Before you begin
Java 2 security is a new feature in WebSphere Application Server Version 5. It is a new programming model that is very pervasive and has a huge impact on application development. It is disabled by default, but is enabled automatically when global security is enabled. Although Java 2 security is orthogonal to J2EE role-based security, and you can disable or enable it independently of global security, it provides an extra level of access control protection on top of the J2EE role-based authorization. It particularly addresses the protection of system resources and APIs. Administrators should weigh the benefits against the risks of disabling Java 2 security.
The following recommendations are provided to help enable Java 2 security in a test or production environment:
Note: The default permission set for applications is the recommended permission set defined in the J2EE 1.3 Specification. The default is declared in the config/cells/<cell_name>/nodes/<node_name>/app.policy policy file, together with the permissions defined in the Development Kit (${JAVA_HOME}/lib/security/java.policy) policy file, which grants permissions to everyone. However, applications are denied the permissions declared in the config/cells/<cell_name>/filter.policy filter policy file. Permissions declared in the filter.policy file are filtered out for applications during the permission check.
Note: Define the required permissions for an application in a was.policy file and embed the was.policy file in the application enterprise archive (EAR) file as YOURAPP.ear/META-INF/was.policy (see Configuring Java 2 security policy files for details).
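To review what an EAR requests before it is deployed with Java 2 security enabled, the following added example (not part of the original documentation) reads META-INF/was.policy from an archive, lists every permission it grants, and flags java.security.AllPermission. The sample policy, the legacy.jar code base and all function names are constructed for illustration, and the parser assumes simple `grant codeBase` blocks only.

```python
import io
import re
import zipfile

POLICY_PATH = "META-INF/was.policy"  # location given in the note above
COMMENT_RE = re.compile(r'^\s*//[^\n]*|/\*.*?\*/', re.S | re.M)
GRANT_RE = re.compile(r'grant\s*(?:codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S | re.I)
PERM_RE = re.compile(r'permission\s+([\w.$]+)((?:\s*,?\s*"[^"]*")*)\s*;')

def read_was_policy(ear_bytes):
    """Return the text of META-INF/was.policy from an EAR, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as ear:
        found = POLICY_PATH in ear.namelist()
        return ear.read(POLICY_PATH).decode("utf-8") if found else None

def parse_grants(policy_text):
    """Yield (codeBase, permission class, [quoted args]) per permission entry."""
    text = COMMENT_RE.sub("", policy_text)
    for codebase, body in GRANT_RE.findall(text):
        for cls, args in PERM_RE.findall(body):
            yield codebase or "<all code>", cls, re.findall(r'"([^"]*)"', args)

def audit(ear_bytes):
    """List the permissions an EAR requests and flag AllPermission grants."""
    text = read_was_policy(ear_bytes)
    grants = list(parse_grants(text)) if text is not None else []
    flagged = [g for g in grants if g[1] == "java.security.AllPermission"]
    return {"has_policy": text is not None, "grants": grants, "flagged": flagged}

# Constructed sample input: not taken from any real application.
SAMPLE_POLICY = '''
// constructed sample was.policy
grant codeBase "file:${application}" {
  permission java.io.FilePermission "/tmp/reports/-", "read,write";
  permission java.util.PropertyPermission "user.dir", "read";
};
grant codeBase "file:legacy.jar" {
  permission java.security.AllPermission;
};
'''

def build_sample_ear(policy=SAMPLE_POLICY):
    """Build an in-memory EAR, optionally without a was.policy entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ear:
        ear.writestr("META-INF/application.xml", "<application/>")
        if policy is not None:
            ear.writestr(POLICY_PATH, policy)
    return buf.getvalue()

print(audit(build_sample_ear())["flagged"])
```

An EAR with no was.policy entry runs with the default application permission set only, which `audit` reports as `has_policy: False`.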
Results
Java 2 security is enabled and enforced for the servers. Java 2 security permission is selected when a Java 2 security protected API is called.
What to do next
The WebSphere Java 2 security manager is enhanced to dump the Java 2 security permissions granted to all classes on the call stack when an application is denied access to a resource (the java.security.AccessControlException exception is thrown). However, this tracing capability is disabled by default. You can enable it by specifying the server trace service with the com.ibm.ws.security.core.SecurityManager=all=enabled trace specification. When the exception is thrown, the trace dump provides hints to determine whether the application is missing permissions, or whether the product runtime code or the third-party libraries it uses are not properly marked as privileged when accessing Java 2 protected resources. See the Security Problem Determination Guide for details.