packages that start with or equal this string -# will cause a security exception to be thrown when -# passed to checkPackageAccess unless the -# corresponding RuntimePermission ("accessClassInPackage."+package) has -# been granted. -package.access=sun.,\ - com.sun.corba.se.impl.,\ - com.sun.xml.internal.,\ - com.sun.imageio.,\ - com.sun.istack.internal.,\ - com.sun.jmx.,\ - com.sun.proxy.,\ - com.sun.org.apache.bcel.internal.,\ - com.sun.org.apache.regexp.internal.,\ - com.sun.org.apache.xerces.internal.,\ - com.sun.org.apache.xpath.internal.,\ - com.sun.org.apache.xalan.internal.extensions.,\ - com.sun.org.apache.xalan.internal.lib.,\ - com.sun.org.apache.xalan.internal.res.,\ - com.sun.org.apache.xalan.internal.templates.,\ - com.sun.org.apache.xalan.internal.xslt.,\ - com.sun.org.apache.xalan.internal.xsltc.cmdline.,\ - com.sun.org.apache.xalan.internal.xsltc.compiler.,\ - com.sun.org.apache.xalan.internal.xsltc.trax.,\ - com.sun.org.apache.xalan.internal.xsltc.util.,\ - com.sun.org.apache.xml.internal.res.,\ - com.sun.org.apache.xml.internal.serializer.utils.,\ - com.sun.org.apache.xml.internal.utils.,\ - com.sun.org.apache.xml.internal.security.,\ - com.sun.org.glassfish.,\ - org.jcp.xml.dsig.internal. - -# -# List of comma-separated packages that start with or equal this string -# will cause a security exception to be thrown when -# passed to checkPackageDefinition unless the -# corresponding RuntimePermission ("defineClassInPackage."+package) has -# been granted. -# -# by default, none of the class loaders supplied with the JDK call -# checkPackageDefinition. -# -package.definition=sun.,\ - com.sun.corba.se.impl.,\ - com.sun.xml.internal.,\ - com.sun.imageio.,\ - com.sun.istack.internal.,\ - com.sun.jmx.,\ - com.sun.proxy.,\ - com.sun.org.apache.bcel.internal.,\ - com.sun.org.apache.regexp.internal.,\ - com.sun.org.apache.xerces.internal.,\ - com.sun.org.apache.xpath.internal.,\ - com.sun.org.apache.xalan.internal.extensions.,\ - com.sun.org.apache.xalan.internal.lib.,\ - com.sun.org.apache.xalan.internal.res.,\ - com.sun.org.apache.xalan.internal.templates.,\ - com.sun.org.apache.xalan.internal.xslt.,\ - com.sun.org.apache.xalan.internal.xsltc.cmdline.,\ - com.sun.org.apache.xalan.internal.xsltc.compiler.,\ - com.sun.org.apache.xalan.internal.xsltc.trax.,\ - com.sun.org.apache.xalan.internal.xsltc.util.,\ - com.sun.org.apache.xml.internal.res.,\ - com.sun.org.apache.xml.internal.serializer.utils.,\ - com.sun.org.apache.xml.internal.utils.,\ - com.sun.org.apache.xml.internal.security.,\ - com.sun.org.glassfish.,\ - org.jcp.xml.dsig.internal. - -# -# Determines whether this properties file can be appended to -# or overridden on the command line via -Djava.security.properties -# -security.overridePropertiesFile=true - -# -# Determines the default key and trust manager factory algorithms for -# the javax.net.ssl package. -# -ssl.KeyManagerFactory.algorithm=SunX509 -ssl.TrustManagerFactory.algorithm=PKIX - -# -# The Java-level namelookup cache policy for successful lookups: -# -# any negative value: caching forever -# any positive value: the number of seconds to cache an address for -# zero: do not cache -# -# default value is forever (FOREVER). For security reasons, this -# caching is made forever when a security manager is set. When a security -# manager is not set, the default behavior in this implementation -# is to cache for 30 seconds. -# -# NOTE: setting this to anything other than the default value can have -# serious security implications. Do not set it unless -# you are sure you are not exposed to DNS spoofing attack. -# -#networkaddress.cache.ttl=-1 - -# The Java-level namelookup cache policy for failed lookups: -# -# any negative value: cache forever -# any positive value: the number of seconds to cache negative lookup results -# zero: do not cache -# -# In some Microsoft Windows networking environments that employ -# the WINS name service in addition to DNS, name service lookups -# that fail may take a noticeably long time to return (approx. 5 seconds). -# For this reason the default caching policy is to maintain these -# results for 10 seconds. -# -# -networkaddress.cache.negative.ttl=10 - -# -# Properties to configure OCSP for certificate revocation checking -# - -# Enable OCSP -# -# By default, OCSP is not used for certificate revocation checking. -# This property enables the use of OCSP when set to the value "true". -# -# NOTE: SocketPermission is required to connect to an OCSP responder. -# -# Example, -# ocsp.enable=true - -# -# Location of the OCSP responder -# -# By default, the location of the OCSP responder is determined implicitly -# from the certificate being validated. This property explicitly specifies -# the location of the OCSP responder. The property is used when the -# Authority Information Access extension (defined in RFC 3280) is