2008-01-31

Java needs to check the validity of its security policy files better

So I have been spending today trying to get an application to run under a security policy file from an Ant build file. Not exactly a complex task. And yet neither the policy file nor the Ant build file seem to have enough error checking when they are used to make sure that there are not any stupid typos.

Take the policy file for instance. The JVM makes sure it is well-formed. But if you have a Permission object listed that does not exist, there is absolutely no warning about that fact. You would think that the failure to instantiate an object would be an error, especially for something like a security policy file, but apparently not. And you can't rely on policytool since it won't let you use some substitution string as the code base location (I have my Ant build files generate the policy file as needed to make it completely platform-independent).

And for Ant build and property files, there is no checks to make sure that properties actually exist by default. So if you have a slight typo in a property name for string replacement you won't know because it will just evaluate to the empty string. You can run in verbose or debug mode, but the amount of output is a bit much.

I can't believe I am having to consider writing a verification tool for Java security policy files that makes sure that the thing has no typos. At least it would give me an excuse to learn more Jython.