C Environment Variables and System Properties

In many environments the command line is not readily accessible to start the application with necessary command-line options. This often arises with applications that use embedded VMs (meaning they use the Java Native Interface (JNI) Invocation API to start the VM), or where the startup is deeply nested in scripts. In these environments the JAVA_TOOL_OPTIONS environment variable can be useful to augment a command line.

When this environment variable is set, the JNI_CreateJavaVM function (in the JNI Invocation API) prepends the value of the environment variable to the options supplied in its JavaVMInitArgs argument.

This environment variable allows you to specify the initialization of tools, specifically the launching of native or Java programming language agents using the -agentlib or -javaagent options. In the following example the environment variable is set so that the HPROF profiler is launched when the application is started:

$ export JAVA_TOOL_OPTIONS="-agentlib:hprof"

This variable can also be used to augment the command line with other options for diagnostic purposes. For example, you can supply the -XX:OnError option to specify a script or command to be executed when a fatal error occurs.

Since this environment variable is examined at the time the JNI_CreateJavaVM function is called, it cannot be used to augment the command line with options that would normally be handled by the launcher, for example, VM selection using the -client option or the -server option.

For more information on using the JAVA_TOOL_OPTIONS environment variable, see the "JAVA_TOOL_OPTIONS" section of the JVM Tool Interface documentation at

This system property controls whether the security system of the Java Runtime Environment (JRE) prints trace messages during execution. This option can be useful when diagnosing an issue involving a security manager when a SecurityException is thrown.

The java.security.debug property can have the following values:

access

Print all checkPermission results.

The following additional options can be specified with the access option:

stack

Include stack trace.

domain

Dump all domains in context.

failure

Before throwing an exception, dump the stack and domain that did not have permission.

jar

Print JAR verification information.

policy

Print policy information.

scl

Print permissions that SecureClassLoader assigns.

For example, to print all checkPermission results and trace all domains in context, set the java.security.debug property to access,stack. To trace access failures, set the property to access,failure.

The following example shows the output of a checkPermission failure:

$ java -Djava.security.debug="access,failure" MyApp
access denied (java.net.SocketPermission server.foobar.com resolve
)
java.lang.Exception: Stack trace
    at java.lang.Thread.dumpStack(Thread.java:1158)
    at java.security.AccessControlContext.checkPermission
                          (AccessControlContext.java:253)
    at java.security.AccessController.checkPermission(AccessController.java:427)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at java.lang.SecurityManager.checkConnect(SecurityManager.java:1031)
    at java.net.InetAddress.getAllByName0(InetAddress.java:1117)
    at java.net.InetAddress.getAllByName0(InetAddress.java:1098)
    at java.net.InetAddress.getAllByName(InetAddress.java:1061)
    at java.net.InetAddress.getByName(InetAddress.java:958)
    at java.net.InetSocketAddress.<init>(InetSocketAddress.java:124)
    at java.net.Socket.<init>(Socket.java:178)
    at MyApp.main(MyApp.java:7)

For more information on the java.security.debug system property, see the "Troubleshooting Security" section of the Java SE Security documentation at