Providing JCE policies without patching the JRE

Question

In my project I had some issues with cryptography which I fixed by using "JCE Unlimited Strength Jurisdiction Policy Files". On local machine I just replaced some JARs in the jre/lib/security directory. However, I also need my project to build (to be precise, to run tests) on a continuous integration build server (Teamcity in my case, but I guess it's not very important), which means patching jars in the JRE directory of every build agent, which is not a good option at all.

Is there a way of specifying these JCE policies without patching the JRE?

Answer 1

Okay, I was actually able to bypass the policies using java reflection: How to avoid installing "Unlimited Strength" JCE policy files when deploying an application?

Looks like a dirty hack, but does work and doesn't require any licensing, signing and all that stuff.

Answer 2

According to the Java Cryptography Architecture (JCA) Reference Guide under How to Make Applications "Exempt" from Cryptographic Restrictions, you could bundle a policy file stating exemptions with your application's JAR, but the JAR must then be signed and it is not even sure that Oracle's default crypto providers support this:

(NOTE: The SunJCE provider does not supply an implementation of the ExemptionMechanismSpi class.)

Needless to say, I have not tested this way... ;) This looks way more complicated than replacing two files. I always installed the jurisdiction policy files on all my JVMs, but I use the Debian Alternatives System to have those files automatically replace the ones provided with the JDK. That makes upgrades much less painful.