
java sec_java.security file

The java.security file

(2009-10-30 10:44:21)

Tags: Miscellaneous

#
# This is the "master security properties file".
#
# In this file, various security properties are set for use by
# java.security classes. This is where users can statically register
# Cryptography Package Providers ("providers" for short). The term
# "provider" refers to a package or set of packages that supply a
# concrete implementation of a subset of the cryptography aspects of
# the Java Security API. A provider may, for example, implement one or
# more digital signature algorithms or message digest algorithms.
#
# Each provider must implement a subclass of the Provider class.
# To register a provider in this master security properties file,
# specify the Provider subclass name and priority in the format
#
# security.provider.<n>=<className>
#
# This declares a provider, and specifies its preference
# order n. The preference order is the order in which providers are
# searched for requested algorithms (when no specific provider is
# requested). The order is 1-based; 1 is the most preferred, followed
# by 2, and so on.
#
# <className> must specify the subclass of the Provider class whose
# constructor sets the values of various properties that are required
# for the Java Security API to look up the algorithms or other
# facilities implemented by the provider.
#
# There must be at least one provider specification in java.security.
# There is a default provider that comes standard with the JDK. It
# is called the "SUN" provider, and its Provider subclass
# named Sun appears in the sun.security.provider package. Thus, the
# "SUN" provider is registered via the following:
#
# security.provider.1=sun.security.provider.Sun
#
# (The number 1 is used for the default provider.)
#
# Note: Providers can be dynamically registered instead by calls to
# either the addProvider or insertProviderAt method in the Security
# class.
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.8=sun.security.smartcardio.SunPCSC
security.provider.9=sun.security.mscapi.SunMSCAPI

#
# Select the source of seed data for SecureRandom. By default an
# attempt is made to use the entropy gathering device specified by
# the securerandom.source property. If an exception occurs when
# accessing the URL then the traditional system/thread activity
# algorithm is used.
#
# On Solaris and Linux systems, if file:/dev/urandom is specified and it
# exists, a special SecureRandom implementation is activated by default.
# This "NativePRNG" reads random bytes directly from /dev/urandom.
#
# On Windows systems, the URLs file:/dev/random and file:/dev/urandom
# enables use of the Microsoft CryptoAPI seed functionality.
#
securerandom.source=file:/dev/urandom
#
# The entropy gathering device is described as a URL and can also
# be specified with the system property "java.security.egd". For example,
# -Djava.security.egd=file:/dev/urandom
# Specifying this system property will override the securerandom.source
# setting.

#
# Class to instantiate as the javax.security.auth.login.Configuration
# provider.
#
login.configuration.provider=com.sun.security.auth.login.ConfigFile

#
# Default login configuration file
#
#login.config.url.1=file:${user.home}/.java.login.config

#
# Class to instantiate as the system Policy. This is the name of the class
# that will be used as the Policy object.
#
policy.provider=sun.security.provider.PolicyFile

# The default is to have a single system-wide policy file,
# and a policy file in the user's home directory.
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy

# whether or not we expand properties in the policy file
# if this is set to false, properties (${...}) will not be expanded in policy
# files.
policy.expandProperties=true

# whether or not we allow an extra policy to be passed on the command line
# with -Djava.security.policy=somefile. Comment out this line to disable
# this feature.
policy.allowSystemProperty=true

# whether or not we look into the IdentityScope for trusted Identities
# when encountering a 1.1 signed JAR file. If the identity is found
# and is trusted, we grant it AllPermission.
policy.ignoreIdentityScope=false

#
# Default keystore type.
#
keystore.type=jks

#
# Class to instantiate as the system scope:
#
system.scope=sun.security.provider.IdentityDatabase

#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageAccess unless the
# corresponding RuntimePermission ("accessClassInPackage."+package) has
# been granted.
package.access=sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.

#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageDefinition unless the
# corresponding RuntimePermission ("defineClassInPackage."+package) has
# been granted.
#
# by default, no packages are restricted for definition, and none of
# the class loaders supplied with the JDK call checkPackageDefinition.
#
#package.definition=

#
# Determines whether this properties file can be appended to
# or overridden on the command line via -Djava.security.properties
#
security.overridePropertiesFile=true

#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
ssl.KeyManagerFactory.algorithm=SunX509
ssl.TrustManagerFactory.algorithm=PKIX

#
# The Java-level namelookup cache policy for successful lookups:
#
# any negative value: caching forever
# any positive value: the number of seconds to cache an address for
# zero: do not cache
#
# default value is forever (FOREVER). For security reasons, this
# caching is made forever when a security manager is set. When a security
# manager is not set, the default behavior is to cache for 30 seconds.
#
# NOTE: setting this to anything other than the default value can have
# serious security implications. Do not set it unless
# you are sure you are not exposed to DNS spoofing attack.
#
#networkaddress.cache.ttl=-1

# The Java-level namelookup cache policy for failed lookups:
#
# any negative value: cache forever
# any positive value: the number of seconds to cache negative lookup results
# zero: do not cache
#
# In some Microsoft Windows networking environments that employ
# the WINS name service in addition to DNS, name service lookups
# that fail may take a noticeably long time to return (approx. 5 seconds).
# For this reason the default caching policy is to maintain these
# results for 10 seconds.
#
#
networkaddress.cache.negative.ttl=10

#
# Properties to configure OCSP for certificate revocation checking
#
# The Online Certificate Status Protocol (OCSP) is one of two common methods for
# maintaining the security of servers and other network resources.
# The other, older method is the Certificate Revocation List (CRL), which in some
# cases can take the place of OCSP.

# Enable OCSP
#
# By default, OCSP is not used for certificate revocation checking.
# This property enables the use of OCSP when set to the value "true".
#
# NOTE: SocketPermission is required to connect to an OCSP responder.
#
# Example,
# ocsp.enable=true

#
# Location of the OCSP responder
#
# By default, the location of the OCSP responder is determined implicitly
# from the certificate being validated. This property explicitly specifies
# the location of the OCSP responder. The property is used when the
# Authority Information Access extension (defined in RFC 3280) is absent
# from the certificate or when it requires overriding.
#
# Example,
# ocsp.responderURL=http://ocsp.example.net:80

#
# Subject name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. In cases where
# the subject name alone is not sufficient to uniquely identify the certificate
# then both the "ocsp.responderCertIssuerName" and
# "ocsp.responderCertSerialNumber" properties must be used instead. When this
# property is set then those two properties are ignored.
#
# Example,
# ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"

#
# Issuer name of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# distinguished name (defined in RFC 2253) which identifies a certificate in
# the set of certificates supplied during cert path validation. When this
# property is set then the "ocsp.responderCertSerialNumber" property must also
# be set. When the "ocsp.responderCertSubjectName" property is set then this
# property is ignored.
#
# Example,
# ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"

#
# Serial number of the OCSP responder's certificate
#
# By default, the certificate of the OCSP responder is that of the issuer
# of the certificate being validated. This property identifies the certificate
# of the OCSP responder when the default does not apply. Its value is a string
# of hexadecimal digits (colon or space separators may be present) which
# identifies a certificate in the set of certificates supplied during cert path
# validation. When this property is set then the "ocsp.responderCertIssuerName"
# property must also be set. When the "ocsp.responderCertSubjectName" property
# is set then this property is ignored.
#
# Example,
# ocsp.responderCertSerialNumber=2A:FF:00
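The program below is an added example, not part of the java.security file or of the JDK: it reads back at runtime what the properties above established (provider preference order, which provider answers an unqualified lookup, the effective securerandom.source and DNS cache settings) and shows the dynamic insertProviderAt registration the file mentions. The class name SecurityPropsAudit and the "AuditMarker" provider are constructed for this example; it assumes JDK 9 or later for the Provider(String, String, String) constructor.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;

/** Shows, at runtime, what the java.security properties above established (added example, not JDK code). */
public class SecurityPropsAudit {
    /** Provider names in the preference order set by the security.provider.N lines (index 0 is order 1). */
    static String[] providerOrder() {
        return Arrays.stream(Security.getProviders()).map(Provider::getName).toArray(String[]::new);
    }

    /** Provider that serves an unqualified lookup: the first in preference order that offers the digest. */
    static String resolvedProvider(String digest) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance(digest).getProvider().getName();
    }

    /** Every provider able to serve the digest; anything inserted ahead of them via insertProviderAt() shadows them. */
    static String[] candidateProviders(String digest) {
        Provider[] ps = Security.getProviders("MessageDigest." + digest);
        return ps == null ? new String[0] : Arrays.stream(ps).map(Provider::getName).toArray(String[]::new);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String[] order = providerOrder();
        for (int i = 0; i < order.length; i++) {
            System.out.println((i + 1) + ". " + order[i]);
        }
        System.out.println("SHA-256 resolved to: " + resolvedProvider("SHA-256"));
        System.out.println("SHA-256 candidates:  " + String.join(", ", candidateProviders("SHA-256")));
        // securerandom.source decides whether NativePRNG (reading /dev/urandom) backs the default SecureRandom.
        System.out.println("securerandom.source=" + Security.getProperty("securerandom.source"));
        System.out.println("default SecureRandom algorithm: " + new SecureRandom().getAlgorithm());
        // The file warns against changing the positive-lookup TTL; null means the line is still commented out
        // and the built-in default applies. An override passed via -Djava.security.properties shows up here too.
        System.out.println("networkaddress.cache.ttl=" + Security.getProperty("networkaddress.cache.ttl"));
        System.out.println("networkaddress.cache.negative.ttl=" + Security.getProperty("networkaddress.cache.negative.ttl"));
        System.out.println("ocsp.enable=" + Security.getProperty("ocsp.enable"));
        // Dynamic registration, the alternative the file mentions: a constructed, empty provider at position 1.
        // It registers no algorithms, so it shadows nothing, but it moves every static provider down one place.
        Provider marker = new Provider("AuditMarker", "1.0", "constructed placeholder, registers no algorithms") {};
        int pos = Security.insertProviderAt(marker, 1);
        System.out.println("inserted at " + pos + "; order now starts with " + providerOrder()[0]);
        Security.removeProvider(marker.getName());
    }
}
```

Run it once with the stock file and once with -Djava.security.properties=some-override.properties to confirm that the override is honoured only while security.overridePropertiesFile=true.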
