On Thu, 9 Apr 2026 10:28:18 GMT, Severin Gehwolf <[email protected]> wrote:
>> This is a new jlink plugin which allows the user to specify values of
>> security properties it wants to override in the `java.security`
>> configuration file in a custom runtime image. This enhancement, along with
>> [the `cacerts` jlink plugin](https://github.com/openjdk/jdk/pull/29700),
>> allows users to more easily create runtimes that address the specific
>> security requirements of their applications.
>>
>> The command-line syntax takes a file containing properties that the user
>> wants to override.
>>
>> For example:
>>
>>
>>     jlink --security-properties props.security
>>
>>
>> where `props.security` is a file containing one or more properties in the
>> `java.security` file syntax.
>
> src/jdk.jlink/share/classes/jdk/tools/jlink/internal/plugins/SecurityPropertiesPlugin.java line 89:
>
>> 87:                 throw new IllegalArgumentException(
>> 88:                     "the include property is not supported");
>> 89:             }
>
> Why is this being treated specially? It makes the use-cases of using this
> `jlink` plugin more limited to editing the file in place (or using some
> post-processor). It would break some of the use cases we have with system
> crypto policies where this plugin would come in handy:
>
> Consider this use case:
> Take a generic JDK build that is about to be used to integrate with system
> crypto policies (see
> [JDK-8319332](https://bugs.openjdk.org/browse/JDK-8319332)) on some systems.
> The generic JDK build is also being used elsewhere where this isn't being
> done. The system policies are maintained by the OS and live in
> `/etc/crypto-policies/back-ends/java.config`, say. A custom `jlink`
> invocation including all modules with `--security-properties extra` could
> achieve this when `extra` contained
> `include=/etc/crypto-policies/back-ends/java.config`. The benefit of using
> this over `--security-properties /etc/crypto-policies/back-ends/java.config`
> is that the system policy file could be updated async to the `jlink` command
> being run.
The main issue I see with supporting the `include` directive is that its position relative to other properties is important. This is described in the [CSR](https://bugs.openjdk.org/browse/JDK-8319333):

    The effect of each definition is to include a referred security properties
    file inline, adding all its properties. Security properties defined before
    an include statement may be overridden by properties in the included file,
    if their names match. Conversely, properties defined after an include
    statement may override properties in the included file.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/30635#discussion_r3059220826
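
An added illustration of the precedence rule the CSR describes, not JDK code and not part of this thread: a small Python model that inlines an `include` at the point where it appears, then resolves the same constructed master file with the system policy included at the top versus at the bottom. The file contents are constructed; the paths reuse the ones mentioned in the thread. Accepting both `include=<path>` (the form written in the thread) and a bare `include <path>` is an assumption, and the JDK's own loader in `java.security.Security`, including its exact syntax and how it treats a missing included file or an include cycle, is not shown on this page.

```python
"""Model of how an include directive's position decides precedence in a
java.security-style properties file.  Added illustration, not JDK code."""

INCLUDE = "include"

# Constructed in-memory file set (path -> text); nothing is read from disk.
FILES = {
    "/jdk/conf/security/java.security": (
        "# constructed excerpt of a master file\n"
        "securerandom.source=file:/dev/random\n"
        "jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, \\\n"
        "    RC4, DES\n"
        "jdk.certpath.disabledAlgorithms=MD2, MD5\n"
    ),
    "/etc/crypto-policies/back-ends/java.config": (
        "# constructed stand-in for an OS-managed policy file\n"
        "jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, TLS_RSA_*\n"
        "jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1\n"
    ),
}


def parse(text):
    """Yield (key, value) pairs in file order; an include directive is
    reported as (INCLUDE, path).  Handles '#'/'!' comment lines and
    backslash line continuation; a line without '=' is skipped.
    Assumption: both 'include=<path>' and 'include <path>' are accepted."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        after = line[len(INCLUDE):len(INCLUDE) + 1]
        if line.startswith(INCLUDE) and after in (" ", "\t", "="):
            path = line[len(INCLUDE):].lstrip().lstrip("=").strip()
            yield INCLUDE, path
            continue
        key, sep, value = line.partition("=")
        if sep:
            yield key.strip(), value.strip()


def resolve(path, files=FILES, _chain=()):
    """Return the effective properties of `path`, inlining each include at
    the point where it appears: the included file overrides keys defined
    above it and is overridden by keys defined below it.  A missing file
    or an include cycle is an error in this model (assumption)."""
    if path in _chain:
        raise ValueError("include cycle: " + " -> ".join(_chain + (path,)))
    if path not in files:
        raise FileNotFoundError(path)
    props = {}
    for key, value in parse(files[path]):
        if key == INCLUDE:
            props.update(resolve(value, files, _chain + (path,)))
        else:
            props[key] = value
    return props


def with_include(master_path, include_path, position, files=FILES):
    """Return a copy of `files` whose master file carries an include line
    either at the 'top' or at the 'bottom' of its properties: the two
    places an override file's include could land if a tool merged it."""
    line = f"{INCLUDE}={include_path}\n"
    text = files[master_path]
    merged = line + text if position == "top" else text + line
    return {**files, master_path: merged}


def effective_tls_disabled(position):
    """Effective jdk.tls.disabledAlgorithms for the given include position."""
    master = "/jdk/conf/security/java.security"
    policy = "/etc/crypto-policies/back-ends/java.config"
    props = resolve(master, with_include(master, policy, position))
    return props["jdk.tls.disabledAlgorithms"]


if __name__ == "__main__":
    for pos in ("top", "bottom"):
        print(f"include at {pos}: {effective_tls_disabled(pos)}")
```

With the include at the bottom, the OS policy's `TLS_RSA_*` entry survives; with the include at the top, the master file's own `jdk.tls.disabledAlgorithms` line silently wins and the policy has no effect, which is the reason a merging tool cannot treat an `include` line like any other property.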
