8016848: javax_security/auth/login tests fail in compact 1 and 2 profiles
Summary: Change the default value of the "login.configuration.provider" security property to sun.security.provider.ConfigFile
Reviewed-by: xuelei
## This is the "master security properties file".## An alternate java.security properties file may be specified# from the command line via the system property## -Djava.security.properties=<URL>## This properties file appends to the master security properties file.# If both properties files specify values for the same key, the value# from the command-line properties file is selected, as it is the last# one loaded.## Also, if you specify## -Djava.security.properties==<URL> (2 equals),## then that properties file completely overrides the master security# properties file.## To disable the ability to specify an additional properties file from# the command line, set the key security.overridePropertiesFile# to false in the master security properties file. It is set to true# by default.# In this file, various security properties are set for use by# java.security classes. This is where users can statically register# Cryptography Package Providers ("providers" for short). The term# "provider" refers to a package or set of packages that supply a# concrete implementation of a subset of the cryptography aspects of# the Java Security API. A provider may, for example, implement one or# more digital signature algorithms or message digest algorithms.## Each provider must implement a subclass of the Provider class.# To register a provider in this master security properties file,# specify the Provider subclass name and priority in the format## security.provider.<n>=<className>## This declares a provider, and specifies its preference# order n. The preference order is the order in which providers are# searched for requested algorithms (when no specific provider is# requested). The order is 1-based; 1 is the most preferred, followed# by 2, and so on.## <className> must specify the subclass of the Provider class whose# constructor sets the values of various properties that are required# for the Java Security API to look up the algorithms or other# facilities implemented by the provider.## There must be at least one provider specification in java.security.# There is a default provider that comes standard with the JDK. It# is called the "SUN" provider, and its Provider subclass# named Sun appears in the sun.security.provider package. Thus, the# "SUN" provider is registered via the following:## security.provider.1=sun.security.provider.Sun## (The number 1 is used for the default provider.)## Note: Providers can be dynamically registered instead by calls to# either the addProvider or insertProviderAt method in the Security# class.## List of providers and their preference orders (see above):#security.provider.1=sun.security.provider.Sunsecurity.provider.2=sun.security.rsa.SunRsaSignsecurity.provider.3=sun.security.ec.SunECsecurity.provider.4=com.sun.net.ssl.internal.ssl.Providersecurity.provider.5=com.sun.crypto.provider.SunJCEsecurity.provider.6=sun.security.jgss.SunProvidersecurity.provider.7=com.sun.security.sasl.Providersecurity.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRIsecurity.provider.9=sun.security.smartcardio.SunPCSC## Sun Provider SecureRandom seed source.## Select the primary source of seed data for the "SHA1PRNG" and# "NativePRNG" SecureRandom implementations in the "Sun" provider.# (Other SecureRandom implementations might also use this property.)## On Unix-like systems (for example, Solaris/Linux/MacOS), the# "NativePRNG" and "SHA1PRNG" implementations obtains seed data from# special device files such as file:/dev/random.## On Windows systems, specifying the URLs "file:/dev/random" or# "file:/dev/urandom" will enable the native Microsoft CryptoAPI seeding# mechanism for SHA1PRNG.## By default, an attempt is made to use the entropy gathering device# specified by the "securerandom.source" Security property. If an# exception occurs while accessing the specified URL:## SHA1PRNG:# the traditional system/thread activity algorithm will be used.## NativePRNG:# a default value of /dev/random will be used. If neither# are available, the implementation will be disabled.# "file" is the only currently supported protocol type.## The entropy gathering device can also be specified with the System# property "java.security.egd". For example:## % java -Djava.security.egd=file:/dev/random MainClass## Specifying this System property will override the# "securerandom.source" Security property.