Check java.policy at Build Time to Avoid Runtime Errors

he changes to Java's security implementation have made it more robust and introduced more programmatic hooks for developers to add to Java's default security mechanisms. Oddly, even with the introduction of Java Authentication and Authorization Services (JAAS) and its subsequent inclusion in the core API as of JDK 1.4, Java security still relies on a structured text format for its core configuration files: java.security and java.policy. While it is well known that there is a certain amount of overhead to parse XML files, the idiosyncratic layout of a security "grant block" in java.policy means that there are no standard tools to effectively verify its syntactic correctness at build time.

If your security needs are minor, your policy file simple, and your team is small, then it is unlikely that you view this as a serious shortcoming. However, if your environment and security needs are complex, and your team is fairly large then there is ample opportunity to inadvertently introduce syntactic errors into the java.policy file that won't be recognized until runtime. While extending the Policy class to be backed by an XML file is an option, frequently Sun's default implementation is what is relied upon and this leaves open the possibility of runtime issues arising with the java.policy file.