Improved compatibility and properly packaged jre

jre/macos/customjre/conf/jaxp.properties

@@ -0,0 +1,180 @@
+################################################################################
+#           JAXP Configuration File
+#
+# jaxp.properties (this file) is the default configuration file for JAXP, the API
+# defined in the java.xml module. It is in java.util.Properties format and typically
+# located in the {java.home}/conf directory. It may contain key/value pairs for
+# specifying the implementation classes of JAXP factories and/or properties
+# that have corresponding system properties.
+#
+# A user-specified configuration file can be set up using the system property
+# java.xml.config.file to override any or all of the entries in jaxp.properties.
+# The following statement provides myConfigurationFile as a custom configuration
+# file:
+#     java -Djava.xml.config.file=myConfigurationFile
+################################################################################
+
+# ---- JAXP Default Configuration ----
+#
+# The JAXP default configuration (jaxp.properties) contains entries for the
+# Factory Lookup Mechanism and properties with corresponding system properties.
+# The values are generally set to the default values of the properties.
+#
+#
+# JAXP Lookup Mechanism:
+#
+# The JAXP configuration file ranks 2nd to the System Property in the precedent
+# order of the JAXP Lookup Mechanism. When the System Property is not specified,
+# a JAXP factory reads the configuration file in order to locate an implementation
+# class. If found, the class specified will be used as the factory implementation
+# class.
+#
+# The format of an entry is key=value where the key is the fully qualified name
+# of the factory and value that of the implementation class. The following entry
+# set a DocumentBuilderFactory implementation class:
+#
+# javax.xml.parsers.DocumentBuilderFactory=com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl
+#
+#
+# Java SE and JDK Implementation Specific Properties:
+#
+# The JAXP configuration file ranks above the default settings in the Property
+# Precedence in that its entries will override the default values of the corresponding
+# properties.
+#
+# All properties that have System Properties defined in Java SE or supported
+# by the JDK Implementation can be placed in the configuration file to override
+# the default property values. The format is:
+#     system-property-name=value
+#
+# For example, the FILES property in CatalogFeatures has an associated system
+# property called javax.xml.catalog.files. An entry for the FILES property in the
+# configuration file would therefore use javax.xml.catalog.files as the key, that
+# is:
+#     javax.xml.catalog.files=strict
+#
+#
+# Extension Functions:
+#
+# This property determines whether XSLT and XPath extension functions are allowed.
+# The value type is boolean and the default value is true (allowing
+# extension functions). The following entry would override the default value and
+# disallow extension functions:
+#
+# jdk.xml.enableExtensionFunctions=false
+#
+#
+# Overriding the default parser:
+#
+# This property allows using a third party implementation to override the default
+# parser provided by the JDK. The value type is boolean and the default value is
+# false, disallowing overriding the default parser. The setting below reflects
+# the default property setting:
+#
+jdk.xml.overrideDefaultParser=false
+#
+#
+# External Access Properties:
+#
+# The External Access Properties are defined in javax.xml.XMLConstants. Their
+# system properties are javax.xml.accessExternalDTD, javax.xml.accessExternalSchema,
+# and javax.xml.accessExternalStylesheet. The values are a list of protocols separated
+# by comma, plus empty string ("") to represent no protocol allowed and the key
+# word "all" for all access. The default is "all", allowing all external resources
+# to be fetched. The followings are example of external access settings:
+#
+# allow local (file) DTDs to be retrieved
+# javax.xml.accessExternalDTD=file
+#
+# allow local (file) and remote (http) external schemas
+# javax.xml.accessExternalSchema=file, http
+#
+# reject any external stylesheets
+# javax.xml.accessExternalStylesheet=""
+#
+# allow all external stylesheets
+# javax.xml.accessExternalStylesheet="all"
+#
+#
+# Catalog Properties:
+#
+# The Catalog API defines four features: FILES, PREFER, DEFER and RESOLVE.
+# Except PREFER, all other properties can be placed in the configuration file
+# using the system properties defined for them.
+#
+# FILES: A semicolon-delimited list of URIs to locate the catalog files. The URIs
+# must be absolute and have a URL protocol handler for the URI scheme. The following
+# is an example of setting up a catalog file:
+#
+# javax.xml.catalog.files = file:///users/auser/catalog/catalog.xml
+#
+# DEFER: Indicates that the alternative catalogs including those specified in
+# delegate entries or nextCatalog are not read until they are needed. The value
+# is a boolean and the default value is true.
+#
+# javax.xml.catalog.defer=true
+#
+# RESOLVE: Determines the action if there is no matching entry found after all of
+# the specified catalogs are exhausted. The values are key words: strict, continue,
+# and ignore. The default is strict. The following setting reflects the default
+# setting.
+#
+# javax.xml.catalog.resolve=strict
+#
+#
+# useCatalog:
+# This property instructs XML processors to use XML Catalogs to resolve entity
+# references. The value is a boolean and the default value is true.
+#
+# javax.xml.useCatalog=true
+#
+#
+# Implementation Specific Properties - Limits
+#
+# Limits have a value type Integer. The values must be positive integers. Zero
+# means no limit.
+#
+# Limits the number of entity expansions. The default value is 64000
+# jdk.xml.entityExpansionLimit=64000
+#
+# Limits the total size of all entities that include general and parameter entities.
+# The size is calculated as an aggregation of all entities. The default value is 5x10^7.
+# jdk.xml.totalEntitySizeLimit=5E7
+#
+# Limits the maximum size of any general entities. The default value is 0.
+# jdk.xml.maxGeneralEntitySizeLimit=0
+#
+# Limits the maximum size of any parameter entities, including the result of
+# nesting multiple parameter entities. The default value is 10^6.
+# jdk.xml.maxParameterEntitySizeLimit=1E6
+#
+# Limits the total number of nodes in all entity references. The default value is 3x10^6.
+# jdk.xml.entityReplacementLimit=3E6
+#
+# Limits the number of attributes an element can have. The default value is 10000.
+# jdk.xml.elementAttributeLimit=10000
+#
+# Limits the number of content model nodes that may be created when building a
+# grammar for a W3C XML Schema that contains maxOccurs attributes with values
+# other than "unbounded". The default value is 5000.
+# jdk.xml.maxOccurLimit=5000
+#
+# Limits the maximum element depth. The default value is 0.
+# jdk.xml.maxElementDepth=0
+#
+# Limits the maximum size of XML names, including element name, attribute name
+# and namespace prefix and URI. The default value is 1000.
+jdk.xml.maxXMLNameLimit=1000
+#
+#
+# XPath Limits
+#
+# Limits the number of groups an XPath expression can contain. The default value is 10.
+jdk.xml.xpathExprGrpLimit=10
+#
+# Limits the number of operators an XPath expression can contain. The default value is 100.
+jdk.xml.xpathExprOpLimit=100
+#
+# Limits the total number of XPath operators in an XSL Stylesheet. The default value is 10000.
+jdk.xml.xpathTotalOpLimit=10000
+

