Configuring app.policy files

Before you begin

Java 2 security uses several policy files to determine the granted permissions for each Java program. See the Dynamic policy article for the list of available policy files supported by WebSphere Application Server. The app.policy file is a default policy file shared by all of the WebSphere Application Server enterprise applications. The union of the permissions contained in the java.policy file, the server.policy file, the app.policy file, the application was.policy file and the permission specification of the ra.xml file are applied to the WebSphere Application Server enterprise application. The app.policy files are managed by configuration and file replication services. Changes made in these files are replicated to other nodes in the Network Deployment cell.

Note: The Signed By and the Java Authentication and Authorization Service (JAAS) principal keywords are not supported in the app.policy file. However, the Signed By keyword is supported in the following files: java.policy, server.policy, and the client.policy files. The JAAS principal keyword is supported in a JAAS policy file when it is specified by the Java Virtual Machine (JVM) system property, java.security.auth.policy. You can statically set the authorization policy files in java.security.auth.policy with auth.policy.url.n=URL where URL is the location of the authorization policy.

Why and when to perform this task

If the default permissions for enterprise applications (the union of the permissions defined in the java.policy file, the server.policy file and the app.policy file) are enough, no action is required. The default app.policy file is used automatically. If a specific change is required to all of the enterprise applications in the node to which the app.policy belongs, then update the app.policy file. Syntax errors in the policy files cause start failures in the application servers. Edit these policy files carefully.

Note: Updates to the app.policy file only apply to the enterprise applications on the node to which the app.policy file belongs. There is no Java security policy file in WebSphere Application Server that enforces policies over all enterprise applications in a cell.

Steps for this task

  1. Extract the policy file.
    1. From the command prompt, enter wsadmin wsadmin> set obj [$AdminConfig extract cells/cell_name/node/node_name/app.policy c:/temp/test/app.policy].
  2. Edit the extracted app.policy file with the Policy Tool.
  3. Check in the policy file.
    1. Enter the following at a command prompt wsadmin> $AdminConfig checkin cells/cell_name/nodes/node_name/app.policyc:/temp/test/was.policy $obj.

Results

The default Java 2 security policies have been changed for the enterprise application.

Example

Symbol Meaning
file:${application} Permissions apply to all resources within the application
file:${jars} Permissions apply to all utility Java archive (JAR) files within the application
file:${ejbComponent} Permissions apply to enterprise bean resources within the application
file:${webComponent} Permissions apply to Web resources within the application
file:${connectorComponent} Permissions apply to connector resources both within the application and within stand-alone connector resources.


There are five embedded symbols provided to specify the path and name for java.io.FilePermission. These symbols enable flexible permission specifications. The absolute file path is fixed after the installation of the application.

Symbol Meaning
${app.installed.path} Path where the application is installed
${was.module.path} Path where the module is installed
${current.cell.name} Current cell name
${current.node.name} Current node name
${current.server.name} Current server name


Note: You cannot use the ${was.module.path} in the ${application} entry.

The app.policy file supplied by WebSphere Application Server resides at install_root/config/cells/cell_name/nodes/node_name/app.policy, which contains the following default permissions:

Note: In the following code sample, the first two lines related to permission java.io.FilePermission were split into two lines each due to the width of the printed page.

grant codeBase "file:${application}" {
  // The following are required by Java mail
  permission java.io.FilePermission "${was.install.root}${/}java${/}
  jre${/}lib${/}ext${/}mail.jar", "read";
  permission java.io.FilePermission "${was.install.root}${/}java${/}
  jre${/}lib${/}ext${/}activation.jar", "read";
};

grant codeBase "file:${jars}" {
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};

grant codeBase "file:${connectorComponent}" {
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};
grant codeBase "file:${webComponent}" {
  permission java.io.FilePermission "${was.module.path}${/}-", "read, write";
  permission java.lang.RuntimePermission "loadLibrary.*";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};

grant codeBase "file:${ejbComponent}" {
 permission java.lang.RuntimePermission "queuePrintJob";
 permission java.net.SocketPermission "*", "connect";
 permission java.util.PropertyPermission "*", "read";
};

If all of the WebSphere Application Server enterprise applications in a node require permissions that are not defined as defaults in the java.policy file, the server.policy file and the app.policy file, then update the app.policy file that belongs to the node.

Note: Updates to the app.policy file only apply to the enterprise applications on the node to which the app.policy file belongs. There is no Java security policy file in WebSphere Application Server that enforces policies over all enterprise applications in a cell.

. The symptom of a missing permission is the exception, java.security.AccessControlException. The missing permission is listed in the exception data, for example, java.security.AccessControlException: access denied (java.io.FilePermission C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar read).

When a Java program receives this exception and adding this permission is justified, add a permission to the server.policy file, for example:

grant codeBase "file:<user client installed location>" {   
permission java.io.FilePermission 
"C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar", "read"; };

To decide whether to add a permission, refer to the article AccessControlException.

What to do next

Restart all WebSphere Application Server enterprise applications to ensure that the updated app.policy file takes effect.

Related concepts
Java 2 security policy files
AccessControlException
Related tasks
Migrating security configurations from previous releases
Configuring server.policy files
Configuring client.policy files
Configuring filter.policy files
Configuring java.policy files
Using PolicyTool to edit policy files



Searchable topic ID:   tsecapppolicy
Last updated: Jun 21, 2007 4:55:42 PM CDT    WebSphere Application Server Network Deployment, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tsec_apppolicy.html

Library | Support | Terms of Use | Feedback