Troubleshooting Security (original) (raw)
To monitor security access, you can set the java.security.debugsystem property, which determines what trace messages are printed during execution. To view security properties, security providers, and TLS-related settings, specify the -XshowSettings:security option in thejava command.
To see a list of all debugging options, use the help option as follows._MyApp_ is any Java application. The javacommand prints the debugging options and then exits before running_MyApp_.
java -Djava.security.debug=help MyApp
Note:
- To use more than one option, separate options with a comma.
- JSSE also provides dynamic debug tracing support for SSL/TLS See Debugging Utilities.
The following table lists java.security.debug options and links to further information about each option:
| Option | Description | Further Information |
|---|---|---|
| all | Turn on all debugging | None |
| access | Print all results from the AccessController.checkPermission method. You can use the following options with the accessoption: stack: Include stack trace domain: Dump all domains in context failure: Before throwing exception, dump stack and domain that do not have permission You can use the following options with the stackand domain options: permission=: Only dump output if specified permission is being checked codebase=: Only dump output if specified codebase is being checked | Permissions |
| certpath | Turns on debugging for the PKIX CertPathValidator and CertPathBuilderimplementations.You can use the following options with the certpath option: ocsp: Dump OCSP protocol exchanges. A hexadecimal dump of the OCSP request and response bytes is displayed. verbose: Print additional debugging information | Java PKI Programmer's Guide |
| combiner | SubjectDomainCombinerdebugging | Permissions |
| configfile | JAAS (Java Authentication and Authorization Service) configuration file loading | Java Authentication and Authorization Service (JAAS) Reference Guide Use of JAAS Login Utility and Java GSS-API for Secure Message Exchanges |
| configparser | JAAS configuration file parsing | Java Authentication and Authorization Service (JAAS) Reference Guide Use of JAAS Login Utility and Java GSS-API for Secure Message Exchanges |
| gssloginconfig | Java GSS (Generic Security Services) login configuration file debugging | Java Generic Security Services: (Java GSS) and Kerberos Introduction to JAAS and Java GSS-API Tutorials javax.security.auth.login.Configuration: A Configuration object is responsible for specifying whichLoginModulesshould be used for a particular application, and in what order theLoginModules should be invoked. JAAS Login Configuration File Advanced Security Programming in Java SE Authentication, Secure Communication and Single Sign-On |
| jar | JAR file verification | Verifying Signed JAR Files from The Java Tutorials Note: Use the System propertyjdk.jar.maxSignatureFileSize to specify the maximum size, in bytes, of signature files in a signed JAR. Its default value is 16000000(16 MB). |
| jca | JCA engine class debugging | Engine Classes and Algorithms |
| keystore | Keystore debugging | Key Management The KeyStore class |
| logincontext | LoginContextresults | Permissions |
| pcsc | Java Smart Card I/O and SunPCSC provider debugging | TheSunPCSC Provider and thejavax.smartcardiopackage |
| pkcs11 | PKCS11 session manager debugging | PKCS#11 Reference Guide |
| pkcs11keystore | PKCS11 KeyStore debugging | PKCS#11 Reference Guide |
| pkcs12 | PKCS12 KeyStore debugging | None |
| policy | Loading and granting permissions with policy file | Set up the Policy File to Grant the Required Permissions (Controlling Applications) from The Java Tutorials Set up a Policy File to Grant the Required Permission (Controlling Applets) from The Java Tutorials policytool (Solaris or macOS) policytool (Windows) Default Policy Implementation and Policy File Syntax |
| properties | java.security configuration file debugging | None |
| provider | Security provider debuggingYou can use the engine= option with theprovider option: The output is displayed only for a specified list of JCA engines. The supported values for__ are: Cipher KeyAgreement KeyGenerator KeyPairGenerator KeyStore Mac MessageDigest SecureRandom Signature | The Security Manager from The Java Tutorials |
| scl | Permissions SecureClassLoaderassigns | Permissions |
| sunpkcs11 | SunPKCS11 provider debugging | PKCS#11 Reference Guide |
| ts | Timestamping debugging | None |
| x509 | X.509 certificate debugging | X.509 Certificates and Certificate Revocation Lists (CRLs) |
The java -XshowSettings:security Option
You can specify the option -XshowSettings:security option in thejava command to view security properties, security providers, and TLS-related settings. The option shows third-party security provider details if they are included in the application class path and such providers are configured in the java.security file.
In addition, you can specify-XshowSettings🪪_<subcategory>_ where_<subcategory>_ is one of the following:
all: show all security settingsproperties: show security propertiesproviders: show static security provider settingstls: show TLS-related security settings