## In addition, if "file:/dev/random" or "file:/dev/urandom" is# specified, the "NativePRNG" implementation will be more preferred than# SHA1PRNG in the Sun provider.#securerandom.source=file:/dev/random## A list of known strong SecureRandom implementations.## To help guide applications in selecting a suitable strong# java.security.SecureRandom implementation, Java distributions should# indicate a list of known strong implementations using the property.## This is a comma-separated list of algorithm and/or algorithm:provider# entries.#securerandom.strongAlgorithms=NativePRNGBlocking:SUN## Class to instantiate as the javax.security.auth.login.Configuration# provider.#login.configuration.provider=sun.security.provider.ConfigFile## Default login configuration file##login.config.url.1=file:${user.home}/.java.login.config## Class to instantiate as the system Policy. This is the name of the class# that will be used as the Policy object.#policy.provider=sun.security.provider.PolicyFile# The default is to have a single system-wide policy file,# and a policy file in the user's home directory.policy.url.1=file:${java.home}/lib/security/java.policypolicy.url.2=file:${user.home}/.java.policy# whether or not we expand properties in the policy file# if this is set to false, properties (${...}) will not be expanded in policy# files.policy.expandProperties=true# whether or not we allow an extra policy to be passed on the command line# with -Djava.security.policy=somefile. Comment out this line to disable# this feature.policy.allowSystemProperty=true# whether or not we look into the IdentityScope for trusted Identities# when encountering a 1.1 signed JAR file. If the identity is found# and is trusted, we grant it AllPermission.policy.ignoreIdentityScope=false## Default keystore type.#keystore.type=jks## List of comma-separated packages that start with or equal this string# will cause a security exception to be thrown when# passed to checkPackageAccess unless the# corresponding RuntimePermission ("accessClassInPackage."+package) has# been granted.package.access=sun.,\ com.sun.xml.internal.,\ com.sun.imageio.,\ com.sun.istack.internal.,\ com.sun.jmx.,\ com.sun.proxy.,\ com.sun.org.apache.bcel.internal.,\ com.sun.org.apache.regexp.internal.,\ com.sun.org.apache.xerces.internal.,\ com.sun.org.apache.xpath.internal.,\ com.sun.org.apache.xalan.internal.extensions.,\ com.sun.org.apache.xalan.internal.lib.,\ com.sun.org.apache.xalan.internal.res.,\ com.sun.org.apache.xalan.internal.templates.,\ com.sun.org.apache.xalan.internal.utils.,\ com.sun.org.apache.xalan.internal.xslt.,\ com.sun.org.apache.xalan.internal.xsltc.cmdline.,\ com.sun.org.apache.xalan.internal.xsltc.compiler.,\ com.sun.org.apache.xalan.internal.xsltc.trax.,\ com.sun.org.apache.xalan.internal.xsltc.util.,\ com.sun.org.apache.xml.internal.res.,\ com.sun.org.apache.xml.internal.security.,\ com.sun.org.apache.xml.internal.serializer.utils.,\ com.sun.org.apache.xml.internal.utils.,\ com.sun.org.glassfish.,\ com.oracle.xmlns.internal.,\ com.oracle.webservices.internal.,\ oracle.jrockit.jfr.,\ org.jcp.xml.dsig.internal.,\ jdk.internal.,\ jdk.nashorn.internal.,\ jdk.nashorn.tools.## List of comma-separated packages that start with or equal this string# will cause a security exception to be thrown when# passed to checkPackageDefinition unless the# corresponding RuntimePermission ("defineClassInPackage."+package) has# been granted.## by default, none of the class loaders supplied with the JDK call# checkPackageDefinition.#package.definition=sun.,\ com.sun.xml.internal.,\ com.sun.imageio.,\ com.sun.istack.internal.,\ com.sun.jmx.,\ com.sun.proxy.,\ com.sun.org.apache.bcel.internal.,\ com.sun.org.apache.regexp.internal.,\ com.sun.org.apache.xerces.internal.,\ com.sun.org.apache.xpath.internal.,\ com.sun.org.apache.xalan.internal.extensions.,\ com.sun.org.apache.xalan.internal.lib.,\ com.sun.org.apache.xalan.internal.res.,\ com.sun.org.apache.xalan.internal.templates.,\ com.sun.org.apache.xalan.internal.utils.,\ com.sun.org.apache.xalan.internal.xslt.,\ com.sun.org.apache.xalan.internal.xsltc.cmdline.,\ com.sun.org.apache.xalan.internal.xsltc.compiler.,\ com.sun.org.apache.xalan.internal.xsltc.trax.,\ com.sun.org.apache.xalan.internal.xsltc.util.,\ com.sun.org.apache.xml.internal.res.,\ com.sun.org.apache.xml.internal.security.,\ com.sun.org.apache.xml.internal.serializer.utils.,\ com.sun.org.apache.xml.internal.utils.,\ com.sun.org.glassfish.,\ com.oracle.xmlns.internal.,\ com.oracle.webservices.internal.,\ oracle.jrockit.jfr.,\ org.jcp.xml.dsig.internal.,\ jdk.internal.,\ jdk.nashorn.internal.,\ jdk.nashorn.tools.