jre/macos/customjre/conf/logging.properties

@@ -0,0 +1,63 @@
+############################################################
+#  	Default Logging Configuration File
+#
+# You can use a different file by specifying a filename
+# with the java.util.logging.config.file system property.
+# For example, java -Djava.util.logging.config.file=myfile
+############################################################
+
+############################################################
+#  	Global properties
+############################################################
+
+# "handlers" specifies a comma-separated list of log Handler
+# classes.  These handlers will be installed during VM startup.
+# Note that these classes must be on the system classpath.
+# By default we only configure a ConsoleHandler, which will only
+# show messages at the INFO and above levels.
+handlers= java.util.logging.ConsoleHandler
+
+# To also add the FileHandler, use the following line instead.
+#handlers= java.util.logging.FileHandler, java.util.logging.ConsoleHandler
+
+# Default global logging level.
+# This specifies which kinds of events are logged across
+# all loggers.  For any given facility this global level
+# can be overridden by a facility-specific level
+# Note that the ConsoleHandler also has a separate level
+# setting to limit messages printed to the console.
+.level= INFO
+
+############################################################
+# Handler specific properties.
+# Describes specific configuration info for Handlers.
+############################################################
+
+# default file output is in user's home directory.
+java.util.logging.FileHandler.pattern = %h/java%u.log
+java.util.logging.FileHandler.limit = 50000
+java.util.logging.FileHandler.count = 1
+# Default number of locks FileHandler can obtain synchronously.
+# This specifies maximum number of attempts to obtain lock file by FileHandler
+# implemented by incrementing the unique field %u as per FileHandler API documentation.
+java.util.logging.FileHandler.maxLocks = 100
+java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter
+
+# Limit the messages that are printed on the console to INFO and above.
+java.util.logging.ConsoleHandler.level = INFO
+java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
+
+# Example to customize the SimpleFormatter output format
+# to print one-line log message like this:
+#     <level>: <log message> [<date/time>]
+#
+# java.util.logging.SimpleFormatter.format=%4$s: %5$s [%1$tc]%n
+
+############################################################
+# Facility-specific properties.
+# Provides extra control for each logger.
+############################################################
+
+# For example, set the com.xyz.foo logger to only log SEVERE
+# messages:
+# com.xyz.foo.level = SEVERE

