14.2. Debugging Security Policy Issues

You can enable debugging information to help you troubleshoot security policy-related issues. The java.security.debug option configures the level of security-related information reported.
The command java -Djava.security.debug=help will produce help output with the full range of debugging options. Setting the debug level to all is useful when troubleshooting a security-related failure whose cause is completely unknown, but for general use it will produce too much information. A sensible general default is access:failure .

Procedure 14.2. Enable general debugging

This procedure will enable a sensible general level of security-related debug information.
  • Add the following line to the file run.conf (Linux), or run.conf.bat (Windows):
    Linux

    JAVA_OPTS="$JAVA_OPTS -Djava.security.debug=access:failure"

    Windows

    JAVA_OPTS="%JAVA_OPTS% -Djava.security.debug=access:failure"

14.2.1. Debugging Security Manager

Note

The Debugging Security Manager was introduced with JBoss Enterprise Application Platform 5.1
The Debugging Security Manager org.jboss.system.security.DebuggingJavaSecurityManager prints out the protection domain corresponding to a failing permission. This additional information is very useful information when debugging permissions problems.

Procedure 14.3. Enable the Debugging Security Manager

This procedure will enable the Debugging Security Manager.
  1. Add the following option to $JBOSS_HOME/bin/run.conf (Linux) or $JBOSS_HOME/bin/run.conf.bat. See Configuration File for the location of this file.
    Linux

    JAVA_OPTS="$JAVA_OPTS -Djava.security.manager=org.jboss.system.security.DebuggingJavaSecurityManager"

    Windows

    JAVA_OPTS="%JAVA_OPTS% -Djava.security.manager=org.jboss.system.security.DebuggingJavaSecurityManager"

  2. Comment out all other java.security.manager references in the file.
  3. Ensure that the file still contains a java.security.policy option specifying the policy file to use
  4. Enable general debugging following the instruction in Procedure 14.2, “Enable general debugging”.

Note

The Debugging Security Manager has a significance performance cost. Do not use it in general production.