## Determines whether this properties file can be appended to# or overridden on the command line via -Djava.security.properties#security.overridePropertiesFile=true## Determines the default key and trust manager factory algorithms for# the javax.net.ssl package.#ssl.KeyManagerFactory.algorithm=SunX509ssl.TrustManagerFactory.algorithm=PKIX## The Java-level namelookup cache policy for successful lookups:## any negative value: caching forever# any positive value: the number of seconds to cache an address for# zero: do not cache## default value is forever (FOREVER). For security reasons, this# caching is made forever when a security manager is set. When a security# manager is not set, the default behavior in this implementation# is to cache for 30 seconds.## NOTE: setting this to anything other than the default value can have# serious security implications. Do not set it unless# you are sure you are not exposed to DNS spoofing attack.##networkaddress.cache.ttl=-1# The Java-level namelookup cache policy for failed lookups:## any negative value: cache forever# any positive value: the number of seconds to cache negative lookup results# zero: do not cache## In some Microsoft Windows networking environments that employ# the WINS name service in addition to DNS, name service lookups# that fail may take a noticeably long time to return (approx. 5 seconds).# For this reason the default caching policy is to maintain these# results for 10 seconds.##networkaddress.cache.negative.ttl=10## Properties to configure OCSP for certificate revocation checking## Enable OCSP## By default, OCSP is not used for certificate revocation checking.# This property enables the use of OCSP when set to the value "true".## NOTE: SocketPermission is required to connect to an OCSP responder.## Example,# ocsp.enable=true## Location of the OCSP responder## By default, the location of the OCSP responder is determined implicitly# from the certificate being validated. This property explicitly specifies# the location of the OCSP responder. The property is used when the# Authority Information Access extension (defined in RFC 3280) is absent# from the certificate or when it requires overriding.## Example,# ocsp.responderURL=http://ocsp.example.net:80## Subject name of the OCSP responder's certificate## By default, the certificate of the OCSP responder is that of the issuer# of the certificate being validated. This property identifies the certificate# of the OCSP responder when the default does not apply. Its value is a string# distinguished name (defined in RFC 2253) which identifies a certificate in# the set of certificates supplied during cert path validation. In cases where# the subject name alone is not sufficient to uniquely identify the certificate# then both the "ocsp.responderCertIssuerName" and# "ocsp.responderCertSerialNumber" properties must be used instead. When this# property is set then those two properties are ignored.## Example,# ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"## Issuer name of the OCSP responder's certificate## By default, the certificate of the OCSP responder is that of the issuer# of the certificate being validated. This property identifies the certificate# of the OCSP responder when the default does not apply. Its value is a string# distinguished name (defined in RFC 2253) which identifies a certificate in# the set of certificates supplied during cert path validation. When this# property is set then the "ocsp.responderCertSerialNumber" property must also# be set. When the "ocsp.responderCertSubjectName" property is set then this# property is ignored.## Example,# ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"## Serial number of the OCSP responder's certificate## By default, the certificate of the OCSP responder is that of the issuer# of the certificate being validated. This property identifies the certificate# of the OCSP responder when the default does not apply. Its value is a string# of hexadecimal digits (colon or space separators may be present) which# identifies a certificate in the set of certificates supplied during cert path# validation. When this property is set then the "ocsp.responderCertIssuerName"# property must also be set. When the "ocsp.responderCertSubjectName" property# is set then this property is ignored.## Example,# ocsp.responderCertSerialNumber=2A:FF:00## Policy for failed Kerberos KDC lookups:## When a KDC is unavailable (network error, service failure, etc), it is# put inside a blacklist and accessed less often for future requests. The# value (case-insensitive) for this policy can be:## tryLast# KDCs in the blacklist are always tried after those not on the list.