import java.util.regex.Matcher;
import java.util.regex.Pattern;
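
public class Example {
    public static void main(String[] args) {
        // Pattern under test: one or more digits between the ^ and $ anchors.
        final String regex = "^\\d+$";
        // Sample input: the text of a java.security master security properties file,
        // concatenated one line at a time.
        final String string = "This is the \"master security properties file\".\n"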
+ "#\n"
+ "this \n"
+ "# An alternate java.security properties file may be specified\n"
+ "# from the command line via the system property\n"
+ "#\n"
+ "# -Djava.security.properties=<URL>\n"
+ "#\n"
+ "# This properties file appends to the master security properties file.\n"
+ "# If both properties files specify values for the same key, the value\n"
+ "# from the command-line properties file is selected, as it is the last\n"
+ "# one loaded.\n"
+ "#\n"
+ "a\n"
+ "#\n"
+ "# -Djava.security.properties==<URL> (2 equals),\n"
+ "#\n"
+ "# then that properties file completely overrides the master security\n"
+ "# properties file.\n"
+ "#\n"
+ "# To disable the ability to specify an additional properties file from\n"
+ "# the command line, set the key security.overridePropertiesFile\n"
+ "# to false in the master security properties file. It is set to true\n"
+ "# by default.\n"
+ "#\n"
+ "# If this properties file fails to load, the JDK implementation will throw\n"
+ "# an unspecified error when initializing the java.security.Security class.\n\n"
+ "# In this file, various security properties are set for use by\n"
+ "# java.security classes. This is where users can statically register\n"
+ "# Cryptography Package Providers (\"providers\" for short). The term\n"
+ "# \"provider\" refers to a package or set of packages that supply a\n"
+ "# concrete implementation of a subset of the cryptography aspects of\n"
+ "# the Java Security API. A provider may, for example, implement one or\n"
+ "# more digital signature algorithms or message digest algorithms.\n"
+ "#\n"
+ "# Each provider must implement a subclass of the Provider class.\n"
+ "# To register a provider in this master security properties file,\n"
+ "# specify the provider and priority in the format\n"
+ "#\n"
+ "# security.provider.<n>=<provName | className>\n"
+ "#\n"
+ "# This declares a provider, and specifies its preference\n"
+ "# order n. The preference order is the order in which providers are\n"
+ "# searched for requested algorithms (when no specific provider is\n"
+ "# requested). The order is 1-based; 1 is the most preferred, followed\n"
+ "# by 2, and so on.\n"
+ "#\n"
+ "# <provName> must specify the name of the Provider as passed to its super\n"
+ "# class java.security.Provider constructor. This is for providers loaded\n"
+ "# through the ServiceLoader mechanism.\n"
+ "#\n"
+ "# <className> must specify the subclass of the Provider class whose\n"
+ "# constructor sets the values of various properties that are required\n"
+ "# for the Java Security API to look up the algorithms or other\n"
+ "# facilities implemented by the provider. This is for providers loaded\n"
+ "# through classpath.\n"
+ "#\n"
+ "# Note: Providers can be dynamically registered instead by calls to\n"
+ "# either the addProvider or insertProviderAt method in the Security\n"
+ "# class.\n\n"
+ "#\n"
+ "# List of providers and their preference orders (see above):\n"
+ "#\n"
+ "security.provider.1=SUN\n"
+ "security.provider.2=SunRsaSign\n"
+ "security.provider.3=SunEC\n"
+ "security.provider.4=SunJSSE\n"
+ "security.provider.5=SunJCE\n"
+ "security.provider.6=SunJGSS\n"
+ "security.provider.7=SunSASL\n"
+ "security.provider.8=XMLDSig\n"
+ "security.provider.9=SunPCSC\n"
+ "security.provider.10=JdkLDAP\n"
+ "security.provider.11=JdkSASL\n"
+ "security.provider.12=SunMSCAPI\n"
+ "security.provider.13=SunPKCS11\n\n"
+ "#\n"
+ "# A list of preferred providers for specific algorithms. These providers will\n"
+ "# be searched for matching algorithms before the list of registered providers.\n"
+ "# Entries containing errors (parsing, etc) will be ignored. Use the\n"
+ "# -Djava.security.debug=jca property to debug these errors.\n"
+ "#\n"
+ "# The property is a comma-separated list of serviceType.algorithm:provider\n"
+ "# entries. The serviceType (example: \"MessageDigest\") is optional, and if\n"
+ "# not specified, the algorithm applies to all service types that support it.\n"
+ "# The algorithm is the standard algorithm name or transformation.\n"
+ "# Transformations can be specified in their full standard name\n"
+ "# (ex: AES/CBC/PKCS5Padding), or as partial matches (ex: AES, AES/CBC).\n"
+ "# The provider is the name of the provider. Any provider that does not\n"
+ "# also appear in the registered list will be ignored.\n"
+ "#\n"
+ "# There is a special serviceType for this property only to group a set of\n"
+ "# algorithms together. The type is \"Group\" and is followed by an algorithm\n"
+ "# keyword. Groups are to simplify and lessen the entries on the property\n"
+ "# line. Current groups are:\n"
+ "# Group.SHA2 = SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256\n"
+ "# Group.HmacSHA2 = HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512\n"
+ "# Group.SHA2RSA = SHA224withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA\n"
+ "# Group.SHA2DSA = SHA224withDSA, SHA256withDSA, SHA384withDSA, SHA512withDSA\n"
+ "# Group.SHA2ECDSA = SHA224withECDSA, SHA256withECDSA, SHA384withECDSA, \\\n"
+ "# SHA512withECDSA\n"
+ "# Group.SHA3 = SHA3-224, SHA3-256, SHA3-384, SHA3-512\n"
+ "# Group.HmacSHA3 = HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512\n"
+ "#\n"
+ "# Example:\n"
+ "# jdk.security.provider.preferred=AES/GCM/NoPadding:SunJCE, \\\n"
+ "# MessageDigest.SHA-256:SUN, Group.HmacSHA2:SunJCE\n"
+ "#\n"
+ "#jdk.security.provider.preferred=\n\n\n"
+ "#\n"
+ "# Sun Provider SecureRandom seed source.\n"
+ "#\n"
+ "# Select the primary source of seed data for the \"NativePRNG\", \"SHA1PRNG\"\n"
+ "# and \"DRBG\" SecureRandom implementations in the \"Sun\" provider.\n"
+ "# (Other SecureRandom implementations might also use this property.)\n"
+ "#\n"
+ "# On Unix-like systems (for example, Linux/MacOS), the\n"
+ "# \"NativePRNG\", \"SHA1PRNG\" and \"DRBG\" implementations obtains seed data from\n"
+ "# special device files such as file:/dev/random.\n"
+ "#\n"
+ "# On Windows systems, specifying the URLs \"file:/dev/random\" or\n"
+ "# \"file:/dev/urandom\" will enable the native Microsoft CryptoAPI seeding\n"
+ "# mechanism for SHA1PRNG and DRBG.\n"
+ "#\n"
+ "# By default, an attempt is made to use the entropy gathering device\n"
+ "# specified by the \"securerandom.source\" Security property. If an\n"
+ "# exception occurs while accessing the specified URL:\n"
+ "#\n"
+ "# NativePRNG:\n"
+ "# a default value of /dev/random will be used. If neither\n"
+ "# are available, the implementation will be disabled.\n"
+ "# \"file\" is the only currently supported protocol type.\n"
+ "#\n"
+ "# SHA1PRNG and DRBG:\n"
+ "# the traditional system/thread activity algorithm will be used.\n"
+ "#\n"
+ "# The entropy gathering device can also be specified with the System\n"
+ "# property \"java.security.egd\". For example:\n"
+ "#\n"
+ "# % java -Djava.security.egd=file:/dev/random MainClass\n"
+ "#\n"
+ "# Specifying this System property will override the\n"
+ "# \"securerandom.source\" Security property.\n"
+ "#\n"
+ "# In addition, if \"file:/dev/random\" or \"file:/dev/urandom\" is\n"
+ "# specified, the \"NativePRNG\" implementation will be more preferred than\n"
+ "# DRBG and SHA1PRNG in the Sun provider.\n"
+ "#\n"
+ "securerandom.source=file:/dev/random\n\n"
+ "#\n"
+ "# A list of known strong SecureRandom implementations.\n"
+ "#\n"
+ "# To help guide applications in selecting a suitable strong\n"
+ "# java.security.SecureRandom implementation, Java distributions should\n"
+ "# indicate a list of known strong implementations using the property.\n"
+ "#\n"
+ "# This is a comma-separated list of algorithm and/or algorithm:provider\n"
+ "# entries.\n"
+ "#\n"
+ "securerandom.strongAlgorithms=Windows-PRNG:SunMSCAPI,DRBG:SUN\n\n"
+ "#\n"
+ "# Sun provider DRBG configuration and default instantiation request.\n"
+ "#\n"
+ "# NIST SP 800-90Ar1 lists several DRBG mechanisms. Each can be configured\n"
+ "# with a DRBG algorithm name, and can be instantiated with a security strength,\n"
+ "# prediction resistance support, etc. This property defines the configuration\n"
+ "# and the default instantiation request of \"DRBG\" SecureRandom implementations\n"
+ "# in the SUN provider. (Other DRBG implementations can also use this property.)\n"
+ "# Applications can request different instantiation parameters like security\n"
+ "# strength, capability, personalization string using one of the\n"
+ "# getInstance(...,SecureRandomParameters,...) methods with a\n"
+ "# DrbgParameters.Instantiation argument, but other settings such as the\n"
+ "# mechanism and DRBG algorithm names are not currently configurable by any API.\n"
+ "#\n"
+ "# Please note that the SUN implementation of DRBG always supports reseeding.\n"
+ "#\n"
+ "# The value of this property is a comma-separated list of all configurable\n"
+ "# aspects. The aspects can appear in any order but the same aspect can only\n"
+ "# appear at most once. Its BNF-style definition is:\n"
+ "#\n"
+ "# Value:\n"
+ "# aspect { \",\" aspect }\n"
+ "#\n"
+ "# aspect:\n"
+ "# mech_name | algorithm_name | strength | capability | df\n"
+ "#\n"
+ "# // The DRBG mechanism to use. Default \"Hash_DRBG\"\n"
+ "# mech_name:\n"
+ "# \"Hash_DRBG\" | \"HMAC_DRBG\" | \"CTR_DRBG\"\n"
+ "#\n"
+ "# // The DRBG algorithm name. The \"SHA-***\" names are for Hash_DRBG and\n"
+ "# // HMAC_DRBG, default \"SHA-256\". The \"AES-***\" names are for CTR_DRBG,\n"
+ "# // default \"AES-128\" when using the limited cryptographic or \"AES-256\"\n"
+ "# // when using the unlimited.\n"
+ "# algorithm_name:\n"
+ "# \"SHA-224\" | \"SHA-512/224\" | \"SHA-256\" |\n"
+ "# \"SHA-512/256\" | \"SHA-384\" | \"SHA-512\" |\n"
+ "# \"AES-128\" | \"AES-192\" | \"AES-256\"\n"
+ "#\n"
+ "# // Security strength requested. Default \"128\"\n"
+ "# strength:\n"
+ "# \"112\" | \"128\" | \"192\" | \"256\"\n"
+ "#\n"
+ "# // Prediction resistance and reseeding request. Default \"none\"\n"
+ "# // \"pr_and_reseed\" - Both prediction resistance and reseeding\n"
+ "# // support requested\n"
+ "# // \"reseed_only\" - Only reseeding support requested\n"
+ "# // \"none\" - Neither prediction resistance not reseeding\n"
+ "# // support requested\n"
+ "# pr:\n"
+ "# \"pr_and_reseed\" | \"reseed_only\" | \"none\"\n"
+ "#\n"
+ "# // Whether a derivation function should be used. only applicable\n"
+ "# // to CTR_DRBG. Default \"use_df\"\n"
+ "# df:\n"
+ "# \"use_df\" | \"no_df\"\n"
+ "#\n"
+ "# Examples,\n"
+ "# securerandom.drbg.config=Hash_DRBG,SHA-224,112,none\n"
+ "# securerandom.drbg.config=CTR_DRBG,AES-256,192,pr_and_reseed,use_df\n"
+ "#\n"
+ "# The default value is an empty string, which is equivalent to\n"
+ "# securerandom.drbg.config=Hash_DRBG,SHA-256,128,none\n"
+ "#\n"
+ "securerandom.drbg.config=\n\n"
+ "#\n"
+ "# Class to instantiate as the javax.security.auth.login.Configuration\n"
+ "# provider.\n"
+ "#\n"
+ "login.configuration.provider=sun.security.provider.ConfigFile\n\n"
+ "#\n"
+ "# Default login configuration file\n"
+ "#\n"
+ "#login.config.url.1=file:${user.home}/.java.login.config\n\n"
+ "#\n"
+ "# Class to instantiate as the system Policy. This is the name of the class\n"
+ "# that will be used as the Policy object. The system class loader is used to\n"
+ "# locate this class.\n"
+ "#\n"
+ "policy.provider=sun.security.provider.PolicyFile\n\n"
+ "# The default is to have a single system-wide policy file,\n"
+ "# and a policy file in the user's home directory.\n"
+ "#\n"
+ "policy.url.1=file:${java.home}/conf/security/java.policy\n"
+ "policy.url.2=file:${user.home}/.java.policy\n\n"
+ "# Controls whether or not properties are expanded in policy and login\n"
+ "# configuration files. If set to false, properties (${...}) will not\n"
+ "# be expanded in policy and login configuration files. If commented out or\n"
+ "# set to an empty string, the default value is \"false\" for policy files and\n"
+ "# \"true\" for login configuration files.\n"
+ "#\n"
+ "policy.expandProperties=true\n\n"
+ "# Controls whether or not an extra policy or login configuration file is\n"
+ "# allowed to be passed on the command line with -Djava.security.policy=somefile\n"
+ "# or -Djava.security.auth.login.config=somefile. If commented out or set to\n"
+ "# an empty string, the default value is \"false\".\n"
+ "#\n"
+ "policy.allowSystemProperty=true\n\n"
+ "# whether or not we look into the IdentityScope for trusted Identities\n"
+ "# when encountering a 1.1 signed JAR file. If the identity is found\n"
+ "# and is trusted, we grant it AllPermission. Note: the default policy\n"
+ "# provider (sun.security.provider.PolicyFile) does not support this property.\n"
+ "#\n"
+ "policy.ignoreIdentityScope=false\n\n"
+ "#\n"
+ "# Default keystore type.\n"
+ "#\n"
+ "keystore.type=pkcs12\n\n"
+ "#\n"
+ "# Controls compatibility mode for JKS and PKCS12 keystore types.\n"
+ "#\n"
+ "# When set to 'true', both JKS and PKCS12 keystore types support loading\n"
+ "# keystore files in either JKS or PKCS12 format. When set to 'false' the\n"
+ "# JKS keystore type supports loading only JKS keystore files and the PKCS12\n"
+ "# keystore type supports loading only PKCS12 keystore files.\n"
+ "#\n"
+ "keystore.type.compat=true\n\n"
+ "#\n"
+ "# List of comma-separated packages that start with or equal this string\n"
+ "# will cause a security exception to be thrown when passed to the\n"
+ "# SecurityManager::checkPackageAccess method unless the corresponding\n"
+ "# RuntimePermission(\"accessClassInPackage.\"+package) has been granted.\n"
+ "#\n"
+ "package.access=sun.misc.,\\\n"
+ " sun.reflect.\n\n"
+ "#\n"
+ "# List of comma-separated packages that start with or equal this string\n"
+ "# will cause a security exception to be thrown when passed to the\n"
+ "# SecurityManager::checkPackageDefinition method unless the corresponding\n"
+ "# RuntimePermission(\"defineClassInPackage.\"+package) has been granted.\n"
+ "#\n"
+ "# By default, none of the class loaders supplied with the JDK call\n"
+ "# checkPackageDefinition.\n"
+ "#\n"
+ "package.definition=sun.misc.,\\\n"
+ " sun.reflect.\n\n"
+ "#\n"
+ "# Determines whether this properties file can be appended to\n"
+ "# or overridden on the command line via -Djava.security.properties\n"
+ "#\n"
+ "security.overridePropertiesFile=true\n\n"
+ "#\n"
+ "# Determines the default key and trust manager factory algorithms for\n"
+ "# the javax.net.ssl package.\n"
+ "#\n"
+ "ssl.KeyManagerFactory.algorithm=SunX509\n"
+ "ssl.TrustManagerFactory.algorithm=PKIX\n\n"
+ "#\n"
+ "# The Java-level namelookup cache policy for successful lookups:\n"
+ "#\n"
+ "# any negative value: caching forever\n"
+ "# any positive value: the number of seconds to cache an address for\n"
+ "# zero: do not cache\n"
+ "#\n"
+ "# default value is forever (FOREVER). For security reasons, this\n"
+ "# caching is made forever when a security manager is set. When a security\n"
+ "# manager is not set, the default behavior in this implementation\n"
+ "# is to cache for 30 seconds.\n"
+ "#\n"
+ "# NOTE: setting this to anything other than the default value can have\n"
+ "# serious security implications. Do not set it unless\n"
+ "# you are sure you are not exposed to DNS spoofing attack.\n"
+ "#\n"
+ "#networkaddress.cache.ttl=-1\n\n"
+ "# The Java-level namelookup cache policy for failed lookups:\n"
+ "#\n"
+ "# any negative value: cache forever\n"
+ "# any positive value: the number of seconds to cache negative lookup results\n"
+ "# zero: do not cache\n"
+ "#\n"
+ "# In some Microsoft Windows networking environments that employ\n"
+ "# the WINS name service in addition to DNS, name service lookups\n"
+ "# that fail may take a noticeably long time to return (approx. 5 seconds).\n"
+ "# For this reason the default caching policy is to maintain these\n"
+ "# results for 10 seconds.\n"
+ "#\n"
+ "networkaddress.cache.negative.ttl=10\n\n"
+ "#\n"
+ "# Properties to configure OCSP for certificate revocation checking\n"
+ "#\n\n"
+ "# Enable OCSP\n"
+ "#\n"
+ "# By default, OCSP is not used for certificate revocation checking.\n"
+ "# This property enables the use of OCSP when set to the value \"true\".\n"
+ "#\n"
+ "# NOTE: SocketPermission is required to connect to an OCSP responder.\n"
+ "#\n"
+ "# Example,\n"
+ "# ocsp.enable=true\n\n"
+ "#\n"
+ "# Location of the OCSP responder\n"
+ "#\n"
+ "# By default, the location of the OCSP responder is determined implicitly\n"
+ "# from the certificate being validated. This property explicitly specifies\n"
+ "# the location of the OCSP responder. The property is used when the\n"
+ "# Authority Information Access extension (defined in RFC 5280) is absent\n"
+ "# from the certificate or when it requires overriding.\n"
+ "#\n"
+ "# Example,\n"
+ "# ocsp.responderURL=http://ocsp.example.net:80\n\n"
+ "#\n"
+ "# Subject name of the OCSP responder's certificate\n"
+ "#\n"
+ "# By default, the certificate of the OCSP responder is that of the issuer\n"
+ "# of the certificate being validated. This property identifies the certificate\n"
+ "# of the OCSP responder when the default does not apply. Its value is a string\n"
+ "# distinguished name (defined in RFC 2253) which identifies a certificate in\n"
+ "# the set of certificates supplied during cert path validation. In cases where\n"
+ "# the subject name alone is not sufficient to uniquely identify the certificate\n"
+ "# then both the \"ocsp.responderCertIssuerName\" and\n"
+ "# \"ocsp.responderCertSerialNumber\" properties must be used instead. When this\n"
+ "# property is set then those two properties are ignored.\n"
+ "#\n"
+ "# Example,\n"
+ "# ocsp.responderCertSubjectName=CN=OCSP Responder, O=XYZ Corp\n\n"
+ "#\n"
+ "# Issuer name of the OCSP responder's certificate\n"
+ "#\n"
+ "# By default, the certificate of the OCSP responder is that of the issuer\n"
+ "# of the certificate being validated. This property identifies the certificate\n"
+ "# of the OCSP responder when the default does not apply. Its value is a string\n"
+ "# distinguished name (defined in RFC 2253) which identifies a certificate in\n"
+ "# the set of certificates supplied during cert path validation. When this\n"
+ "# property is set then the \"ocsp.responderCertSerialNumber\" property must also\n"
+ "# be set. When the \"ocsp.responderCertSubjectName\" property is set then this\n"
+ "# property is ignored.\n"
+ "#\n"
+ "# Example,\n"
+ "# ocsp.responderCertIssuerName=CN=Enterprise CA, O=XYZ Corp\n\n"
+ "#\n"
+ "# Serial number of the OCSP responder's certificate\n"
+ "#\n"
+ "# By default, the certificate of the OCSP responder is that of the issuer\n"
+ "# of the certificate being validated. This property identifies the certificate\n"
+ "# of the OCSP responder when the default does not apply. Its value is a string\n"
+ "# of hexadecimal digits (colon or space separators may be present) which\n"
+ "# identifies a certificate in the set of certificates supplied during cert path\n"
+ "# validation. When this property is set then the \"ocsp.responderCertIssuerName\"\n"
+ "# property must also be set. When the \"ocsp.responderCertSubjectName\" property\n"
+ "# is set then this property is ignored.\n"
+ "#\n"
+ "# Example,\n"
+ "# ocsp.responderCertSerialNumber=2A:FF:00\n\n"
+ "#\n"
+ "# Policy for failed Kerberos KDC lookups:\n"
+ "#\n"
+ "# When a KDC is unavailable (network error, service failure, etc), it is\n"
+ "# put inside a secondary list and accessed less often for future requests. The\n"
+ "# value (case-insensitive) for this policy can be:\n"
+ "#\n"
+ "# tryLast\n"
+ "# KDCs in the secondary list are always tried after those not on the list.\n"
+ "#\n"
+ "# tryLess[:max_retries,timeout]\n"
+ "# KDCs in the secondary list are still tried by their order in the\n"
+ "# configuration, but with smaller max_retries and timeout values.\n"
+ "# max_retries and timeout are optional numerical parameters (default 1 and\n"
+ "# 5000, which means once and 5 seconds). Please note that if any of the\n"
+ "# values defined here are more than what is defined in krb5.conf, it will be\n"
+ "# ignored.\n"
+ "#\n"
+ "# Whenever a KDC is detected as available, it is removed from the secondary\n"
+ "# list. The secondary list is reset when krb5.conf is reloaded. You can add\n"
+ "# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is\n"
+ "# reloaded whenever a JAAS authentication is attempted.\n"
+ "#\n"
+ "# Example,\n"
+ "# krb5.kdc.bad.policy = tryLast\n"
+ "# krb5.kdc.bad.policy = tryLess:2,2000\n"
+ "#\n"
+ "krb5.kdc.bad.policy = tryLast\n\n"
+ "#\n"
+ "# Kerberos cross-realm referrals (RFC 6806)\n"
+ "#\n"
+ "# OpenJDK's Kerberos client supports cross-realm referrals as defined in\n"
+ "# RFC 6806. This allows to setup more dynamic environments in which clients\n"
+ "# do not need to know in advance how to reach the realm of a target principal\n"
+ "# (either a user or service).\n"
+ "#\n"
+ "# When a client issues an AS or a TGS request, the \"canonicalize\" option\n"
+ "# is set to announce support of this feature. A KDC server may fulfill the\n"
+ "# request or reply referring the client to a different one. If referred,\n"
+ "# the client will issue a new request and the cycle repeats.\n"
+ "#\n"
+ "# In addition to referrals, the \"canonicalize\" option allows the KDC server\n"
+ "# to change the client name in response to an AS request. For security reasons,\n"
+ "# RFC 6806 (section 11) FAST scheme is enforced.\n"
+ "#\n"
+ "# Disable Kerberos cross-realm referrals. Value may be overwritten with a\n"
+ "# System property (-Dsun.security.krb5.disableReferrals).\n"
+ "sun.security.krb5.disableReferrals=false\n\n"
+ "# Maximum number of AS or TGS referrals to avoid infinite loops. Value may\n"
+ "# be overwritten with a System property (-Dsun.security.krb5.maxReferrals).\n"
+ "sun.security.krb5.maxReferrals=5\n\n"
+ "#\n"
+ "# This property contains a list of disabled EC Named Curves that can be included\n"
+ "# in the jdk.[tls|certpath|jar].disabledAlgorithms properties. To include this\n"
+ "# list in any of the disabledAlgorithms properties, add the property name as\n"
+ "# an entry.\n"
+ "#jdk.disabled.namedCurves=\n\n"
+ "#\n"
+ "# Algorithm restrictions for certification path (CertPath) processing\n"
+ "#\n"
+ "# In some environments, certain algorithms or key lengths may be undesirable\n"
+ "# for certification path building and validation. For example, \"MD2\" is\n"
+ "# generally no longer considered to be a secure hash algorithm. This section\n"
+ "# describes the mechanism for disabling algorithms based on algorithm name\n"
+ "# and/or key length. This includes algorithms used in certificates, as well\n"
+ "# as revocation information such as CRLs and signed OCSP Responses.\n"
+ "# The syntax of the disabled algorithm string is described as follows:\n"
+ "# DisabledAlgorithms:\n"
+ "# \" DisabledAlgorithm { , DisabledAlgorithm } \"\n"
+ "#\n"
+ "# DisabledAlgorithm:\n"
+ "# AlgorithmName [Constraint] { '&' Constraint } | IncludeProperty\n"
+ "#\n"
+ "# AlgorithmName:\n"
+ "# (see below)\n"
+ "#\n"
+ "# Constraint:\n"
+ "# KeySizeConstraint | CAConstraint | DenyAfterConstraint |\n"
+ "# UsageConstraint\n"
+ "#\n"
+ "# KeySizeConstraint:\n"
+ "# keySize Operator KeyLength\n"
+ "#\n"
+ "# Operator:\n"
+ "# <= | < | == | != | >= | >\n"
+ "#\n"
+ "# KeyLength:\n"
+ "# Integer value of the algorithm's key length in bits\n"
+ "#\n"
+ "# CAConstraint:\n"
+ "# jdkCA\n"
+ "#\n"
+ "# DenyAfterConstraint:\n"
+ "# denyAfter YYYY-MM-DD\n"
+ "#\n"
+ "# UsageConstraint:\n"
+ "# usage [TLSServer] [TLSClient] [SignedJAR]\n"
+ "#\n"
+ "# IncludeProperty:\n"
+ "# include <security property>\n"
+ "#\n"
+ "# The \"AlgorithmName\" is the standard algorithm name of the disabled\n"
+ "# algorithm. See the Java Security Standard Algorithm Names Specification\n"
+ "# for information about Standard Algorithm Names. Matching is\n"
+ "# performed using a case-insensitive sub-element matching rule. (For\n"
+ "# example, in \"SHA1withECDSA\" the sub-elements are \"SHA1\" for hashing and\n"
+ "# \"ECDSA\" for signatures.) If the assertion \"AlgorithmName\" is a\n"
+ "# sub-element of the certificate algorithm name, the algorithm will be\n"
+ "# rejected during certification path building and validation. For example,\n"
+ "# the assertion algorithm name \"DSA\" will disable all certificate algorithms\n"
+ "# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion\n"
+ "# will not disable algorithms related to \"ECDSA\".\n"
+ "#\n"
+ "# The \"IncludeProperty\" allows a implementation-defined security property that\n"
+ "# can be included in the disabledAlgorithms properties. These properties are\n"
+ "# to help manage common actions easier across multiple disabledAlgorithm\n"
+ "# properties.\n"
+ "# There is one defined security property: jdk.disabled.namedCurves\n"
+ "# See the property for more specific details.\n"
+ "#\n"
+ "#\n"
+ "# A \"Constraint\" defines restrictions on the keys and/or certificates for\n"
+ "# a specified AlgorithmName:\n"
+ "#\n"
+ "# KeySizeConstraint:\n"
+ "# keySize Operator KeyLength\n"
+ "# The constraint requires a key of a valid size range if the\n"
+ "# \"AlgorithmName\" is of a key algorithm. The \"KeyLength\" indicates\n"
+ "# the key size specified in number of bits. For example,\n"
+ "# \"RSA keySize <= 1024\" indicates that any RSA key with key size less\n"
+ "# than or equal to 1024 bits should be disabled, and\n"
+ "# \"RSA keySize < 1024, RSA keySize > 2048\" indicates that any RSA key\n"
+ "# with key size less than 1024 or greater than 2048 should be disabled.\n"
+ "# This constraint is only used on algorithms that have a key size.\n"
+ "#\n"
+ "# CAConstraint:\n"
+ "# jdkCA\n"
+ "# This constraint prohibits the specified algorithm only if the\n"
+ "# algorithm is used in a certificate chain that terminates at a marked\n"
+ "# trust anchor in the lib/security/cacerts keystore. If the jdkCA\n"
+ "# constraint is not set, then all chains using the specified algorithm\n"
+ "# are restricted. jdkCA may only be used once in a DisabledAlgorithm\n"
+ "# expression.\n"
+ "# Example: To apply this constraint to SHA-1 certificates, include\n"
+ "# the following: \"SHA1 jdkCA\"\n"
+ "#\n"
+ "# DenyAfterConstraint:\n"
+ "# denyAfter YYYY-MM-DD\n"
+ "# This constraint prohibits a certificate with the specified algorithm\n"
+ "# from being used after the date regardless of the certificate's\n"
+ "# validity. JAR files that are signed and timestamped before the\n"
+ "# constraint date with certificates containing the disabled algorithm\n"
+ "# will not be restricted. The date is processed in the UTC timezone.\n"
+ "# This constraint can only be used once in a DisabledAlgorithm\n"
+ "# expression.\n"
+ "# Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,\n"
+ "# use the following: \"RSA keySize == 2048 & denyAfter 2020-02-03\"\n"
+ "#\n"
+ "# UsageConstraint:\n"
+ "# usage [TLSServer] [TLSClient] [SignedJAR]\n"
+ "# This constraint prohibits the specified algorithm for\n"
+ "# a specified usage. This should be used when disabling an algorithm\n"
+ "# for all usages is not practical. 'TLSServer' restricts the algorithm\n"
+ "# in TLS server certificate chains when server authentication is\n"
+ "# performed. 'TLSClient' restricts the algorithm in TLS client\n"
+ "# certificate chains when client authentication is performed.\n"
+ "# 'SignedJAR' constrains use of certificates in signed jar files.\n"
+ "# The usage type follows the keyword and more than one usage type can\n"
+ "# be specified with a whitespace delimiter.\n"
+ "# Example: \"SHA1 usage TLSServer TLSClient\"\n"
+ "#\n"
+ "# When an algorithm must satisfy more than one constraint, it must be\n"
+ "# delimited by an ampersand '&'. For example, to restrict certificates in a\n"
+ "# chain that terminate at a distribution provided trust anchor and contain\n"
+ "# RSA keys that are less than or equal to 1024 bits, add the following\n"
+ "# constraint: \"RSA keySize <= 1024 & jdkCA\".\n"
+ "#\n"
+ "# All DisabledAlgorithms expressions are processed in the order defined in the\n"
+ "# property. This requires lower keysize constraints to be specified\n"
+ "# before larger keysize constraints of the same algorithm. For example:\n"
+ "# \"RSA keySize < 1024 & jdkCA, RSA keySize < 2048\".\n"
+ "#\n"
+ "# Note: The algorithm restrictions do not apply to trust anchors or\n"
+ "# self-signed certificates.\n"
+ "#\n"
+ "# Note: This property is currently used by Oracle's PKIX implementation. It\n"
+ "# is not guaranteed to be examined and used by other implementations.\n"
+ "#\n"
+ "# Example:\n"
+ "# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048\n"
+ "#\n"
+ "#\n"
+ "jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\\n"
+ " RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \\\n"
+ " SHA1 usage SignedJAR & denyAfter 2019-01-01\n\n"
+ "#\n"
+ "# Legacy algorithms for certification path (CertPath) processing and\n"
+ "# signed JAR files.\n"
+ "#\n"
+ "# In some environments, a certain algorithm or key length may be undesirable\n"
+ "# but is not yet disabled.\n"
+ "#\n"
+ "# Tools such as keytool and jarsigner may emit warnings when these legacy\n"
+ "# algorithms are used. See the man pages for those tools for more information.\n"
+ "#\n"
+ "# The syntax is the same as the \"jdk.certpath.disabledAlgorithms\" and\n"
+ "# \"jdk.jar.disabledAlgorithms\" security properties.\n"
+ "#\n"
+ "# Note: This property is currently used by the JDK Reference\n"
+ "# implementation. It is not guaranteed to be examined and used by other\n"
+ "# implementations.\n\n"
+ "jdk.security.legacyAlgorithms=SHA1, \\\n"
+ " RSA keySize < 2048, DSA keySize < 2048\n\n"
+ "#\n"
+ "# Algorithm restrictions for signed JAR files\n"
+ "#\n"
+ "# In some environments, certain algorithms or key lengths may be undesirable\n"
+ "# for signed JAR validation. For example, \"MD2\" is generally no longer\n"
+ "# considered to be a secure hash algorithm. This section describes the\n"
+ "# mechanism for disabling algorithms based on algorithm name and/or key length.\n"
+ "# JARs signed with any of the disabled algorithms or key sizes will be treated\n"
+ "# as unsigned.\n"
+ "#\n"
+ "# The syntax of the disabled algorithm string is described as follows:\n"
+ "# DisabledAlgorithms:\n"
+ "# \" DisabledAlgorithm { , DisabledAlgorithm } \"\n"
+ "#\n"
+ "# DisabledAlgorithm:\n"
+ "# AlgorithmName [Constraint] { '&' Constraint }\n"
+ "#\n"
+ "# AlgorithmName:\n"
+ "# (see below)\n"
+ "#\n"
+ "# Constraint:\n"
+ "# KeySizeConstraint | DenyAfterConstraint\n"
+ "#\n"
+ "# KeySizeConstraint:\n"
+ "# keySize Operator KeyLength\n"
+ "#\n"
+ "# DenyAfterConstraint:\n"
+ "# denyAfter YYYY-MM-DD\n"
+ "#\n"
+ "# Operator:\n"
+ "# <= | < | == | != | >= | >\n"
+ "#\n"
+ "# KeyLength:\n"
+ "# Integer value of the algorithm's key length in bits\n"
+ "#\n"
+ "# Note: This property is currently used by the JDK Reference\n"
+ "# implementation. It is not guaranteed to be examined and used by other\n"
+ "# implementations.\n"
+ "#\n"
+ "# See \"jdk.certpath.disabledAlgorithms\" for syntax descriptions.\n"
+ "#\n"
+ "jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\\n"
+ " DSA keySize < 1024, SHA1 denyAfter 2019-01-01\n\n"
+ "#\n"
+ "# Algorithm restrictions for Secure Socket Layer/Transport Layer Security\n"
+ "# (SSL/TLS/DTLS) processing\n"
+ "#\n"
+ "# In some environments, certain algorithms or key lengths may be undesirable\n"
+ "# when using SSL/TLS/DTLS. This section describes the mechanism for disabling\n"
+ "# algorithms during SSL/TLS/DTLS security parameters negotiation, including\n"
+ "# protocol version negotiation, cipher suites selection, named groups\n"
+ "# selection, signature schemes selection, peer authentication and key\n"
+ "# exchange mechanisms.\n"
+ "#\n"
+ "# Disabled algorithms will not be negotiated for SSL/TLS connections, even\n"
+ "# if they are enabled explicitly in an application.\n"
+ "#\n"
+ "# For PKI-based peer authentication and key exchange mechanisms, this list\n"
+ "# of disabled algorithms will also be checked during certification path\n"
+ "# building and validation, including algorithms used in certificates, as\n"
+ "# well as revocation information such as CRLs and signed OCSP Responses.\n"
+ "# This is in addition to the jdk.certpath.disabledAlgorithms property above.\n"
+ "#\n"
+ "# See the specification of \"jdk.certpath.disabledAlgorithms\" for the\n"
+ "# syntax of the disabled algorithm string.\n"
+ "#\n"
+ "# Note: The algorithm restrictions do not apply to trust anchors or\n"
+ "# self-signed certificates.\n"
+ "#\n"
+ "# Note: This property is currently used by the JDK Reference implementation.\n"
+ "# It is not guaranteed to be examined and used by other implementations.\n"
+ "#\n"
+ "# Example:\n"
+ "# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \\\n"
+ "# rsa_pkcs1_sha1, secp224r1\n"
+ "jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\\n"
+ " DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL\n\n"
+ "#\n"
+ "# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)\n"
+ "# processing in JSSE implementation.\n"
+ "#\n"
+ "# In some environments, a certain algorithm may be undesirable but it\n"
+ "# cannot be disabled because of its use in legacy applications. Legacy\n"
+ "# algorithms may still be supported, but applications should not use them\n"
+ "# as the security strength of legacy algorithms are usually not strong enough\n"
+ "# in practice.\n"
+ "#\n"
+ "# During SSL/TLS security parameters negotiation, legacy algorithms will\n"
+ "# not be negotiated unless there are no other candidates.\n"
+ "#\n"
+ "# The syntax of the legacy algorithms string is described as this Java\n"
+ "# BNF-style:\n"
+ "# LegacyAlgorithms:\n"
+ "# \" LegacyAlgorithm { , LegacyAlgorithm } \"\n"
+ "#\n"
+ "# LegacyAlgorithm:\n"
+ "# AlgorithmName (standard JSSE algorithm name)\n"
+ "#\n"
+ "# See the specification of security property \"jdk.certpath.disabledAlgorithms\"\n"
+ "# for the syntax and description of the \"AlgorithmName\" notation.\n"
+ "#\n"
+ "# Per SSL/TLS specifications, cipher suites have the form:\n"
+ "# SSL_KeyExchangeAlg_WITH_CipherAlg_MacAlg\n"
+ "# or\n"
+ "# TLS_KeyExchangeAlg_WITH_CipherAlg_MacAlg\n"
+ "#\n"
+ "# For example, the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses RSA as the\n"
+ "# key exchange algorithm, AES_128_CBC (128 bits AES cipher algorithm in CBC\n"
+ "# mode) as the cipher (encryption) algorithm, and SHA-1 as the message digest\n"
+ "# algorithm for HMAC.\n"
+ "#\n"
+ "# The LegacyAlgorithm can be one of the following standard algorithm names:\n"
+ "# 1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA\n"
+ "# 2. JSSE key exchange algorithm name, e.g., RSA\n"
+ "# 3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC\n"
+ "# 4. JSSE message digest algorithm name, e.g., SHA\n"
+ "#\n"
+ "# See SSL/TLS specifications and the Java Security Standard Algorithm Names\n"
+ "# Specification for information about the algorithm names.\n"
+ "#\n"
+ "# Note: If a legacy algorithm is also restricted through the\n"
+ "# jdk.tls.disabledAlgorithms property or the\n"
+ "# java.security.AlgorithmConstraints API (See\n"
+ "# javax.net.ssl.SSLParameters.setAlgorithmConstraints()),\n"
+ "# then the algorithm is completely disabled and will not be negotiated.\n"
+ "#\n"
+ "# Note: This property is currently used by the JDK Reference implementation.\n"
+ "# It is not guaranteed to be examined and used by other implementations.\n"
+ "# There is no guarantee the property will continue to exist or be of the\n"
+ "# same syntax in future releases.\n"
+ "#\n"
+ "# Example:\n"
+ "# jdk.tls.legacyAlgorithms=DH_anon, DES_CBC, SSL_RSA_WITH_RC4_128_MD5\n"
+ "#\n"
+ "jdk.tls.legacyAlgorithms=NULL, anon, RC4, DES, 3DES_EDE_CBC\n\n"
+ "#\n"
+ "# The pre-defined default finite field Diffie-Hellman ephemeral (DHE)\n"
+ "# parameters for Transport Layer Security (SSL/TLS/DTLS) processing.\n"
+ "#\n"
+ "# In traditional SSL/TLS/DTLS connections where finite field DHE parameters\n"
+ "# negotiation mechanism is not used, the server offers the client group\n"
+ "# parameters, base generator g and prime modulus p, for DHE key exchange.\n"
+ "# It is recommended to use dynamic group parameters. This property defines\n"
+ "# a mechanism that allows you to specify custom group parameters.\n"
+ "#\n"
+ "# The syntax of this property string is described as this Java BNF-style:\n"
+ "# DefaultDHEParameters:\n"
+ "# DefinedDHEParameters { , DefinedDHEParameters }\n"
+ "#\n"
+ "# DefinedDHEParameters:\n"
+ "# \"{\" DHEPrimeModulus , DHEBaseGenerator \"}\"\n"
+ "#\n"
+ "# DHEPrimeModulus:\n"
+ "# HexadecimalDigits\n"
+ "#\n"
+ "# DHEBaseGenerator:\n"
+ "# HexadecimalDigits\n"
+ "#\n"
+ "# HexadecimalDigits:\n"
+ "# HexadecimalDigit { HexadecimalDigit }\n"
+ "#\n"
+ "# HexadecimalDigit: one of\n"
+ "# 0 1 2 3 4 5 6 7 8 9 A B C D E F a b c d e f\n"
+ "#\n"
+ "# Whitespace characters are ignored.\n"
+ "#\n"
+ "# The \"DefinedDHEParameters\" defines the custom group parameters, prime\n"
+ "# modulus p and base generator g, for a particular size of prime modulus p.\n"
+ "# The \"DHEPrimeModulus\" defines the hexadecimal prime modulus p, and the\n"
+ "# \"DHEBaseGenerator\" defines the hexadecimal base generator g of a group\n"
+ "# parameter. It is recommended to use safe primes for the custom group\n"
+ "# parameters.\n"
+ "#\n"
+ "# If this property is not defined or the value is empty, the underlying JSSE\n"
+ "# provider's default group parameter is used for each connection.\n"
+ "#\n"
+ "# If the property value does not follow the grammar, or a particular group\n"
+ "# parameter is not valid, the connection will fall back and use the\n"
+ "# underlying JSSE provider's default group parameter.\n"
+ "#\n"
+ "# Note: This property is currently used by OpenJDK's JSSE implementation. It\n"
+ "# is not guaranteed to be examined and used by other implementations.\n"
+ "#\n"
+ "# Example:\n"
+ "# jdk.tls.server.defaultDHEParameters=\n"
+ "# { \\\n"
+ "# FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \\\n"
+ "# 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \\\n"
+ "# EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \\\n"
+ "# E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \\\n"
+ "# EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \\\n"
+ "# FFFFFFFF FFFFFFFF, 2}\n\n"
+ "#\n"
+ "# TLS key limits on symmetric cryptographic algorithms\n"
+ "#\n"
+ "# This security property sets limits on algorithms key usage in TLS 1.3.\n"
+ "# When the amount of data encrypted exceeds the algorithm value listed below,\n"
+ "# a KeyUpdate message will trigger a key change. This is for symmetric ciphers\n"
+ "# with TLS 1.3 only.\n"
+ "#\n"
+ "# The syntax for the property is described below:\n"
+ "# KeyLimits:\n"
+ "# \" KeyLimit { , KeyLimit } \"\n"
+ "#\n"
+ "# WeakKeyLimit:\n"
+ "# AlgorithmName Action Length\n"
+ "#\n"
+ "# AlgorithmName:\n"
+ "# A full algorithm transformation.\n"
+ "#\n"
+ "# Action:\n"
+ "# KeyUpdate\n"
+ "#\n"
+ "# Length:\n"
+ "# The amount of encrypted data in a session before the Action occurs\n"
+ "# This value may be an integer value in bytes, or as a power of two, 2^29.\n"
+ "#\n"
+ "# KeyUpdate:\n"
+ "# The TLS 1.3 KeyUpdate handshake process begins when the Length amount\n"
+ "# is fulfilled.\n"
+ "#\n"
+ "# Note: This property is currently used by OpenJDK's JSSE implementation. It\n"
+ "# is not guaranteed to be examined and used by other implementations.\n"
+ "#\n"
+ "jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37, \\\n"
+ " ChaCha20-Poly1305 KeyUpdate 2^37\n\n"
+ "#\n"
+ "# Cryptographic Jurisdiction Policy defaults\n"
+ "#\n"
+ "# Import and export control rules on cryptographic software vary from\n"
+ "# country to country. By default, Java provides two different sets of\n"
+ "# cryptographic policy files[1]:\n"
+ "#\n"
+ "# unlimited: These policy files contain no restrictions on cryptographic\n"
+ "# strengths or algorithms\n"
+ "#\n"
+ "# limited: These policy files contain more restricted cryptographic\n"
+ "# strengths\n"
+ "#\n"
+ "# The default setting is determined by the value of the \"crypto.policy\"\n"
+ "# Security property below. If your country or usage requires the\n"
+ "# traditional restrictive policy, the \"limited\" Java cryptographic\n"
+ "# policy is still available and may be appropriate for your environment.\n"
+ "#\n"
+ "# If you have restrictions that do not fit either use case mentioned\n"
+ "# above, Java provides the capability to customize these policy files.\n"
+ "# The \"crypto.policy\" security property points to a subdirectory\n"
+ "# within <java-home>/conf/security/policy/ which can be customized.\n"
+ "# Please see the <java-home>/conf/security/policy/README.txt file or consult\n"
+ "# the Java Security Guide/JCA documentation for more information.\n"
+ "#\n"
+ "# YOU ARE ADVISED TO CONSULT YOUR EXPORT/IMPORT CONTROL COUNSEL OR ATTORNEY\n"
+ "# TO DETERMINE THE EXACT REQUIREMENTS.\n"
+ "#\n"
+ "# [1] Please note that the JCE for Java SE, including the JCE framework,\n"
+ "# cryptographic policy files, and standard JCE providers provided with\n"
+ "# the Java SE, have been reviewed and approved for export as mass market\n"
+ "# encryption item by the US Bureau of Industry and Security.\n"
+ "#\n"
+ "# Note: This property is currently used by the JDK Reference implementation.\n"
+ "# It is not guaranteed to be examined and used by other implementations.\n"
+ "#\n"
+ "crypto.policy=unlimited\n\n"
+ "#\n"
+ "# The policy for the XML Signature secure validation mode. Validation of\n"
+ "# XML Signatures that violate any of these constraints will fail. The\n"
+ "# mode is enforced by default. The mode can be disabled by setting the\n"
+ "# property \"org.jcp.xml.dsig.secureValidation\" to Boolean.FALSE with the\n"
+ "# javax.xml.crypto.XMLCryptoContext.setProperty() method.\n"
+ "#\n"
+ "# Policy:\n"
+ "# Constraint {\",\" Constraint }\n"
+ "# Constraint:\n"
+ "# AlgConstraint | MaxTransformsConstraint | MaxReferencesConstraint |\n"
+ "# ReferenceUriSchemeConstraint | KeySizeConstraint | OtherConstraint\n"
+ "# AlgConstraint\n"
+ "# \"disallowAlg\" Uri\n"
+ "# MaxTransformsConstraint:\n"
+ "# \"maxTransforms\" Integer\n"
+ "# MaxReferencesConstraint:\n"
+ "# \"maxReferences\" Integer\n"
+ "# ReferenceUriSchemeConstraint:\n"
+ "# \"disallowReferenceUriSchemes\" String { String }\n"
+ "# KeySizeConstraint:\n"
+ "# \"minKeySize\" KeyAlg Integer\n"
+ "# OtherConstraint:\n"
+ "# \"noDuplicateIds\" | \"noRetrievalMethodLoops\"\n"
+ "#\n"
+ "# For AlgConstraint, Uri is the algorithm URI String that is not allowed.\n"
+ "# See the XML Signature Recommendation for more information on algorithm\n"
+ "# URI Identifiers. For KeySizeConstraint, KeyAlg is the standard algorithm\n"
+ "# name of the key type (ex: \"RSA\"). If the MaxTransformsConstraint,\n"
+ "# MaxReferencesConstraint or KeySizeConstraint (for the same key type) is\n"
+ "# specified more than once, only the last entry is enforced.\n"
+ "#\n"
+ "# Note: This property is currently used by the JDK Reference implementation.\n"
+ "# It is not guaranteed to be examined and used by other implementations.\n"
+ "#\n"
+ "jdk.xml.dsig.secureValidationPolicy=\\\n"
+ " disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\\\n"
+ " disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\\\n"
+ " disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\\\n"
+ " disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\\\n"
+ " disallowAlg http://www.w3.org/2000/09/xmldsig#sha1,\\\n"
+ " disallowAlg http://www.w3.org/2000/09/xmldsig#dsa-sha1,\\\n"
+ " disallowAlg http://www.w3.org/2000/09/xmldsig#rsa-sha1,\\\n"
+ " disallowAlg http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1,\\\n"
+ " disallowAlg http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1,\\\n"
+ " maxTransforms 5,\\\n"
+ " maxReferences 30,\\\n"
+ " disallowReferenceUriSchemes file http https,\\\n"
+ " minKeySize RSA 1024,\\\n"
+ " minKeySize DSA 1024,\\\n"
+ " minKeySize EC 224,\\\n"
+ " noDuplicateIds,\\\n"
+ " noRetrievalMethodLoops\n\n\n"
+ "#\n"
+ "# Deserialization JVM-wide filter factory\n"
+ "#\n"
+ "# A filter factory class name is used to configure the JVM-wide filter factory.\n"
+ "# The class must be public, must have a public zero-argument constructor, implement the\n"
+ "# java.util.function.BinaryOperator<java.io.ObjectInputFilter> interface, provide its\n"
+ "# implementation and be accessible via the application class loader.\n"
+ "# A builtin filter factory is used if no filter factory is defined.\n"
+ "# See java.io.ObjectInputFilter.Config for more information.\n"
+ "#\n"
+ "# If the system property jdk.serialFilterFactory is also specified, it supersedes\n"
+ "# the security property value defined here.\n"
+ "#\n"
+ "#jdk.serialFilterFactory=<classname>\n\n"
+ "#\n"
+ "# Deserialization JVM-wide filter\n"
+ "#\n"
+ "# A filter, if configured, is used by the filter factory to provide the filter used by\n"
+ "# java.io.ObjectInputStream during deserialization to check the contents of the stream.\n"
+ "# A filter is configured as a sequence of patterns, each pattern is either\n"
+ "# matched against the name of a class in the stream or defines a limit.\n"
+ "# Patterns are separated by \";\" (semicolon).\n"
+ "# Whitespace is significant and is considered part of the pattern.\n"
+ "#\n"
+ "# If the system property jdk.serialFilter is also specified, it supersedes\n"
+ "# the security property value defined here.\n"
+ "#\n"
+ "# If a pattern includes a \"=\", it sets a limit.\n"
+ "# If a limit appears more than once the last value is used.\n"
+ "# Limits are checked before classes regardless of the order in the\n"
+ "# sequence of patterns.\n"
+ "# If any of the limits are exceeded, the filter status is REJECTED.\n"
+ "#\n"
+ "# maxdepth=value - the maximum depth of a graph\n"
+ "# maxrefs=value - the maximum number of internal references\n"
+ "# maxbytes=value - the maximum number of bytes in the input stream\n"
+ "# maxarray=value - the maximum array length allowed\n"
+ "#\n"
+ "# Other patterns, from left to right, match the class or package name as\n"
+ "# returned from Class.getName.\n"
+ "# If the class is an array type, the class or package to be matched is the\n"
+ "# element type.\n"
+ "# Arrays of any number of dimensions are treated the same as the element type.\n"
+ "# For example, a pattern of \"!example.Foo\", rejects creation of any instance or\n"
+ "# array of example.Foo.\n"
+ "#\n"
+ "# If the pattern starts with \"!\", the status is REJECTED if the remaining\n"
+ "# pattern is matched; otherwise the status is ALLOWED if the pattern matches.\n"
+ "# If the pattern contains \"/\", the non-empty prefix up to the \"/\" is the\n"
+ "# module name;\n"
+ "# if the module name matches the module name of the class then\n"
+ "# the remaining pattern is matched with the class name.\n"
+ "# If there is no \"/\", the module name is not compared.\n"
+ "# If the pattern ends with \".**\" it matches any class in the package and all\n"
+ "# subpackages.\n"
+ "# If the pattern ends with \".*\" it matches any class in the package.\n"
+ "# If the pattern ends with \"*\", it matches any class with the pattern as a\n"
+ "# prefix.\n"
+ "# If the pattern is equal to the class name, it matches.\n"
+ "# Otherwise, the status is UNDECIDED.\n"
+ "#\n"
+ "#jdk.serialFilter=pattern;pattern\n\n"
+ "#\n"
+ "# RMI Registry Serial Filter\n"
+ "#\n"
+ "# The filter pattern uses the same format as jdk.serialFilter.\n"
+ "# This filter can override the builtin filter if additional types need to be\n"
+ "# allowed or rejected from the RMI Registry or to decrease limits but not\n"
+ "# to increase limits.\n"
+ "# If the limits (maxdepth, maxrefs, or maxbytes) are exceeded, the object is rejected.\n"
+ "#\n"
+ "# Each non-array type is allowed or rejected if it matches one of the patterns,\n"
+ "# evaluated from left to right, and is otherwise allowed. Arrays of any\n"
+ "# component type, including subarrays and arrays of primitives, are allowed.\n"
+ "#\n"
+ "# Array construction of any component type, including subarrays and arrays of\n"
+ "# primitives, are allowed unless the length is greater than the maxarray limit.\n"
+ "# The filter is applied to each array element.\n"
+ "#\n"
+ "# Note: This property is currently used by the JDK Reference implementation.\n"
+ "# It is not guaranteed to be examined and used by other implementations.\n"
+ "#\n"
+ "# The built-in filter allows subclasses of allowed classes and\n"
+ "# can approximately be represented as the pattern:\n"
+ "#\n"
+ "#sun.rmi.registry.registryFilter=\\\n"
+ "# maxarray=1000000;\\\n"
+ "# maxdepth=20;\\\n"
+ "# java.lang.String;\\\n"
+ "# java.lang.Number;\\\n"
+ "# java.lang.reflect.Proxy;\\\n"
+ "# java.rmi.Remote;\\\n"
+ "# sun.rmi.server.UnicastRef;\\\n"
+ "# sun.rmi.server.RMIClientSocketFactory;\\\n"
+ "# sun.rmi.server.RMIServerSocketFactory;\\\n"
+ "# java.rmi.server.UID\n"
+ "#\n"
+ "# RMI Distributed Garbage Collector (DGC) Serial Filter\n"
+ "#\n"
+ "# The filter pattern uses the same format as jdk.serialFilter.\n"
+ "# This filter can override the builtin filter if additional types need to be\n"
+ "# allowed or rejected from the RMI DGC.\n"
+ "#\n"
+ "# Note: This property is currently used by the JDK Reference implementation.\n"
+ "# It is not guaranteed to be examined and used by other implementations.\n"
+ "#\n"
+ "# The builtin DGC filter can approximately be represented as the filter pattern:\n"
+ "#\n"
+ "#sun.rmi.transport.dgcFilter=\\\n"
+ "# java.rmi.server.ObjID;\\\n"
+ "# java.rmi.server.UID;\\\n"
+ "# java.rmi.dgc.VMID;\\\n"
+ "# java.rmi.dgc.Lease;\\\n"
+ "# maxdepth=5;maxarray=10000\n\n"
+ "#\n"
+ "# JCEKS Encrypted Key Serial Filter\n"
+ "#\n"
+ "# This filter, if configured, is used by the JCEKS KeyStore during the\n"
+ "# deserialization of the encrypted Key object stored inside a key entry.\n"
+ "# If not configured or the filter result is UNDECIDED (i.e. none of the patterns\n"
+ "# matches), the filter configured by jdk.serialFilter will be consulted.\n"
+ "#\n"
+ "# If the system property jceks.key.serialFilter is also specified, it supersedes\n"
+ "# the security property value defined here.\n"
+ "#\n"
+ "# The filter pattern uses the same format as jdk.serialFilter. The default\n"
+ "# pattern allows java.lang.Enum, java.security.KeyRep, java.security.KeyRep$Type,\n"
+ "# and javax.crypto.spec.SecretKeySpec and rejects all the others.\n"
+ "jceks.key.serialFilter = java.base/java.lang.Enum;java.base/java.security.KeyRep;\\\n"
+ " java.base/java.security.KeyRep$Type;java.base/javax.crypto.spec.SecretKeySpec;!*\n\n"
+ "# The iteration count used for password-based encryption (PBE) in JCEKS\n"
+ "# keystores. Values in the range 10000 to 5000000 are considered valid.\n"
+ "# If the value is out of this range, or is not a number, or is unspecified;\n"
+ "# a default of 200000 is used.\n"
+ "#\n"
+ "# If the system property jdk.jceks.iterationCount is also specified, it\n"
+ "# supersedes the security property value defined here.\n"
+ "#\n"
+ "#jdk.jceks.iterationCount = 200000\n\n"
+ "#\n"
+ "# PKCS12 KeyStore properties\n"
+ "#\n"
+ "# The following properties, if configured, are used by the PKCS12 KeyStore\n"
+ "# implementation during the creation of a new keystore. Several of the\n"
+ "# properties may also be used when modifying an existing keystore. The\n"
+ "# properties can be overridden by a KeyStore API that specifies its own\n"
+ "# algorithms and parameters.\n"
+ "#\n"
+ "# If an existing PKCS12 keystore is loaded and then stored, the algorithm and\n"
+ "# parameter used to generate the existing Mac will be reused. If the existing\n"
+ "# keystore does not have a Mac, no Mac will be created while storing. If there\n"
+ "# is at least one certificate in the existing keystore, the algorithm and\n"
+ "# parameters used to encrypt the last certificate in the existing keystore will\n"
+ "# be reused to encrypt all certificates while storing. If the last certificate\n"
+ "# in the existing keystore is not encrypted, all certificates will be stored\n"
+ "# unencrypted. If there is no certificate in the existing keystore, any newly\n"
+ "# added certificate will be encrypted (or stored unencrypted if algorithm\n"
+ "# value is \"NONE\") using the \"keystore.pkcs12.certProtectionAlgorithm\" and\n"
+ "# \"keystore.pkcs12.certPbeIterationCount\" values defined here. Existing private\n"
+ "# and secret key(s) are not changed. Newly set private and secret key(s) will\n"
+ "# be encrypted using the \"keystore.pkcs12.keyProtectionAlgorithm\" and\n"
+ "# \"keystore.pkcs12.keyPbeIterationCount\" values defined here.\n"
+ "#\n"
+ "# In order to apply new algorithms and parameters to all entries in an\n"
+ "# existing keystore, one can create a new keystore and add entries in the\n"
+ "# existing keystore into the new keystore. This can be achieved by calling the\n"
+ "# \"keytool -importkeystore\" command.\n"
+ "#\n"
+ "# If a system property of the same name is also specified, it supersedes the\n"
+ "# security property value defined here.\n"
+ "#\n"
+ "# If the property is set to an illegal value,\n"
+ "# an iteration count that is not a positive integer, or an unknown algorithm\n"
+ "# name, an exception will be thrown when the property is used.\n"
+ "# If the property is not set or empty, a default value will be used.\n"
+ "#\n"
+ "# Note: These properties are currently used by the JDK Reference implementation.\n"
+ "# They are not guaranteed to be examined and used by other implementations.\n\n"
+ "# The algorithm used to encrypt a certificate. This can be any non-Hmac PBE\n"
+ "# algorithm defined in the Cipher section of the Java Security Standard\n"
+ "# Algorithm Names Specification. When set to \"NONE\", the certificate\n"
+ "# is not encrypted. The default value is \"PBEWithHmacSHA256AndAES_256\".\n"
+ "#keystore.pkcs12.certProtectionAlgorithm = PBEWithHmacSHA256AndAES_256\n\n"
+ "# The iteration count used by the PBE algorithm when encrypting a certificate.\n"
+ "# This value must be a positive integer. The default value is 10000.\n"
+ "#keystore.pkcs12.certPbeIterationCount = 10000\n\n"
+ "# The algorithm used to encrypt a private key or secret key. This can be\n"
+ "# any non-Hmac PBE algorithm defined in the Cipher section of the Java\n"
+ "# Security Standard Algorithm Names Specification. The value must not be \"NONE\".\n"
+ "# The default value is \"PBEWithHmacSHA256AndAES_256\".\n"
+ "#keystore.pkcs12.keyProtectionAlgorithm = PBEWithHmacSHA256AndAES_256\n\n"
+ "# The iteration count used by the PBE algorithm when encrypting a private key\n"
+ "# or a secret key. This value must be a positive integer. The default value\n"
+ "# is 10000.\n"
+ "#keystore.pkcs12.keyPbeIterationCount = 10000\n\n"
+ "# The algorithm used to calculate the optional MacData at the end of a PKCS12\n"
+ "# file. This can be any HmacPBE algorithm defined in the Mac section of the\n"
+ "# Java Security Standard Algorithm Names Specification. When set to \"NONE\",\n"
+ "# no Mac is generated. The default value is \"HmacPBESHA256\".\n"
+ "#keystore.pkcs12.macAlgorithm = HmacPBESHA256\n\n"
+ "# The iteration count used by the MacData algorithm. This value must be a\n"
+ "# positive integer. The default value is 10000.\n"
+ "#keystore.pkcs12.macIterationCount = 10000\n\n"
+ "#\n"
+ "# Enhanced exception message information\n"
+ "#\n"
+ "# By default, exception messages should not include potentially sensitive\n"
+ "# information such as file names, host names, or port numbers. This property\n"
+ "# accepts one or more comma separated values, each of which represents a\n"
+ "# category of enhanced exception message information to enable. Values are\n"
+ "# case-insensitive. Leading and trailing whitespaces, surrounding each value,\n"
+ "# are ignored. Unknown values are ignored.\n"
+ "#\n"
+ "# NOTE: Use caution before setting this property. Setting this property\n"
+ "# exposes sensitive information in Exceptions, which could, for example,\n"
+ "# propagate to untrusted code or be emitted in stack traces that are\n"
+ "# inadvertently disclosed and made accessible over a public network.\n"
+ "#\n"
+ "# The categories are:\n"
+ "#\n"
+ "# hostInfo - IOExceptions thrown by java.net.Socket and the socket types in the\n"
+ "# java.nio.channels package will contain enhanced exception\n"
+ "# message information\n"
+ "#\n"
+ "# jar - enables more detailed information in the IOExceptions thrown\n"
+ "# by classes in the java.util.jar package\n"
+ "#\n"
+ "# The property setting in this file can be overridden by a system property of\n"
+ "# the same name, with the same syntax and possible values.\n"
+ "#\n"
+ "#jdk.includeInExceptions=hostInfo,jar\n\n"
+ "#\n"
+ "# Disabled mechanisms for the Simple Authentication and Security Layer (SASL)\n"
+ "#\n"
+ "# Disabled mechanisms will not be negotiated by both SASL clients and servers.\n"
+ "# These mechanisms will be ignored if they are specified in the \"mechanisms\"\n"
+ "# argument of \"Sasl.createSaslClient\" or the \"mechanism\" argument of\n"
+ "# \"Sasl.createSaslServer\".\n"
+ "#\n"
+ "# The value of this property is a comma-separated list of SASL mechanisms.\n"
+ "# The mechanisms are case-sensitive. Whitespaces around the commas are ignored.\n"
+ "#\n"
+ "# Note: This property is currently used by the JDK Reference implementation.\n"
+ "# It is not guaranteed to be examined and used by other implementations.\n"
+ "#\n"
+ "# Example:\n"
+ "# jdk.sasl.disabledMechanisms=PLAIN, CRAM-MD5, DIGEST-MD5\n"
+ "jdk.sasl.disabledMechanisms=\n\n"
+ "#\n"
+ "# Policies for distrusting Certificate Authorities (CAs).\n"
+ "#\n"
+ "# This is a comma separated value of one or more case-sensitive strings, each\n"
+ "# of which represents a policy for determining if a CA should be distrusted.\n"
+ "# The supported values are:\n"
+ "#\n"
+ "# SYMANTEC_TLS : Distrust TLS Server certificates anchored by a Symantec\n"
+ "# root CA and issued after April 16, 2019 unless issued by one of the\n"
+ "# following subordinate CAs which have a later distrust date:\n"
+ "# 1. Apple IST CA 2 - G1, SHA-256 fingerprint:\n"
+ "# AC2B922ECFD5E01711772FEA8ED372DE9D1E2245FCE3F57A9CDBEC77296A424B\n"
+ "# Distrust after December 31, 2019.\n"
+ "# 2. Apple IST CA 8 - G1, SHA-256 fingerprint:\n"
+ "# A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED\n"
+ "# Distrust after December 31, 2019.\n"
+ "#\n"
+ "# Leading and trailing whitespace surrounding each value are ignored.\n"
+ "# Unknown values are ignored. If the property is commented out or set to the\n"
+ "# empty String, no policies are enforced.\n"
+ "#\n"
+ "# Note: This property is currently used by the JDK Reference implementation.\n"
+ "# It is not guaranteed to be supported by other SE implementations. Also, this\n"
+ "# property does not override other security properties which can restrict\n"
+ "# certificates such as jdk.tls.disabledAlgorithms or\n"
+ "# jdk.certpath.disabledAlgorithms; those restrictions are still enforced even\n"
+ "# if this property is not enabled.\n"
+ "#\n"
+ "jdk.security.caDistrustPolicies=SYMANTEC_TLS\n\n"
+ "#\n"
+ "# FilePermission path canonicalization\n"
+ "#\n"
+ "# This security property dictates how the path argument is processed and stored\n"
+ "# while constructing a FilePermission object. If the value is set to true, the\n"
+ "# path argument is canonicalized and FilePermission methods (such as implies,\n"
+ "# equals, and hashCode) are implemented based on this canonicalized result.\n"
+ "# Otherwise, the path argument is not canonicalized and FilePermission methods are\n"
+ "# implemented based on the original input. See the implementation note of the\n"
+ "# FilePermission class for more details.\n"
+ "#\n"
+ "# If a system property of the same name is also specified, it supersedes the\n"
+ "# security property value defined here.\n"
+ "#\n"
+ "# The default value for this property is false.\n"
+ "#\n"
+ "jdk.io.permissionsUseCanonicalPath=false\n\n\n"
+ "#\n"
+ "# Policies for the proxy_impersonator Kerberos ccache configuration entry\n"
+ "#\n"
+ "# The proxy_impersonator ccache configuration entry indicates that the ccache\n"
+ "# is a synthetic delegated credential for use with S4U2Proxy by an intermediate\n"
+ "# server. The ccache file should also contain the TGT of this server and\n"
+ "# an evidence ticket from the default principal of the ccache to this server.\n"
+ "#\n"
+ "# This security property determines how Java uses this configuration entry.\n"
+ "# There are 3 possible values:\n"
+ "#\n"
+ "# no-impersonate - Ignore this configuration entry, and always act as\n"
+ "# the owner of the TGT (if it exists).\n"
+ "#\n"
+ "# try-impersonate - Try impersonation when this configuration entry exists.\n"
+ "# If no matching TGT or evidence ticket is found,\n"
+ "# fallback to no-impersonate.\n"
+ "#\n"
+ "# always-impersonate - Always impersonate when this configuration entry exists.\n"
+ "# If no matching TGT or evidence ticket is found,\n"
+ "# no initial credential is read from the ccache.\n"
+ "#\n"
+ "# The default value is \"always-impersonate\".\n"
+ "#\n"
+ "# If a system property of the same name is also specified, it supersedes the\n"
+ "# security property value defined here.\n"
+ "#\n"
+ "#jdk.security.krb5.default.initiate.credential=always-impersonate\n\n"
+ "#\n"
+ "# Trust Anchor Certificates - CA Basic Constraint check\n"
+ "#\n"
+ "# X.509 v3 certificates used as Trust Anchors (to validate signed code or TLS\n"
+ "# connections) must have the cA Basic Constraint field set to 'true'. Also, if\n"
+ "# they include a Key Usage extension, the keyCertSign bit must be set. These\n"
+ "# checks, enabled by default, can be disabled for backward-compatibility\n"
+ "# purposes with the jdk.security.allowNonCaAnchor System and Security\n"
+ "# properties. In the case that both properties are simultaneously set, the\n"
+ "# System value prevails. The default value of the property is \"false\".\n"
+ "#\n"
+ "#jdk.security.allowNonCaAnchor=true\n\n"
+ "#\n"
+ "# The default Character set name (java.nio.charset.Charset.forName())\n"
+ "# for converting TLS ALPN values between byte arrays and Strings.\n"
+ "# Prior versions of the JDK may use UTF-8 as the default charset. If\n"
+ "# you experience interoperability issues, setting this property to UTF-8\n"
+ "# may help.\n"
+ "#\n"
+ "# jdk.tls.alpnCharset=UTF-8\n"
+ "jdk.tls.alpnCharset=ISO_8859_1\n\n"
+ "#\n"
+ "# JNDI Object Factories Filter\n"
+ "#\n"
+ "# This filter is used by the JNDI runtime to control the set of object factory classes\n"
+ "# which will be allowed to instantiate objects from object references returned by\n"
+ "# naming/directory systems. The factory class named by the reference instance will be\n"
+ "# matched against this filter. The filter property supports pattern-based filter syntax\n"
+ "# with the same format as jdk.serialFilter.\n"
+ "#\n"
+ "# Each pattern is matched against the factory class name to allow or disallow it's\n"
+ "# instantiation. The access to a factory class is allowed unless the filter returns\n"
+ "# REJECTED.\n"
+ "#\n"
+ "# Note: This property is currently used by the JDK Reference implementation.\n"
+ "# It is not guaranteed to be examined and used by other implementations.\n"
+ "#\n"
+ "# If the system property jdk.jndi.object.factoriesFilter is also specified, it supersedes\n"
+ "# the security property value defined here. The default value of the property is \"*\".\n"
+ "#\n"
+ "# The default pattern value allows any object factory class specified by the reference\n"
+ "# instance to recreate the referenced object.\n"
+ "#jdk.jndi.object.factoriesFilter=*\n";
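        // MULTILINE makes ^ and $ anchor at every line of the input, so the
        // pattern matches only lines that consist entirely of digits.
        final Pattern pattern = Pattern.compile(regex, Pattern.MULTILINE);
        final Matcher matcher = pattern.matcher(string);

        while (matcher.find()) {
            System.out.println("Full match: " + matcher.group(0));

            // The regex defines no capture groups, so groupCount() is 0 and
            // this loop body does not run for this pattern.
            for (int i = 1; i <= matcher.groupCount(); i++) {
                System.out.println("Group " + i + ": " + matcher.group(i));
            }
        }
    }
}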
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for Java, please visit: https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html
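The jdk.serialFilter pattern rules described in the properties text above (limits checked before classes, "!" rejection, ".*" versus ".**", UNDECIDED when nothing matches) can be checked against the JDK's own `ObjectInputFilter.Config.createFilter`. This is an added example, not part of the generated sample; the names `SerialFilterDemo`, `Probe`, `evaluate` and `expect` and the two `java.util` patterns are constructed for illustration, and JDK 17 or later is assumed.

```java
import java.io.ObjectInputFilter;
import java.io.ObjectInputFilter.FilterInfo;
import java.io.ObjectInputFilter.Status;

public class SerialFilterDemo {

    // Stand-in for the FilterInfo that ObjectInputStream hands to a filter,
    // so a pattern can be evaluated without deserializing anything.
    record Probe(Class<?> serialClass, long arrayLength, long depth,
                 long references, long streamBytes) implements FilterInfo {
        static Probe of(Class<?> c) { return new Probe(c, -1, 1, 1, 64); }
        Probe withDepth(long d) {
            return new Probe(serialClass, arrayLength, d, references, streamBytes);
        }
        Probe withArrayLength(long n) {
            return new Probe(serialClass, n, depth, references, streamBytes);
        }
    }

    // jceks.key.serialFilter value from the properties text above
    // (continuation lines joined, as the properties loader would do).
    static final String JCEKS =
        "java.base/java.lang.Enum;java.base/java.security.KeyRep;"
      + "java.base/java.security.KeyRep$Type;"
      + "java.base/javax.crypto.spec.SecretKeySpec;!*";

    // Pattern the properties text gives as an approximation of the built-in
    // DGC filter. This evaluates the pattern string, not the built-in filter.
    static final String DGC =
        "java.rmi.server.ObjID;java.rmi.server.UID;java.rmi.dgc.VMID;"
      + "java.rmi.dgc.Lease;maxdepth=5;maxarray=10000";

    // Constructed patterns (not from the page) contrasting ".*" and ".**".
    static final String PKG_ONLY = "java.util.*";
    static final String PKG_TREE = "java.util.**";

    static Status evaluate(String pattern, FilterInfo info) {
        return ObjectInputFilter.Config.createFilter(pattern).checkInput(info);
    }

    static void expect(String label, Status want, Status got) {
        System.out.printf("%-44s %s%n", label, got);
        if (want != got) {
            throw new AssertionError(label + ": expected " + want + ", got " + got);
        }
    }

    public static void main(String[] args) {
        // Listed classes are allowed; the trailing "!*" rejects everything else.
        expect("jceks  SecretKeySpec", Status.ALLOWED,
               evaluate(JCEKS, Probe.of(javax.crypto.spec.SecretKeySpec.class)));
        expect("jceks  HashMap", Status.REJECTED,
               evaluate(JCEKS, Probe.of(java.util.HashMap.class)));

        // No catch-all here: a class that matches no pattern is UNDECIDED.
        Probe lease = Probe.of(java.rmi.dgc.Lease.class);
        expect("dgc    Lease", Status.ALLOWED, evaluate(DGC, lease));
        expect("dgc    String", Status.UNDECIDED,
               evaluate(DGC, Probe.of(String.class)));

        // Limits are checked before class patterns, even though they appear
        // last in the pattern string.
        expect("dgc    Lease at depth 6", Status.REJECTED,
               evaluate(DGC, lease.withDepth(6)));

        // Arrays are matched by element type, subject to maxarray.
        Probe objIds = Probe.of(java.rmi.server.ObjID[].class);
        expect("dgc    ObjID[10]", Status.ALLOWED,
               evaluate(DGC, objIds.withArrayLength(10)));
        expect("dgc    ObjID[10001]", Status.REJECTED,
               evaluate(DGC, objIds.withArrayLength(10001)));

        // ".*" covers one package; ".**" also covers its subpackages.
        Probe chm = Probe.of(java.util.concurrent.ConcurrentHashMap.class);
        expect("java.util.*   ArrayList", Status.ALLOWED,
               evaluate(PKG_ONLY, Probe.of(java.util.ArrayList.class)));
        expect("java.util.*   ConcurrentHashMap", Status.UNDECIDED,
               evaluate(PKG_ONLY, chm));
        expect("java.util.**  ConcurrentHashMap", Status.ALLOWED,
               evaluate(PKG_TREE, chm));
    }
}
```

An UNDECIDED result is not a rejection: as the properties text notes for the JCEKS case, the decision then falls to whatever filter is consulted next, so an allow-list meant to be closed needs a final `!*`.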