jre/macos/customjre/conf/net.properties

@@ -0,0 +1,147 @@
+############################################################
+#       Default Networking Configuration File
+#
+# This file may contain default values for the networking system properties.
+# These values are only used when the system properties are not specified
+# on the command line or set programmatically.
+# For now, only the various proxy settings can be configured here.
+############################################################
+
+# Whether or not the DefaultProxySelector will default to System Proxy
+# settings when they do exist.
+# Set it to 'true' to enable this feature and check for platform
+# specific proxy settings
+# Note that the system properties that do explicitly set proxies
+# (like http.proxyHost) do take precedence over the system settings
+# even if java.net.useSystemProxies is set to true.
+
+java.net.useSystemProxies=false
+
+#------------------------------------------------------------------------
+# Proxy configuration for the various protocol handlers.
+# DO NOT uncomment these lines if you have set java.net.useSystemProxies
+# to true as the protocol specific properties will take precedence over
+# system settings.
+#------------------------------------------------------------------------
+
+# HTTP Proxy settings. proxyHost is the name of the proxy server
+# (e.g. proxy.mydomain.com), proxyPort is the port number to use (default
+# value is 80) and nonProxyHosts is a '|' separated list of hostnames which
+# should be accessed directly, ignoring the proxy server (default value is
+# localhost & 127.0.0.1).
+#
+# http.proxyHost=
+# http.proxyPort=80
+http.nonProxyHosts=localhost|127.*|[::1]
+#
+# HTTPS Proxy Settings. proxyHost is the name of the proxy server
+# (e.g. proxy.mydomain.com), proxyPort is the port number to use (default
+# value is 443). The HTTPS protocol handlers uses the http nonProxyHosts list.
+#
+# https.proxyHost=
+# https.proxyPort=443
+#
+# FTP Proxy settings. proxyHost is the name of the proxy server
+# (e.g. proxy.mydomain.com), proxyPort is the port number to use (default
+# value is 80) and nonProxyHosts is a '|' separated list of hostnames which
+# should be accessed directly, ignoring the proxy server (default value is
+# localhost & 127.0.0.1).
+#
+# ftp.proxyHost=
+# ftp.proxyPort=80
+ftp.nonProxyHosts=localhost|127.*|[::1]
+#
+# Socks proxy settings. socksProxyHost is the name of the proxy server
+# (e.g. socks.domain.com), socksProxyPort is the port number to use
+# (default value is 1080)
+#
+# socksProxyHost=
+# socksProxyPort=1080
+#
+# HTTP Keep Alive settings. remainingData is the maximum amount of data
+# in kilobytes that will be cleaned off the underlying socket so that it
+# can be reused (default value is 512K), queuedConnections is the maximum
+# number of Keep Alive connections to be on the queue for clean up (default
+# value is 10).
+# http.KeepAlive.remainingData=512
+# http.KeepAlive.queuedConnections=10
+
+# Authentication Scheme restrictions for HTTP and HTTPS.
+#
+# In some environments certain authentication schemes may be undesirable
+# when proxying HTTP or HTTPS.  For example, "Basic" results in effectively the
+# cleartext transmission of the user's password over the physical network.
+# This section describes the mechanism for disabling authentication schemes
+# based on the scheme name. Disabled schemes will be treated as if they are not
+# supported by the implementation.
+#
+# The 'jdk.http.auth.tunneling.disabledSchemes' property lists the authentication
+# schemes that will be disabled when tunneling HTTPS over a proxy, HTTP CONNECT.
+# The 'jdk.http.auth.proxying.disabledSchemes' property lists the authentication
+# schemes that will be disabled when proxying HTTP.
+#
+# In both cases the property is a comma-separated list of, case-insensitive,
+# authentication scheme names, as defined by their relevant RFCs. An
+# implementation may, but is not required to, support common schemes whose names
+# include: 'Basic', 'Digest', 'NTLM', 'Kerberos', 'Negotiate'.  A scheme that
+# is not known, or not supported, by the implementation is ignored.
+#
+# Note: This property is currently used by the JDK Reference implementation. It
+# is not guaranteed to be examined and used by other implementations.
+#
+#jdk.http.auth.proxying.disabledSchemes=
+jdk.http.auth.tunneling.disabledSchemes=Basic
+
+#
+# Allow restricted HTTP request headers
+#
+# By default, the following request headers are not allowed to be set by user code
+# in HttpRequests: "connection", "content-length", "expect", "host" and "upgrade".
+# The 'jdk.httpclient.allowRestrictedHeaders' property allows one or more of these
+# headers to be specified as a comma separated list to override the default restriction.
+# The names are case-insensitive and white-space is ignored (removed before processing
+# the list). Note, this capability is mostly intended for testing and isn't expected
+# to be used in real deployments. Protocol errors or other undefined behavior is likely
+# to occur when using them. The property is not set by default.
+# Note also, that there may be other headers that are restricted from being set
+# depending on the context. This includes the "Authorization" header when the
+# relevant HttpClient has an authenticator set. These restrictions cannot be
+# overridden by this property.
+#
+# jdk.httpclient.allowRestrictedHeaders=host
+#
+#
+# Transparent NTLM HTTP authentication mode on Windows. Transparent authentication
+# can be used for the NTLM scheme, where the security credentials based on the
+# currently logged in user's name and password can be obtained directly from the
+# operating system, without prompting the user. This property has three possible
+# values which regulate the behavior as shown below. Other unrecognized values
+# are handled the same as 'disabled'. Note, that NTLM is not considered to be a
+# strongly secure authentication scheme and care should be taken before enabling
+# this mechanism.
+#
+# Transparent authentication never used.
+#jdk.http.ntlm.transparentAuth=disabled
+#
+# Enabled for all hosts.
+#jdk.http.ntlm.transparentAuth=allHosts
+#
+# Enabled for hosts that are trusted in Windows Internet settings
+#jdk.http.ntlm.transparentAuth=trustedHosts
+#
+jdk.http.ntlm.transparentAuth=disabled
+#
+# Default directory where automatically bound Unix domain server
+# sockets are stored. Sockets are automatically bound when bound
+# with a null address.
+#
+# On Unix the search order to determine this directory is:
+#
+# 1. System property jdk.net.unixdomain.tmpdir
+#
+# 2. Networking property jdk.net.unixdomain.tmpdir specified
+#    in this file (effective default)
+#
+# 3. System property java.io.tmpdir
+#
+jdk.net.unixdomain.tmpdir=/tmp

