Configuring Java 2 security policy files
Users can configure Java™ 2 security policy files so that the required permission is granted for the specified WebSphere® Application Server enterprise application.
Before you begin
See the Java 2 security policy files topic for the list of available policy files that are supported by WebSphere Application Server.
Policy file name | Description |
---|---|
app.policy | Contains default permissions for all of the enterprise applications in the cell. Note: Updates to the app.policy file only apply to the enterprise applications on the node to which the app.policy file belongs. |
was.policy | Contains application-specific permissions for a WebSphere Application Server enterprise application. This file is packaged in an enterprise archive (EAR) file. |
ra.xml | Contains connector application-specific permissions for a WebSphere Application Server enterprise application. This file is packaged in a resource adapter archive (RAR) file. |
spi.policy | Contains permissions for Service Provider Interface (SPI) or third-party resources that are embedded in WebSphere Application Server. The default contents grant everything. Update this file carefully when the cell requires more protection against SPI in the cell. This file is applied to all of the SPIs that are defined in the resources.xml file. |
library.policy | Contains permissions for the shared library of enterprise applications. |
filter.policy | Contains the list of permissions that require filtering from the was.policy file and the app.policy file in the cell. This filtering mechanism only applies to the was.policy and app.policy files. |
grant codeBase "file:${application}" {
  permission java.lang.RuntimePermission "stopThread";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "modifyThreadGroup";
};
Procedure
Results
Example
If a WebSphere Application Server enterprise application in a cell requires permissions, some of the dynamic policy files need updating. The symptom of the missing permission is the java.security.AccessControlException exception. The missing permission is listed in the following exception data, which appears as one line, but is split into sections for readability.
java.security.AccessControlException: access denied (java.io.FilePermission
${was.install.root}/java/ext/mail.jar read)
When a Java program receives this exception and adding this permission is justified, add the permission to the appropriate dynamic policy file.
grant codeBase "file:user_client_installed_location" {
  permission java.io.FilePermission
    "${was.install.root}$(/)java$(/)jre$(/)lib$(/)ext$(/)mail.jar", "read";
};
The previous permission information lines are split for the illustration. Enter the permission on one line.
To decide whether to add a permission, refer to the Access control exception for Java 2 security topic.
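The triage described in the example above, as an added script that is not IBM's code: it parses the one-line AccessControlException message into a candidate permission entry written on one line, removes duplicates, and marks broad grants for manual review. The sample log lines, the function names and the review list (AllPermission, `<<ALL FILES>>`, `*`) are assumptions of this example.

```python
import re
DENIED = re.compile(r"AccessControlException: access denied \((.*)\)")
# Assumption of this example: grants this broad go to manual review.
BROAD = {"java.security.AllPermission", "<<ALL FILES>>", "*"}

def parse_denied(line):
    """Return (class, target, actions), or None if the line is not a denial.

    Accepts the unquoted form shown on the page (class first, actions last,
    target between) and the form of newer JDKs that quotes each field.
    """
    m = DENIED.search(line)
    if not m:
        return None
    inner = m.group(1).strip()
    if inner.startswith('"'):
        parts = re.findall(r'"([^"]*)"', inner)
    else:
        toks = inner.split()
        parts = toks if len(toks) < 3 else [toks[0], " ".join(toks[1:-1]), toks[-1]]
    parts += [""] * (3 - len(parts))
    return tuple(parts[:3])

def policy_entry(cls, target, actions):
    """Render one permission on a single line, doubling backslashes."""
    entry = "permission " + cls
    if target:
        entry += ' "' + target.replace("\\", "\\\\") + '"'
    if actions:
        entry += ', "' + actions + '"'
    return entry + ";"

def candidates(log_lines):
    """Map each distinct entry to True when it needs manual review."""
    out = {}
    for line in log_lines:
        parsed = parse_denied(line)
        if parsed:
            cls, target, _ = parsed
            out[policy_entry(*parsed)] = cls in BROAD or target in BROAD
    return out

# Constructed sample log; the first message is the one on this page.
P = "java.security.AccessControlException: access denied "
SAMPLE = [P + "(java.io.FilePermission ${was.install.root}/java/ext/mail.jar read)"] * 2 + [
    P + '("java.lang.RuntimePermission" "modifyThread")',
    P + '("java.io.FilePermission" "<<ALL FILES>>" "read")',
]
if __name__ == "__main__":
    for entry, review in candidates(SAMPLE).items():
        print(("REVIEW  " if review else "        ") + entry)
```

The script copies the target exactly as the exception reports it, so compare each entry with the path the grant should cover before adding it to a policy file.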