Java 2 security uses several policy files to determine the granted permissions for each Java program.
Changes made in these files are replicated to other nodes in the Network Deployment cell.
grant codeBase "file:${application}" { permission java.lang.RuntimePermission "stopThread"; permission java.lang.RuntimePermission "modifyThread"; permission java.lang.RuntimePermission "modifyThreadGroup"; };
If the default permissions for enterprise applications (the union of the permissions that is defined in the java.policy file, the server.policy file and the app.policy file) are enough; no action is required. The default app.policy file is used automatically. If a specific change is required to all of the enterprise applications in the cell, update the app.policy file. Syntax errors in the policy files cause start failures in the application servers. Edit these policy files carefully.
To extract the policy file, use a command prompt to enter the following command on one line using the appropriate variable values for your environment:
wsadmin> set obj [$AdminConfig extract profiles/profile_name/cells/cell_name/node/
node_name/app.policy c:/temp/test/app.policy]
Edit the extracted app.policy file with the Policy Tool. For more information, see Using PolicyTool to edit policy files . Changes to the app.policy file are local for the node.
To check in the policy file, use a command prompt to enter the following command on one line using the appropriate variable values for your environment:
wsadmin> $AdminConfig checkin profiles/profile_name/cells/cell_name/nodes/
node_name/app.policy c:/temp/test/was.policy $obj
Several product-reserved symbols are defined to associate the permission lists to a specific type of resource.
Symbol | Meaning |
---|---|
file:${application} | Permissions apply to all resources within the application |
file:${jars} | Permissions apply to all utility Java archive (JAR) files within the application |
file:${ejbComponent} | Permissions apply to enterprise bean resources within the application |
file:${webComponent} | Permissions apply to Web resources within the application |
file:${connectorComponent} | Permissions apply to connector resources both within the application and within standalone connector resources. |
Symbol | Meaning |
---|---|
${app.installed.path} | Path where the application is installed |
${was.module.path} | Path where the module is installed |
${current.cell.name} | Current cell name |
${current.node.name} | Current node name |
${current.server.name} | Current server name |
The app.policy file that is supplied by WebSphere Application Server resides at app_server_root/profiles/profile_name/config/cells/cell_name/nodes/node_name/app.policy, which contains the following default permissions:
grant codeBase "file:${application}" { // The following are required by Java mail permission java.io.FilePermission "${was.install.root}${/}lib${/}mail-impl.jar", "read"; permission java.io.FilePermission "${was.install.root}${/}lib${/}activation-impl.jar", "read"; }; grant codeBase "file:${jars}" { permission java.net.SocketPermission "*", "connect"; permission java.util.PropertyPermission "*", "read"; }; grant codeBase "file:${connectorComponent}" { permission java.net.SocketPermission "*", "connect"; permission java.util.PropertyPermission "*", "read"; }; grant codeBase "file:${webComponent}" { permission java.io.FilePermission "${was.module.path}${/}-", "read, write"; permission java.lang.RuntimePermission "loadLibrary.*"; permission java.lang.RuntimePermission "queuePrintJob"; permission java.net.SocketPermission "*", "connect"; permission java.util.PropertyPermission "*", "read"; }; grant codeBase "file:${ejbComponent}" { permission java.lang.RuntimePermission "queuePrintJob"; permission java.net.SocketPermission "*", "connect"; permission java.util.PropertyPermission "*", "read"; };
If all of the WebSphere Application Server enterprise applications in a cell require permissions that are not defined as defaults in the java.policy file, the server.policy file and the app.policy file, then update the app.policy file. The symptom of a missing permission is the java.security.AccessControlException exception.
The missing permission is listed in the exception data, for example, java.security.AccessControlException: access denied (java.io.FilePermission C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar read).
When a Java program receives this exception and adding this permission is justified, add a permission to the server.policy file, for example:
grant codeBase "file:user_client_installed_location" { permission java.io.FilePermission "C:/WebSphere/AppServer/java/jre/lib/ext/mail.jar", "read"; };
To decide whether to add a permission, refer to the AccessControlException topic.
Restart all WebSphere Application Server enterprise applications to ensure that the updated app.policy file takes effect.