jre/macos/customjre/conf/security/java.policy

@@ -0,0 +1,46 @@
+//
+// This system policy file grants a set of default permissions to all domains
+// and can be configured to grant additional permissions to modules and other
+// code sources. The code source URL scheme for modules linked into a
+// run-time image is "jrt".
+//
+// For example, to grant permission to read the "foo" property to the module
+// "com.greetings", the grant entry is:
+//
+// grant codeBase "jrt:/com.greetings" {
+//     permission java.util.PropertyPermission "foo", "read";
+// };
+//
+
+// default permissions granted to all domains
+grant {
+    // allows anyone to listen on dynamic ports
+    permission java.net.SocketPermission "localhost:0", "listen";
+
+    // "standard" properties that can be read by anyone
+    permission java.util.PropertyPermission "java.version", "read";
+    permission java.util.PropertyPermission "java.vendor", "read";
+    permission java.util.PropertyPermission "java.vendor.url", "read";
+    permission java.util.PropertyPermission "java.class.version", "read";
+    permission java.util.PropertyPermission "os.name", "read";
+    permission java.util.PropertyPermission "os.version", "read";
+    permission java.util.PropertyPermission "os.arch", "read";
+    permission java.util.PropertyPermission "file.separator", "read";
+    permission java.util.PropertyPermission "path.separator", "read";
+    permission java.util.PropertyPermission "line.separator", "read";
+    permission java.util.PropertyPermission
+                   "java.specification.version", "read";
+    permission java.util.PropertyPermission
+                   "java.specification.maintenance.version", "read";
+    permission java.util.PropertyPermission "java.specification.vendor", "read";
+    permission java.util.PropertyPermission "java.specification.name", "read";
+    permission java.util.PropertyPermission
+                   "java.vm.specification.version", "read";
+    permission java.util.PropertyPermission
+                   "java.vm.specification.vendor", "read";
+    permission java.util.PropertyPermission
+                   "java.vm.specification.name", "read";
+    permission java.util.PropertyPermission "java.vm.version", "read";
+    permission java.util.PropertyPermission "java.vm.vendor", "read";
+    permission java.util.PropertyPermission "java.vm.name", "read";
+};

