Java security in IBM Domino

It has come to my knowledge that what I considered "old" (i.e. well-known) knowledge may not be that know to many people.

For some Java code to be allowed to run on a Domino server you may need to add some security settings to the java.policy file (e.g. allow access to external network ressources). This file can be found in the jvm/lib/security library. However, whenever the Domino server (and the Notes client for that matter) is upgraded (even small upgrades) this file will be overwritten!!

So you have to add your adjustments again - and as a developer you may not even know that the server was upgraded (say from 9.0 to 9.0.1). Well, this is where you will be interested in another file in the same directory: java.security. This file contains a couple of interesting lines:

# The default is to have a single system-wide policy file,
# and a policy file in the user's home directory.
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${java.home}/lib/security/java.pol
policy.url.3=file:///${user.home}/.java.policy

Please note the second policy.url line. That means that you can add a file to the directory called "java.pol". It has the same syntax as java.policy. But the main difference is that it does not get removed on upgrades....

Updated: 25-06-2014

Mark Leusink had an issue with the above and went the extra step to verify that when you do an upgrade to Domino 9.0.1 FP1 the entire jvm/lib/security is replaced (due to an upgrade of the JVM). This will also be a problem with 9.0.2 (not released yet). So please back up your java.pol file before upgrading to either!!

You can see Mark's findings on his blog.

According to others who have run into this same issue it seems only to be related to Domino servers running on Windows.