absent -# from the certificate or when it requires overriding. -# -# Example, -# ocsp.responderURL=http://ocsp.example.net:80 - -# -# Subject name of the OCSP responder's certificate -# -# By default, the certificate of the OCSP responder is that of the issuer -# of the certificate being validated. This property identifies the certificate -# of the OCSP responder when the default does not apply. Its value is a string -# distinguished name (defined in RFC 2253) which identifies a certificate in -# the set of certificates supplied during cert path validation. In cases where -# the subject name alone is not sufficient to uniquely identify the certificate -# then both the "ocsp.responderCertIssuerName" and -# "ocsp.responderCertSerialNumber" properties must be used instead. When this -# property is set then those two properties are ignored. -# -# Example, -# ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp" - -# -# Issuer name of the OCSP responder's certificate -# -# By default, the certificate of the OCSP responder is that of the issuer -# of the certificate being validated. This property identifies the certificate -# of the OCSP responder when the default does not apply. Its value is a string -# distinguished name (defined in RFC 2253) which identifies a certificate in -# the set of certificates supplied during cert path validation. When this -# property is set then the "ocsp.responderCertSerialNumber" property must also -# be set. When the "ocsp.responderCertSubjectName" property is set then this -# property is ignored. -# -# Example, -# ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp" - -# -# Serial number of the OCSP responder's certificate -# -# By default, the certificate of the OCSP responder is that of the issuer -# of the certificate being validated. This property identifies the certificate -# of the OCSP responder when the default does not apply. Its value is a string -# of hexadecimal digits (colon or space separators may be present) which -# identifies a certificate in the set of certificates supplied during cert path -# validation. When this property is set then the "ocsp.responderCertIssuerName" -# property must also be set. When the "ocsp.responderCertSubjectName" property -# is set then this property is ignored. -# -# Example, -# ocsp.responderCertSerialNumber=2A:FF:00 - diff -r 3b6f55f02122 -r 2a023db33371 src/share/lib/security/java.security-linux --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ openjdk/jdk/src/share/lib/security/java.security-linux Fri Oct 25 22:35:06 2013 +0100 @@ -0,0 +1,311 @@ +# +# This is the "master security properties file". +# +# In this file, various security properties are set for use by +# java.security classes. This is where users can statically register +# Cryptography Package Providers ("providers" for short). The term +# "provider" refers to a package or set of packages that supply a +# concrete implementation of a subset of the cryptography aspects of +# the Java Security API. A provider may, for example, implement one or +# more digital signature algorithms or message digest algorithms. +# +# Each provider must implement a subclass of the Provider class. +# To register a provider in this master security properties file, +# specify the Provider subclass name and priority in the format +# +# security.provider.<n>=<className> +# +# This declares a provider, and specifies its preference +# order n. The preference order is the order in which providers are +# searched for requested algorithms (when no specific provider is +# requested). The order is 1-based; 1 is the most preferred, followed +# by 2, and so on. +# +# <className> must specify the subclass of the Provider class whose +# constructor sets the values of various properties that are required +# for the Java Security API to look up the algorithms or other +# facilities implemented by the provider. +# +# There must be at least one provider specification in java.security. +# There is a default provider that comes standard with the JDK. It +# is called the "SUN" provider, and its Provider subclass +# named Sun appears in the sun.security.provider package. Thus, the +# "SUN" provider is registered via the following: +# +# security.provider.1=sun.security.provider.Sun +# +# (The number 1 is used for the default provider.) +# +# Note: Providers can be dynamically registered instead by calls to +# either the addProvider or insertProviderAt method in the Security +# class. + +# +# List of providers and their preference orders (see above): +# +security.provider.1=sun.security.provider.Sun +security.provider.2=sun.security.rsa.SunRsaSign +security.provider.3=com.sun.net.ssl.internal.ssl.Provider +security.provider.4=com.sun.crypto.provider.SunJCE +security.provider.5=sun.security.jgss.SunProvider +security.provider.6=com.sun.security.sasl.Provider +security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI +security.provider.8=sun.security.smartcardio.SunPCSC + +# +# Select the source of seed data for SecureRandom. By default an +# attempt is made to use the entropy gathering device specified by +# the securerandom.source property. If an exception occurs when +# accessing the URL then the traditional system/thread activity +# algorithm is used. +# +# On Solaris and Linux systems, if file:/dev/urandom is specified and it +# exists, a special SecureRandom implementation is activated by default. +# This "NativePRNG" reads random bytes directly from /dev/urandom. +# +# On Windows systems, the URLs file:/dev/random and file:/dev/urandom +# enables use of the Microsoft CryptoAPI seed functionality. +# +securerandom.source=file:/dev/urandom +# +# The entropy gathering device is described as a URL and can also +# be specified with the system property "java.security.egd". For example, +# -Djava.security.egd=file:/dev/urandom +# Specifying this system property will override the securerandom.source +# setting. + +# +# Class to instantiate as the javax.security.auth.login.Configuration +# provider. +# +login.configuration.provider=com.sun.security.auth.login.ConfigFile + +# +# Default login configuration file +# +#login.config.url.1=file:${user.home}/.java.login.config + +# +# Class to instantiate as the system Policy. This is the name of the class +# that will be used as the Policy object. +# +policy.provider=sun.security.provider.PolicyFile + +# The default is to have a single system-wide policy file, +# and a policy file in the user's home directory. +policy.url.1=file:${java.home}/lib/security/java.policy +policy.url.2=file:${user.home}/.java.policy + +# whether or not we expand properties in the policy file +# if this is set to false, properties (${...}) will not be expanded in policy +# files. +policy.expandProperties=true + +# whether or not we allow an extra policy to be passed on the command line +# with -Djava.security.policy=somefile. Comment out this line to disable +# this feature. +policy.allowSystemProperty=true + +# whether or not we look into the IdentityScope for trusted Identities +# when encountering a 1.1 signed JAR file. If the identity is found +# and is trusted, we grant it AllPermission. +policy.ignoreIdentityScope=false + +# +# Default keystore type. +# +keystore.type=jks + +# +# Class to instantiate as the system scope: +# +system.scope=sun.security.provider.IdentityDatabase + +# +# List of comma-separated packages that start with or equal this string +# will cause a security exception to be thrown when +# passed to checkPackageAccess unless the +# corresponding RuntimePermission ("accessClassInPackage."+package) has +# been granted. +package.access=sun.,\ + com.sun.corba.se.impl.,\ + com.sun.xml.internal.,\ + com.sun.imageio.,\ + com.sun.istack.internal.,\ + com.sun.jmx.,\ + com.sun.proxy.,\ + com.sun.org.apache.bcel.internal.,\ + com.sun.org.apache.regexp.internal.,\ + com.sun.org.apache.xerces.internal.,\ + com.sun.org.apache.xpath.internal.,\ + com.sun.org.apache.xalan.internal.extensions.,\ + com.sun.org.apache.xalan.internal.lib.,\ + com.sun.org.apache.xalan.internal.res.,\ + com.sun.org.apache.xalan.internal.templates.,\ + com.sun.org.apache.xalan.internal.xslt.,\ + com.sun.org.apache.xalan.internal.xsltc.cmdline.,\ + com.sun.org.apache.xalan.internal.xsltc.compiler.,\ + com.sun.org.apache.xalan.internal.xsltc.trax.,\ + com.sun.org.apache.xalan.internal.xsltc.util.,\ + com.sun.org.apache.xml.internal.res.,\ + com.sun.org.apache.xml.internal.serializer.utils.,\ + com.sun.org.apache.xml.internal.utils.,\ + com.sun.org.apache.xml.internal.security.,\ + com.sun.org.glassfish.,\ + org.jcp.xml.dsig.internal. + +# +# List of comma-separated packages that start with or equal this string +# will cause a security exception to be thrown when +# passed to checkPackageDefinition unless the +# corresponding RuntimePermission ("defineClassInPackage."+package) has +# been granted. +# +# by default, none of the class loaders supplied with the JDK call +# checkPackageDefinition. +# +package.definition=sun.,\ + com.sun.corba.se.impl.,\ + com.sun.xml.internal.,\ + com.sun.imageio.,\ + com.sun.istack.internal.,\ + com.sun.jmx.,\ + com.sun.proxy.,\ + com.sun.org.apache.bcel.internal.,\ + com.sun.org.apache.regexp.internal.,\ + com.sun.org.apache.xerces.internal.,\ + com.sun.org.apache.xpath.internal.,\ + com.sun.org.apache.xalan.internal.extensions.,\ + com.sun.org.apache.xalan.internal.lib.,\ + com.sun.org.apache.xalan.internal.res.,\ + com.sun.org.apache.xalan.internal.templates.,\ + com.sun.org.apache.xalan.internal.xslt.,\ + com.sun.org.apache.xalan.internal.xsltc.cmdline.,\ + com.sun.org.apache.xalan.internal.xsltc.compiler.,\ + com.sun.org.apache.xalan.internal.xsltc.trax.,\ + com.sun.org.apache.xalan.internal.xsltc.util.,\ + com.sun.org.apache.xml.internal.res.,\ + com.sun.org.apache.xml.internal.serializer.utils.,\ + com.sun.org.apache.xml.internal.utils.,\ + com.sun.org.apache.xml.internal.security.,\ + com.sun.org.glassfish.,\ + org.jcp.xml.dsig.internal. + +# +# Determines whether this properties file can be appended to +# or overridden on the command line via -Djava.security.properties +# +security.overridePropertiesFile=true + +# +# Determines the default key and trust manager factory algorithms for +# the javax.net.ssl package. +# +ssl.KeyManagerFactory.algorithm=SunX509 +ssl.TrustManagerFactory.algorithm=PKIX + +# +# The Java-level namelookup cache policy for successful lookups: +# +# any negative value: caching forever +# any positive value: the number of seconds to cache an address for +# zero: do not cache +# +# default value is forever (FOREVER). For security reasons, this +# caching is made forever when a security manager is set. When a security +# manager is not set, the default behavior in this implementation +# is to cache for 30 seconds. +# +# NOTE: setting this to anything other than the default value can have +# serious security implications. Do not set it unless +# you are sure you are not exposed to DNS spoofing attack. +# +#networkaddress.cache.ttl=-1 + +# The Java-level namelookup cache policy for failed lookups: +# +# any negative value: cache forever +# any positive value: the number of seconds to cache negative lookup results +# zero: do not cache +# +# In some Microsoft Windows networking environments that employ +# the WINS name service in addition to DNS, name service lookups +# that fail may take a noticeably long time to return (approx. 5 seconds). +# For this reason the default caching policy is to maintain these +# results for 10 seconds. +# +# +networkaddress.cache.negative.ttl=10 + +# +# Properties to configure OCSP for certificate revocation checking +# + +# Enable OCSP +# +# By default, OCSP is not used for certificate revocation checking. +# This property enables the use of OCSP when set to the value "true". +# +# NOTE: SocketPermission is required to connect to an OCSP responder. +# +# Example, +# ocsp.enable=true + +# +# Location of the OCSP responder +# +# By default, the location of the OCSP responder is determined implicitly +# from the certificate being validated. This property explicitly specifies +# the location of the OCSP responder. The property is used when the +# Authority Information Access extension (defined in RFC 3280) is absent +# from the certificate or when it requires overriding. +# +# Example, +# ocsp.responderURL=http://ocsp.example.net:80 + +# +# Subject name of the OCSP responder's certificate +# +# By default, the certificate of the OCSP responder is that of the issuer +# of the certificate being validated. This property identifies the certificate +# of the OCSP responder when the default does not apply. Its value is a string +# distinguished name (defined in RFC 2253) which identifies a certificate in +# the set of certificates supplied during cert path validation. In cases where +# the subject name alone is not sufficient to uniquely identify the certificate +# then both the "ocsp.responderCertIssuerName" and +# "ocsp.responderCertSerialNumber" properties must be used instead. When this +# property is set then those two properties are ignored. +# +# Example, +# ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp" + +# +# Issuer name of the OCSP responder's certificate +# +# By default, the certificate of the OCSP responder is that of the issuer +# of the certificate being validated. This property identifies the certificate +# of the OCSP responder when the default does not apply. Its value is a string +# distinguished name (defined in RFC 2253) which identifies a certificate in +# the set of certificates supplied during cert path validation. When this +# property is set then the "ocsp.responderCertSerialNumber" property must also +# be set. When the "ocsp.responderCertSubjectName" property is set then this +# property is ignored. +# +# Example, +# ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp" + +# +# Serial number of the OCSP responder's certificate +# +# By default, the certificate of the OCSP responder is that of the issuer +# of the certificate being validated. This property identifies the certificate +# of the OCSP responder when the default does not apply. Its value is a string +# of hexadecimal digits (colon or space separators may be present) which +# identifies a certificate in the set of certificates supplied during cert path +# validation. When this property is set then the "ocsp.responderCertIssuerName" +# property must also be set. When the "ocsp.responderCertSubjectName" property +# is set then this property is ignored. +# +# Example, +# ocsp.responderCertSerialNumber=2A:FF:00 +