
I've defined some parameters in the file /usr/lib/jvm/jre-8-oracle-x64/lib/security/java.security to make the Java security settings comply with our security policy. Some of the parameters I have edited are:

```
security.overridePropertiesFile=false
jdk.tls.disabledAlgorithms= ...
jdk.certpath.disabledAlgorithms=MD2,...
```

It is unclear to me whether a developer could set custom parameters in an application: does the JVM enforce these parameters, or can they be overridden?

I've seen that there is already a question about the Java security policy, but in my case I just want the system policy to be applied.

  • To prevent users from overwriting security settings, you can create a [policy](http://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html) that only allows reading [security properties](http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#SecurityPermission). – Federico Sierra Aug 04 '16 at 01:10
  • @FedericoSierra it seems to be code-related (I've updated the question), and my question was certainly unclear. I rephrased it. – Baptiste Mille-Mathias Aug 04 '16 at 17:10
  • To prevent users from specifying additional policy files, you can set the `policy.expandProperties` property to false, remove the user's `.java.policy` entry, and make the `java.security` file read-only for the end users. With this you can establish a sandbox that cannot be modified by end users. – Federico Sierra Aug 04 '16 at 18:21
  • Can I find some example code to run to validate that the enforcement is respected? – Baptiste Mille-Mathias Aug 08 '16 at 12:20
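
An added example (not part of the original thread) of the kind of check the last comment asks for: it prints the effective values of the properties named in the question, probes whether `Security.setProperty` is permitted in the running JVM, and lists the TLS protocols JSSE enables by default. The class name `SecurityPropsCheck` is an assumption; run it with the same JVM and launch options as the application.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;

// Added example: reports the effective security properties and whether
// application code in this JVM is allowed to change them at runtime.
public class SecurityPropsCheck {

    // Property names taken from the question.
    static final String[] KEYS = {
        "security.overridePropertiesFile",
        "jdk.tls.disabledAlgorithms",
        "jdk.certpath.disabledAlgorithms"
    };

    // Reads the property, then writes the same value back. The write goes
    // through the same permission check as a real override but leaves the
    // configuration unchanged.
    static String probe(String key) {
        try {
            String current = Security.getProperty(key);
            if (current == null) {
                return key + " is not set (write not probed)";
            }
            try {
                Security.setProperty(key, current);
                return key + " = " + current + "\n  -> WRITABLE by application code";
            } catch (SecurityException e) {
                return key + " = " + current + "\n  -> write denied: " + e.getMessage();
            }
        } catch (SecurityException e) {
            return key + " -> read denied: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("SecurityManager installed: "
                + (System.getSecurityManager() != null));
        for (String key : KEYS) {
            System.out.println(probe(key));
        }
        try {
            // Protocols JSSE enables by default in this JVM; compare with the policy.
            String[] protocols = SSLContext.getDefault()
                    .getDefaultSSLParameters().getProtocols();
            System.out.println("Default TLS protocols: " + Arrays.toString(protocols));
        } catch (Exception e) {
            System.out.println("Could not query JSSE defaults: " + e);
        }
    }
}
```

With no SecurityManager installed, `Security.setProperty` performs no permission check, so every property that is set is reported as writable regardless of what the `java.security` file contains.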