## tryLess[:max_retries,timeout]# KDCs in the blacklist are still tried by their order in the configuration,# but with smaller max_retries and timeout values. max_retries and timeout# are optional numerical parameters (default 1 and 5000, which means once# and 5 seconds). Please notes that if any of the values defined here is# more than what is defined in krb5.conf, it will be ignored.## Whenever a KDC is detected as available, it is removed from the blacklist.# The blacklist is reset when krb5.conf is reloaded. You can add# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is# reloaded whenever a JAAS authentication is attempted.## Example,# krb5.kdc.bad.policy = tryLast# krb5.kdc.bad.policy = tryLess:2,2000krb5.kdc.bad.policy = tryLast# Algorithm restrictions for certification path (CertPath) processing## In some environments, certain algorithms or key lengths may be undesirable# for certification path building and validation. For example, "MD2" is# generally no longer considered to be a secure hash algorithm. This section# describes the mechanism for disabling algorithms based on algorithm name# and/or key length. This includes algorithms used in certificates, as well# as revocation information such as CRLs and signed OCSP Responses.## The syntax of the disabled algorithm string is described as this Java# BNF-style:# DisabledAlgorithms:# " DisabledAlgorithm { , DisabledAlgorithm } "## DisabledAlgorithm:# AlgorithmName [Constraint]## AlgorithmName:# (see below)## Constraint:# KeySizeConstraint## KeySizeConstraint:# keySize Operator DecimalInteger## Operator:# <= | < | == | != | >= | >## DecimalInteger:# DecimalDigits## DecimalDigits:# DecimalDigit {DecimalDigit}## DecimalDigit: one of# 1 2 3 4 5 6 7 8 9 0## The "AlgorithmName" is the standard algorithm name of the disabled# algorithm. See "Java Cryptography Architecture Standard Algorithm Name# Documentation" for information about Standard Algorithm Names. Matching# is performed using a case-insensitive sub-element matching rule. (For# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and# "ECDSA" for signatures.) If the assertion "AlgorithmName" is a# sub-element of the certificate algorithm name, the algorithm will be# rejected during certification path building and validation. For example,# the assertion algorithm name "DSA" will disable all certificate algorithms# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion# will not disable algorithms related to "ECDSA".## A "Constraint" provides further guidance for the algorithm being specified.# The "KeySizeConstraint" requires a key of a valid size range if the# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the# key size specified in number of bits. For example, "RSA keySize <= 1024"# indicates that any RSA key with key size less than or equal to 1024 bits# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates# that any RSA key with key size less than 1024 or greater than 2048 should# be disabled. Note that the "KeySizeConstraint" only makes sense to key# algorithms.## Note: This property is currently used by Oracle's PKIX implementation. It# is not guaranteed to be examined and used by other implementations.## Example:# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048##jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024# Algorithm restrictions for Secure Socket Layer/Transport Layer Security# (SSL/TLS) processing## In some environments, certain algorithms or key lengths may be undesirable# when using SSL/TLS. This section describes the mechanism for disabling# algorithms during SSL/TLS security parameters negotiation, including cipher# suites selection, peer authentication and key exchange mechanisms.## For PKI-based peer authentication and key exchange mechanisms, this list# of disabled algorithms will also be checked during certification path# building and validation, including algorithms used in certificates, as# well as revocation information such as CRLs and signed OCSP Responses.# This is in addition to the jdk.certpath.disabledAlgorithms property above.## See the specification of "jdk.certpath.disabledAlgorithms" for the# syntax of the disabled algorithm string.## Note: This property is currently used by Oracle's JSSE implementation.# It is not guaranteed to be examined and used by other implementations.## Example:# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048