You should update the was.policy file if the application has specific resources to access.
profile_root/config/cells/cell_name/applications/ear_file_name/deployments/application_name/META-INF/was.policy
See Java 2 security policy files for the list of available policy files that are supported by WebSphere Application Server Version 6.1.
Changes made in these files are replicated to other nodes in the cell.
Symbol | Definition |
---|---|
file:${application} | Permissions apply to all resources used within the application. |
file:${jars} | Permissions apply to all utility Java archive (JAR) files within the application. |
file:${ejbComponent} | Permissions apply to enterprise bean resources within the application. |
file:${webComponent} | Permissions apply to Web resources within the application. |
file:${connectorComponent} | Permissions apply to connector resources within the application. |
grant codeBase "file:${application}" {
  permission java.lang.RuntimePermission "stopThread";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "modifyThreadGroup";
};

An administrator can add the thread permissions to the app.policy file, but the permission change requires a restart of WebSphere Application Server.

grant codeBase "file:DefaultWebApplication.war" {
  permission java.security.SecurityPermission "printIdentity";
};

grant codeBase "file:IncCMP11.jar" {
  permission java.io.FilePermission
    "${user.install.root}${/}bin${/}DefaultDB${/}-",
    "read,write,delete";
};

Symbol | Definition |
---|---|
${app.installed.path} | Path where the application is installed |
${was.module.path} | Path where the module is installed |
${current.cell.name} | Current cell name |
${current.node.name} | Current node name |
${current.server.name} | Current server name |
If an application must access a specific resource that is not defined as a default in the java.policy file, the server.policy file, and the app.policy file, update the was.policy file for that application. The symptom of the missing permission is the java.security.AccessControlException exception. The missing permission is listed in the exception data:
java.security.AccessControlException: access denied (java.io.FilePermission
app_server_root/lib/ext/mail-impl.jar read)
java.security.AccessControlException: access denied (java.io.FilePermission app_server_root/lib/mail-impl.jar read)
The previous example was split onto several lines for illustrative purposes only.
When a Java program receives this exception and adding this permission is justified, add the following permission to the was.policy file:

grant codeBase "file:user_client_installed_location" {
  permission java.io.FilePermission
    "app_server_root/lib/mail-impl.jar", "read";
};

grant codeBase "file:user_client_installed_location" {
  permission java.io.FilePermission
    "app_server_root/lib/ext/mail-impl.jar", "read";
};

The previous example was split onto several lines for illustrative purposes only.
To determine whether to add a permission, see Access control exception.
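
The following Python helper is an added example, not IBM code: it collects the `access denied (...)` entries from log text in the message format shown above, de-duplicates them, and renders a candidate grant entry for the was.policy file, marking write, delete and execute requests for review before they are added. The function names, the sample log lines and the default `file:${application}` codeBase are assumptions made for the example; it also assumes the unquoted message format in which the last token is the action list.

```python
import re

# Matches the message format shown on this page, e.g.
# "access denied (java.io.FilePermission app_server_root/lib/ext/mail-impl.jar read)"
DENIED = re.compile(r"AccessControlException: access denied \(([^)]+)\)")

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
java.security.AccessControlException: access denied (java.io.FilePermission app_server_root/lib/ext/mail-impl.jar read)
java.security.AccessControlException: access denied (java.io.FilePermission app_server_root/lib/ext/mail-impl.jar read)
java.security.AccessControlException: access denied (java.lang.RuntimePermission modifyThread)
java.security.AccessControlException: access denied (java.io.FilePermission app_server_root/temp/out.dat write)
"""

def parse_denials(log_text):
    """Return unique (class, name, actions) tuples in first-seen order."""
    seen = []
    for body in DENIED.findall(log_text):
        parts = body.split()
        # Assumption: with three or more tokens the last one is the action list.
        if len(parts) >= 3:
            name, actions = " ".join(parts[1:-1]), parts[-1]
        else:
            name, actions = " ".join(parts[1:]), ""
        entry = (parts[0], name, actions)
        if entry not in seen:
            seen.append(entry)
    return seen

def needs_review(entry):
    """Flag requests that go beyond read access to one named target."""
    _cls, name, actions = entry
    risky = set(actions.split(",")) & {"write", "delete", "execute"}
    return bool(risky) or name == "<<ALL FILES>>"

def grant_entry(denials, code_base="file:${application}"):
    """Render one grant entry; flagged lines carry a policy-file comment."""
    lines = ['grant codeBase "%s" {' % code_base]
    for entry in denials:
        cls, name, actions = entry
        target = '"%s"' % name + (', "%s"' % actions if actions else "")
        note = "  // review before adding" if needs_review(entry) else ""
        lines.append("  permission %s %s;%s" % (cls, target, note))
    lines.append("};")
    return "\n".join(lines)

if __name__ == "__main__":
    print(grant_entry(parse_denials(SAMPLE_LOG)))
```

The output is a starting point for the was.policy entry: each listed permission still has to be justified, and the codeBase should be narrowed to the module that actually needs it.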