What is java -Djava.security.policy?

What is Java? You may often hear about it without knowing what it is. As quoted from Wikipedia, Java is a programming language which is object-oriented and class-based. It is designed to have as few implementation dependencies as possible. The language is intended to let application developers write once, run anywhere, which means that compiled Java code can run on all platforms that support Java without the need for recompilation. Now, what about the Java security policy? The explanation follows below.

According to Oracle, a Policy object represents the policy for a Java programming language application environment. More specifically, it is represented by a Policy subclass that provides an implementation of the abstract methods in the Policy class, which is in the java.security package. Where the policy information used by the Policy object comes from is up to the Policy implementation. The Policy reference implementation gets its information from static policy configuration files.

Oracle's documentation also covers using the Java security manager, setting it up, and modifying the weblogic.policy file for general use. As explained there, you can use a Java security manager with WebLogic Server to provide additional protection for resources running in a Java Virtual Machine (JVM). Using a Java security manager is an optional security step.

When WebLogic Server runs under Java 2, it can use the Java 2 security manager, which prevents untrusted code from performing actions that are restricted by the Java security policy file. The JVM has a security mechanism built into it that lets you define restrictions on code through a Java security policy file. The Java security manager uses the Java security policy file to enforce a set of permissions granted to classes. The permissions allow specified classes running in that instance of the JVM to permit or not permit certain runtime operations. In many cases the threat model does not include malicious code being run in the JVM, and the Java security manager is not needed. But if third parties use WebLogic Server and unknown classes are being run, the Java security manager may be beneficial.

To use the Java security manager with WebLogic Server, specify the -Djava.security.policy argument when you start WebLogic Server. The -Djava.security.policy argument specifies a filename, given as a relative or fully qualified pathname, that contains Java 2 security policies. WebLogic Server includes a sample Java security policy file which you can edit and use. The file is located at WL_HOME\server\lib\weblogic.policy.

If you enable the Java security manager but do not specify a security policy file, the Java security manager uses the default security policies defined in the java.security and java.policy files in the $JAVA_HOME/jre/lib/security directory.

To use the Java security manager security policy file with your WebLogic Server deployment, set the arguments below on the Java command line when you start WebLogic Server.

  • java.security.manager. It tells the JVM to use a Java security policy file.
  • java.security.policy. It tells the JVM the location of the Java security policy file to use. The argument is the fully qualified filename of the Java security policy, in this case weblogic.policy.

The example below is taken from Oracle.

$ java…-Djava.security.manager


Make sure that you use == instead of = when you specify the java.security.policy argument, so that only the weblogic.policy file is used by the Java security manager. The == causes the weblogic.policy file to override any default security policy. A single equal sign (=) causes the weblogic.policy file to be appended to the existing security policy.

If you have extra directories in your classpath, or you are deploying applications in extra directories, you can add specific permissions for those directories to your weblogic.policy file. BEA recommends taking these precautions:

  • Make a backup copy of the weblogic.policy file and put the backup copy in a secure location.
  • Set the operating system file permissions on the weblogic.policy file so that the administrator of the WebLogic Server deployment has read and write privileges and no other users have access to the file.
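
The == versus = distinction and the file-permission precaution above can both be checked before a server is started. The script below is an added example, not code from Oracle or from this article; the function names, the /placeholder path and the sample command line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle's code. Paths and command lines are constructed placeholders.

# Classify the JVM arguments passed as "$@".
# Prints: no-manager | default-policy | append | override
classify_policy_args() {
    manager=no
    mode=default-policy   # manager enabled, no policy file: JVM default policies apply
    for arg in "$@"; do
        case "$arg" in
            -Djava.security.manager)   manager=yes ;;
            -Djava.security.policy==*) mode=override ;;  # '==': only this file is used
            -Djava.security.policy=*)  mode=append ;;    # '=': appended to existing policy
        esac
    done
    if [ "$manager" = yes ]; then
        echo "$mode"
    else
        echo no-manager
    fi
}

# Succeed only if group and other have no permission bits on the policy file.
policy_file_is_private() {
    [ -f "$1" ] || return 2
    perms=$(ls -ld -- "$1" | cut -c5-10)   # group+other columns of the mode string
    [ "$perms" = "------" ]
}

# Constructed sample launch command; prints "append" because of the single '='.
classify_policy_args java -Djava.security.manager \
    -Djava.security.policy=/placeholder/weblogic.policy weblogic.Server
```

A result of append or default-policy means the JVM's default policy files still contribute grants, so they need reviewing alongside weblogic.policy.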

It is important to know that the Java security manager is partially disabled during the booting of administration and managed servers. During the boot sequence, the current Java security manager is disabled and replaced with a variation of the Java security manager which has the checkRead method disabled. Disabling this method improves the performance of the boot sequence, but it also minimally diminishes security. The startup classes for WebLogic Server are run with this partially disabled Java security manager, so those classes must be carefully scrutinized for security considerations which involve the reading of files.

Note that you are not able to modify security policies for web applications. According to Oracle, you have to set default security policies for EJBs and J2EE Connector Resource Adapters in the Java security policy. The default security policies for EJBs and Resource Adapters are defined in the Java security policy file under the codebases listed below.

  • EJBs: "file:/weblogic/application/defaults/EJB"
  • Resource Adapters: "file:/weblogic/application/defaults/Connectors"

These security policies apply to all EJBs and Resource Adapters which are deployed in that particular instance of WebLogic Server.

That is the information we are able to give you about java -Djava.security.policy. We apologize for any shortcomings in this article. If you need more information about -Djava.security.policy, you can read other sources or visit forums to get more information from others.