On Wed, 8 Apr 2026 19:47:13 GMT, Sean Mullan <[email protected]> wrote:
> This is a new jlink plugin which allows the user to specify values of
> security properties it wants to override in the `java.security` configuration
> file in a custom runtime image. This enhancement, along with [the `cacerts`
> jlink plugin](https://github.com/openjdk/jdk/pull/29700) allows users to more
> easily create runtimes that address the specific security requirements of
> their applications.
>
> The command-line syntax takes a file containing properties that the user
> wants to override.
>
> For example:
>
>
> jlink --security-properties props.security
>
>
> where `props.security` is a file containing one or more properties in the
> `java.security` file syntax.

src/jdk.jlink/share/classes/jdk/tools/jlink/internal/plugins/SecurityPropertiesPlugin.java line 89:

> 87:     throw new IllegalArgumentException(
> 88:         "the include property is not supported");
> 89: }

Why is this being treated specially? It makes the use-cases of using this `jlink` plugin more limited to editing the file in place (or using some post-processor). It would break some of the use cases we have with system crypto policies where this plugin would come in handy:

Consider this use case:

Take a generic JDK build that is about to be used to integrate with system crypto policies (see [JDK-8319332](https://bugs.openjdk.org/browse/JDK-8319332)) on some systems. The generic JDK build is also being used elsewhere where this isn't being done. The system policies are maintained by the OS and live in `/etc/crypto-policies/back-ends/java.config`, say. A custom `jlink` invocation including all modules with `--security-properties extra` could achieve this when `extra` contained `include=/etc/crypto-policies/back-ends/java.config`. The benefit of using this over `--security-properties /etc/crypto-policies/back-ends/java.config` is that the system policy file could be updated async to the `jlink` command being run.
src/jdk.jlink/share/classes/jdk/tools/jlink/internal/plugins/SecurityPropertiesPlugin.java line 127:

> 125: String propValue = props.remove(propName.trim());
> 126: if (propValue != null) {
> 127:     // skip multi-line values

Suggestion:

    // skip multi-line values in original

test/jdk/tools/jlink/plugins/SecurityPropertiesPluginTest.java line 1:

> 1: /*

With this patch to the file the test becomes runnable with JEP 493 enabled as well (it's currently skipped).

diff --git a/test/jdk/tools/jlink/plugins/SecurityPropertiesPluginTest.java b/test/jdk/tools/jlink/plugins/SecurityPropertiesPluginTest.java index 697816a2dc3..8d40dc60048 100644 --- a/test/jdk/tools/jlink/plugins/SecurityPropertiesPluginTest.java +++ b/test/jdk/tools/jlink/plugins/SecurityPropertiesPluginTest.java @@ -27,6 +27,7 @@ import java.util.Map; import java.util.Properties; +import jdk.tools.jlink.internal.LinkableRuntimeImage; import jtreg.SkippedException; import jdk.test.lib.Asserts; import tests.Helper; @@ -35,10 +36,11 @@ * @bug 8377819 * @summary Test the --security-properties plugin * @library ../../lib /test/lib - * @modules java.base/jdk.internal.jimage + * @modules jdk.jlink/jdk.tools.jlink.internal + * java.base/jdk.internal.jimage * jdk.jlink/jdk.tools.jimage * @build tests.* - * @run main SecurityPropertiesPluginTest + * @run main/othervm SecurityPropertiesPluginTest */ public class SecurityPropertiesPluginTest { 
@@ -47,10 +49,11 @@ public class SecurityPropertiesPluginTest { private static String SECPROPS_PATH = "conf/security/java.security"; private static String TEST_DIR = System.getProperty("test.dir", "."); + private static final boolean LINKABLE_RUNTIME = LinkableRuntimeImage.isLinkableRuntime(); public static void main(String[] args) throws Throwable { - helper = Helper.newHelper(); + helper = Helper.newHelper(LINKABLE_RUNTIME); if (helper == null) { throw new SkippedException("Test not run"); } 

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/30635#discussion_r3057120762
PR Review Comment: https://git.openjdk.org/jdk/pull/30635#discussion_r3057640082
PR Review Comment: https://git.openjdk.org/jdk/pull/30635#discussion_r3057731356
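Review bot: the switch from `@run main` to `@run main/othervm` in the jtreg header (hunk `@@ -35,10 +36,11 @@`) has no stated reason. A short comment in the test header, or a sentence in the accompanying text, saying why the test now needs its own VM would keep a later cleanup from reverting it. The added `@modules jdk.jlink/jdk.tools.jlink.internal` line is needed only for the new `LinkableRuntimeImage` import, so the two should be kept or dropped together.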
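Review bot: in the hunk at `@@ -47,10 +49,11 @@`, the `helper == null` path still throws `SkippedException("Test not run")`, which gives no reason for the skip. Since the call is now `Helper.newHelper(LINKABLE_RUNTIME)`, the message should state which condition was not met so that a skipped run can be diagnosed from the jtreg log. `LINKABLE_RUNTIME` is read only once in the visible lines, so `Helper.newHelper(LinkableRuntimeImage.isLinkableRuntime())` would avoid the extra static field; if the field stays, it sits oddly next to the non-final `SECPROPS_PATH` and `TEST_DIR`, which could be made `final` as well.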
