Packaging JRE 11 - missing security policy #124

Open
Robert-Adelard opened this issue Nov 13, 2023 · 9 comments

Comments

@Robert-Adelard

Hello,

I configured SetupBuilder to include JRE 11.0.17 with my application, but my application failed to initialise:

Caused by: java.lang.SecurityException: Can't read cryptographic policy directory: unlimited
    at java.base/javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:326)

I suspect this is because the bundled JRE doesn't include the conf/security/policy folder, or because java.security.properties is not set correctly:

https://stackoverflow.com/questions/58182231/openjdk-11-error-can-not-initialize-cryptographic-mechanism

Please advise.

Thanks.

Robert

@Horcrux7
Member

SetupBuilder does not differentiate between individual JRE/SDK files. All files in the specified directory are actually packed.

  • How did you set up the bundled Java VM?
  • Are you sure that your original Java VM has the missing file?
  • Does the file have different file access permissions, so that SetupBuilder can't read it?
  • Is the file java.security.properties the only difference between the source Java VM and the installed Java VM?

@Robert-Adelard
Author

Thank you for your reply - sorry for the delay in responding. To answer your questions:

1. How did you set up the bundled Java VM?

Here is the relevant extract from my build.gradle file:

setupBuilder {
    ...
    bundleJre = "11.0.17"
    mainClass = 'org.springframework.boot.loader.WarLauncher'
    mainJar = "${archiveFileName}"

    dmg {
        architecture = ["arm64"]
    }
    ...
}

2. Are you sure that your original Java VM has the missing file?

Yes - here is the output from gradle dmg:

Task :application:dmg
	Starting the build.
	Running the build.
	Preparing 0 services.
	BuildDir now: /Users/rjs/.../application/build/tmp/dmg
	Command: "/usr/libexec/java_home" "-v" "11.0.17" "-F"
	bundle JRE: /Library/Java/JavaVirtualMachines/jdk-11.0.17.jdk/Contents/Home

Here is a screenshot showing the contents of the JDK 11.0.17 Home directory, which includes the missing file:

image

3. Does the file have different file access permissions, so that SetupBuilder can't read it?

No - I've checked permissions and all the files / directories in the JDK home directory are world readable / searchable.

4. Is the file java.security.properties the only difference between the source Java VM and installed Java VM?

No - most of the Java home directory has not been copied. Here is a screen shot that shows the content of the application bundle:

image

@Robert-Adelard
Author

Looking at a previous version of my application, which was bundled with JDK 8, it looks as though SetupBuilder does a partial copy of the contents of the jre folder, specifically, jre/bin/java and jre/lib.

image

My JDK 11 folder does not contain a jre folder, so SetupBuilder copies the contents of bin\java and lib.

Unfortunately, the missing security policy is contained in conf/security/policy, which is not copied.

For JDK 8, the security policy is contained in jre/lib/security/policy, which explains why JDK 8 works and JDK 11 does not.
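
A pre-release check for the failure diagnosed above, as an added example that is not part of the original thread or of SetupBuilder: it tells the two layouts apart and verifies that the policy directory named by crypto.policy survived packaging. The function names are hypothetical; it assumes lib/modules marks a JDK 9+ runtime, rt.jar marks a JDK 8 one (8u151 or later for the policy sub-directories), and that "unlimited" applies when crypto.policy is unset.

```shell
# Added example (hypothetical helper names): check that a bundled Java runtime
# still has the jurisdiction policy directory JceSecurity reads at startup.

# Print crypto.policy from a java.security file. Assumption: "unlimited" is
# the effective default when the property or the file is absent.
crypto_policy_name() {
    value=""
    if [ -r "$1" ]; then
        value=$(sed -n 's/^[[:space:]]*crypto\.policy[[:space:]]*=[[:space:]]*//p' "$1" |
            tail -n 1 | tr -d '[:space:]')
    fi
    echo "${value:-unlimited}"
}

# check_jce_policy RUNTIME_HOME
# Returns 0 if the policy directory is present, 1 if missing, 2 if the layout is unknown.
check_jce_policy() {
    home=$1
    if [ -f "$home/lib/modules" ]; then        # JDK 9+ layout: conf/security
        secdir="$home/conf/security"
    elif [ -f "$home/jre/lib/rt.jar" ]; then   # JDK 8 home with nested jre/
        secdir="$home/jre/lib/security"
    elif [ -f "$home/lib/rt.jar" ]; then       # JRE 8 home
        secdir="$home/lib/security"
    else
        echo "unrecognised runtime layout: $home" >&2
        return 2
    fi
    policy_dir="$secdir/policy/$(crypto_policy_name "$secdir/java.security")"
    if [ -d "$policy_dir" ] && [ -r "$policy_dir" ]; then
        echo "ok: $policy_dir"
        return 0
    fi
    echo "MISSING: $policy_dir" >&2
    return 1
}

# Constructed sample: a bundle where only bin/ and lib/ were copied.
demo_broken_bundle() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/lib"
    : > "$d/lib/modules"
    rc=0
    check_jce_policy "$d" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo_broken_bundle || echo "demo bundle would fail at startup (exit $?)"
```

Pointing check_jce_policy at the runtime directory inside the built installer image makes a missing conf/security/policy a build failure rather than a startup SecurityException on the user's machine.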

@gamma
Member

gamma commented Dec 15, 2023

Can you please try and add the following entries:

dmg {
    jreIncludes = [ '**' ]
    jreExcludes = [ '**/legal/**' ]
}

@Robert-Adelard
Author

Apparently Java 11 is no longer distributed with a JRE:

The whole structure with Java 11 has changed. Java is now a modular platform, where you can create your own "JRE" distribution with specifically the modules that you need to run your application.

https://stackoverflow.com/questions/53733312/where-is-jre-11

So I may have to find or build my own JRE...

@gamma
Member

gamma commented Dec 15, 2023

For that, check out the Temurin project. They have JREs and JDKs for every platform. We're using their VMs successfully, but we do rebuild the JRE from the JDK.

@Robert-Adelard
Author

Thanks @gamma - adding the jreIncludes fixed the problem, but it might be better to use a custom JRE to avoid distributing the entire JDK with my application.

@Robert-Adelard
Author

I notice that jreIncludes and jreExcludes only apply to the dmg task, which is for building macOS installers - would they not be useful for building installers on Windows and Linux too?

@Horcrux7
Member

I am the Windows developer of the plugin. I don't see the point of this include and exclude of files of the JDK, as the operating system does not add magic folders/files to the JDK directory. If you want a reduced Java runtime environment, it is better to reduce the Java VM to the required files and point to the directory where it is located.

Typically, the custom JDK is downloaded from a dependency repository such as Maven or Ivy. All developer and build nodes then include the same JDK in the setup.
