The Java 2 Platform, Enterprise Edition (J2EE) Version 1.3 specification has a well-defined programming model of responsibilities between the container providers and the application code. Using Java 2 security manager to help enforce this programming model is recommended. Certain operations are not supported in the application code because such operations interfere with the behavior and operation of the containers. The Java 2 security manager is used in the product to enforce responsibilities of the container and the application code.
This product provides support for policy file management. A number of policy files in the product are either static or dynamic. Dynamic policy is a template of permissions for a particular type of resource. No relative code base is defined in the dynamic policy template. The code base is dynamically calculated from the deployment and run-time data.
Static policy files
Policy file | Location |
---|---|
java.policy | install_root/java/jre/lib/security/java.policy. Default permissions granted to all classes. The policy of this file applies to all the processes launched by WebSphere Application Server. |
server.policy | install_root/profiles/profile_name/properties/server.policy. Default permissions granted to all the product servers. |
client.policy | install_root/profiles/profile_name/properties/client.policy. Default permissions for all of the product client containers and applets on a node. |
Dynamic policy files
Policy file | Location |
---|---|
spi.policy | install_root/profiles/profile_name/config/cells/cell_name This template is for the Service Provider Interface (SPI) or the third-party resources that are embedded in the product. Examples of SPI are the Java Message Service (JMS) in MQ Series and JDBC drivers. The code base for the embedded resources are dynamically determined from the configuration (resources.xml file) and run-time data, and permissions that are defined in the spi.policy files are automatically applied to these resources and JAR files specified in the class path of a ResourceAdapter. The default permission of the spi.policy file is java.security.AllPermissions. |
library.policy | install_root/profiles/profile_name/config/cells/cell_name/nodes This template is for the library (Java library classes). You can define a shared library to use in multiple product applications. The default permission of the library.policy is empty. |
app.policy | install_root/profiles/profile_name/config/cells/cell_name The app.policy file defines the default permissions that are granted to all the enterprise applications running on node_name in cell_name. |
was.policy | install_root/config/cells/cell_name This template is for application-specific permissions. The was.policy file is embedded in the enterprise archive (EAR) file. |
ra.xml | rar_file_name/META-INF/was.policy.RAR. This file can have a permission specification that is defined in the ra.xml file. The ra.xml file is embedded in the RAR file. |
Syntax of the policy file
grant [codebase <Codebase>] {
permission <Permission>;
permission <Permission>;
permission <Permission>;
};
<CodeBase>: A URL.
For example, "file:${java.home}/lib/tools.jar"
When [codebase <Codebase>] is not specified, listed
permissions are applied to everything.
If URL ends with a JAR file name, only the classes in the
JAR file belong to the codebase.
If URL ends with "/", only the class files in the specified
directory belong to the codebase.
If URL ends with "*", all JAR and class files in the specified
directory belong to the codebase.
If URL ends with "-", all JAR and class files in the specified
directory and its subdirectories belong to the codebase.
<Permissions>: Consists from
Permission Type : class name of the permission
Target Name : name specifying the target
Actions : actions allowed on target
For example,
java.io.FilePermission "/tmp/xxx", "read,write"
Syntax of dynamic policy
You can define permissions for specific types of resources in dynamic policy files for an enterprise application. This action is achieved by using product-reserved symbols. The reserved symbol scope depends on where it is defined. If you define the permissions in the app.policy file, the symbol applies to all the resources on all of the enterprise applications that run on node_name. If you define the permissions in the META-INF/was.policy file, the symbol applies only to the specific enterprise application. Valid symbols for the code base are listed in the following table:Symbol | Meaning |
---|---|
file:${application} | Permissions apply to all resources within the application |
file:${jars} | Permissions apply to all utility Java archive (JAR) files within the application |
file:${ejbComponent} | Permissions apply to Enterprise JavaBeans (EJB) resources within the application |
file:${webComponent} | Permissions apply to Web resources within the application |
file:${connectorComponent} | Permissions apply to connector resources within the application |
grant codeBase "file:DefaultWebApplication.war" {
permission java.security.SecurityPermission "printIdentity";
};
grant codeBase "file:IncCMP11.jar" {
permission java.io.FilePermission
"${user.install.root}${/}bin${/}DefaultDB${/}-",
"read,write,delete";
};
The sixth and seventh lines in the previous code sample are one continuous line.
You can use a relative code base only in the META-INF/was.policy file.
Symbol | Meaning |
---|---|
file:${application} | Permissions apply to all resources within the application |
file:${jars} | Permissions apply to all utility JAR files within the application |
file:${ejbComponent} | Permissions apply to enterprise beans resources within the application |
file:${webComponent} | Permissions apply to Web resources within the application |
file:${connectorComponent} | Permissions apply to connector resources both within the application and in stand-alone connector resources. |
Symbol | Meaning |
---|---|
${app.installed.path} | Path where the application is installed |
${was.module.path} | Path where the module is installed |
${current.cell.name} | Current cell name |
${current.node.name} | Current node name |
${current.server.name} | Current server name |
Carefully determine where to add a new permission. An incorrectly specified permission causes an AccessControlException exception. Because dynamic policy resolves the code base at run time, determining which policy file has a problem is difficult. Add a permission only to the necessary resources. For example, use ${ejbcomponent}, and etc instead of ${application}, and update the was.policy file instead of the app.policy file, if possible.
Static policy filtering
Limited static policy filtering support exists. If the app.policy file and the was.policy file have permissions that are defined in the filter.policy file with the keyword, filterMask, the run time removes the permissions from the applications and an audit message is logged. However, if the permissions that are defined in the app.policy and the was.policy files are compound permissions, for example, java.security.AllPermission, the permission is not removed, but a warning message is written to the log file. The policy filtering only supports Developer Kit permissions, (the permissions package name begins with java or javax).
Run-time policy filtering support is provided to force stricter filtering. If the app.policy file and the was.policy file have permissions that are defined in the filter.policy file with the keyword, runtimeFilterMask, the run time removes the permissions from the applications no matter what permissions are granted to the application. For example, even if a was.policy file has the java.security.AllPermission permission granted to one of its modules, specified permissions such as runtimeFilterMask are removed from the granted permission during run time.
If the Issue Permission Warning flag in the Global Security panel is enabled and if the app.policy file and the was.policy file contain custom permissions (non-Developer Kit permissions, where the permissions package name begins with java or javax), a warning message logs. The permission is not removed. If the AllPermission permission is listed in the app.policy file and the was.policy file, a warning message logs.
Policy file editing
Using the policy tool that is provided by the Developer Kit (install_root/java/jre/bin/policytool), to edit the previous policy files is recommended. For Network Deployment, extract the policy files from the repository before editing. After the policy file is extracted, use the policy tool to edit the file. Check the modified policy files into the repository and synchronize them with other nodes.
grant {
permission javax.security.auth.PrivateCredentialPermission
"javax.resource.spi.security.PasswordCredential * \"*\" ","read";
};
Errors have occurred while opening the policy configuration.
View the warning log for more information.
Warning: Invalid argument(s) for constructor:
javax.security.auth.PrivateCredentialPermission.
grant {
permission javax.security.auth.PrivateCredentialPermission
"javax.resource.spi.security.PasswordCredential * \"*\"","read";
}
Troubleshooting
com.ibm.ws.security.policy.*=all=enabled:
com.ibm.ws.security.core.SecurityManager=all=enabled
Related tasks
Configuring Java 2 security
Using Policy Tool to edit policy files
Related reference
Java 2 security