jre/macos/customjre/conf/security/policy/README.txt

@@ -0,0 +1,54 @@
+
+            Java(TM) Cryptography Extension Policy Files
+    for the Java(TM) Platform, Standard Edition Runtime Environment
+
+                               README
+------------------------------------------------------------------------
+
+Import and export control rules on cryptographic software vary from
+country to country.  The Java Cryptography Extension (JCE) architecture
+allows flexible cryptographic key strength to be configured via the
+jurisdiction policy files which are referenced by the "crypto.policy"
+security property in the <java-home>/conf/security/java.security file.
+
+By default, Java provides two different sets of cryptographic policy
+files:
+
+    unlimited:  These policy files contain no restrictions on cryptographic
+                strengths or algorithms
+
+    limited:    These policy files contain more restricted cryptographic
+                strengths
+
+These files reside in <java-home>/conf/security/policy in the "unlimited"
+or "limited" subdirectories respectively.
+
+Each subdirectory contains a complete policy configuration,
+and subdirectories can be added/edited/removed to reflect your
+import or export control product requirements.
+
+Within a subdirectory, the effective policy is the combined minimum
+permissions of the grant statements in the file(s) matching the filename
+pattern "default_*.policy".  At least one grant is required.  For example:
+
+    limited   =  Export (all) + Import (limited)  =  Limited
+    unlimited =  Export (all) + Import (all)      =  Unlimited
+
+The effective exemption policy is the combined minimum permissions
+of the grant statements in the file(s) matching the filename pattern
+"exempt_*.policy".  Exemption grants are optional.  For example:
+
+    limited   =  grants exemption permissions, by which the
+                 effective policy can be circumvented.
+                 e.g.  KeyRecovery/KeyEscrow/KeyWeakening.
+
+Please see the Java Cryptography Architecture (JCA) documentation for
+additional information on these files and formats.
+
+YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY
+TO DETERMINE THE EXACT REQUIREMENTS.
+
+Please note that the JCE for Java SE, including the JCE framework,
+cryptographic policy files, and standard JCE providers provided with
+the Java SE, have been reviewed and approved for export as mass market
+encryption item by the US Bureau of Industry and Security.

jre/macos/customjre/conf/security/policy/limited/default_US_export.policy

@@ -0,0 +1,6 @@
+// Default US Export policy file.
+
+grant {
+    // There is no restriction to any algorithms.
+    permission javax.crypto.CryptoAllPermission; 
+};

jre/macos/customjre/conf/security/policy/limited/default_local.policy

@@ -0,0 +1,14 @@
+// Some countries have import limits on crypto strength. This policy file
+// is worldwide importable.
+
+grant {
+    permission javax.crypto.CryptoPermission "DES", 64;
+    permission javax.crypto.CryptoPermission "DESede", *;
+    permission javax.crypto.CryptoPermission "RC2", 128, 
+                                     "javax.crypto.spec.RC2ParameterSpec", 128;
+    permission javax.crypto.CryptoPermission "RC4", 128;
+    permission javax.crypto.CryptoPermission "RC5", 128, 
+          "javax.crypto.spec.RC5ParameterSpec", *, 12, *;
+    permission javax.crypto.CryptoPermission "RSA", *;
+    permission javax.crypto.CryptoPermission *, 128;
+};

jre/macos/customjre/conf/security/policy/limited/exempt_local.policy

@@ -0,0 +1,13 @@
+// Some countries have import limits on crypto strength, but may allow for
+// these exemptions if the exemption mechanism is used.
+
+grant {
+    // There is no restriction to any algorithms if KeyRecovery is enforced.
+    permission javax.crypto.CryptoPermission *, "KeyRecovery"; 
+
+    // There is no restriction to any algorithms if KeyEscrow is enforced.
+    permission javax.crypto.CryptoPermission *, "KeyEscrow"; 
+
+    // There is no restriction to any algorithms if KeyWeakening is enforced. 
+    permission javax.crypto.CryptoPermission *, "KeyWeakening";
+};

jre/macos/customjre/conf/security/policy/unlimited/default_US_export.policy

@@ -0,0 +1,6 @@
+// Default US Export policy file.
+
+grant {
+    // There is no restriction to any algorithms.
+    permission javax.crypto.CryptoAllPermission; 
+};

jre/macos/customjre/conf/security/policy/unlimited/default_local.policy

@@ -0,0 +1,6 @@
+// Country-specific policy file for countries with no limits on crypto strength.
+
+grant {
+    // There is no restriction to any algorithms.
+    permission javax.crypto.CryptoAllPermission; 
+};