client.policy file permissions
Java™ 2 security uses several policy files to determine the granted permission for each Java program.
- The client.policy file is a default policy file that is shared by all of the WebSphere Application Server client containers and applets on a node.
- The union of the permissions that is contained in the java.policy file and the client.policy file are given to all of the client containers for WebSphere Application Server and applets running on the node.
- The client.policy file is not a configuration file that is managed by the repository and the file replication service. Changes to this file are local and do not replicate to the other machine.
- The client.policy file supplied by WebSphere Application Server is located in the profile_root/properties/client.policy.
- If the default permissions for a client (union of the permissions defined in the java.policy file and the client.policy file) are enough, no action is required. The default client policy is picked up automatically.
- If a specific change is required to some of the client containers and applets on a node, modify the client.policy file with the Policy Tool. Refer to Usando PolicyTool para Editar Arquivos de Políticas para Segurança Java 2, to edit policy files. Changes to the client.policy file are local for the node.
This file contains these default permissions:
![[AIX Solaris HP-UX Linux Windows]](../images/dist.gif)
![[z/OS]](../images/ngzos.gif)
grant codeBase "file:${was.install.root}/java/ext/*" {
permission java.security.AllPermission;
};
// JDK classes
grant codeBase "file:${was.install.root}/java/ext/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/java/tools/ibmtools.jar" {
permission java.security.AllPermission;
};
grant codeBase "file:/QIBM/ProdData/Java400/jdk14/lib/tools.jar" {
permission java.security.AllPermission;
};
// WebSphere system classes
grant codeBase "file:${was.install.root}/lib/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/plugins/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/classes/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/installedConnectors/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${user.install.root}/installedConnectors/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/installedChannels/-" {
permission java.security.AllPermission;
};
// J2EE 1.4 permissions for client container applications
// in $WAS_HOME/installedApps
grant codeBase "file:${user.install.root}/installedApps/-" {
//Application client permissions
permission java.awt.AWTPermission "accessClipboard";
permission java.awt.AWTPermission "accessEventQueue";
permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
permission java.lang.RuntimePermission "exitVM";
permission java.lang.RuntimePermission "loadLibrary";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.net.SocketPermission "localhost:1024-", "accept,listen";
permission java.io.FilePermission "*", "read,write";
permission java.util.PropertyPermission "*", "read";
};
// J2EE 1.4 permissions for client container - expanded ear file code base
grant codeBase "file:${com.ibm.websphere.client.applicationclient.archivedir}/-" {
permission java.awt.AWTPermission "accessClipboard";
permission java.awt.AWTPermission "accessEventQueue";
permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
permission java.lang.RuntimePermission "exitVM";
permission java.lang.RuntimePermission "loadLibrary";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.net.SocketPermission "localhost:1024-", "accept,listen";
permission java.io.FilePermission "*", "read,write";
permission java.util.PropertyPermission "*", "read";
};
![[IBM i]](../images/iseries.gif)
grant codeBase "file:${was.install.root}/java/ext/*" {
permission java.security.AllPermission;
};
// JDK classes
grant codeBase "file:${was.install.root}/java/ext/-" {
permission java.security.AllPermission;
};
// Allow to use additional ibm jdk extensions with j9
grant codeBase "file:${was.install.root}/java/extj9/-" {
permission java.security.AllPermission;
};
// Allow to use sun and ibm tools
grant codeBase "file:${was.install.root}/java/tools/-" {
permission java.security.AllPermission;
};
// WebSphere system classes
grant codeBase "file:${was.install.root}/lib/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/plugins/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/classes/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/installedConnectors/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${user.install.root}/installedConnectors/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/installedChannels/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/util/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${user.install.root}/lib/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${user.install.root}/classes/-" {
permission java.security.AllPermission;
};
// J2EE 1.4 permissions for client container applications in $WAS_HOME/installedApps
grant codeBase "file:${user.install.root}/installedApps/-" {
//Application client permissions
permission java.awt.AWTPermission "accessClipboard";
permission java.awt.AWTPermission "accessEventQueue";
permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
permission java.lang.RuntimePermission "exitVM";
permission java.lang.RuntimePermission "loadLibrary";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.net.SocketPermission "localhost:1024-", "accept,listen";
permission java.io.FilePermission "*", "read,write";
permission java.util.PropertyPermission "*", "read";
};
// J2EE 1.4 permissions for client container - expanded ear file code base
grant codeBase "file:${com.ibm.websphere.client.applicationclient.archivedir}/-" {
permission java.awt.AWTPermission "accessClipboard";
permission java.awt.AWTPermission "accessEventQueue";
permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
permission java.lang.RuntimePermission "exitVM";
permission java.lang.RuntimePermission "loadLibrary";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.net.SocketPermission "localhost:1024-", "accept,listen";
permission java.io.FilePermission "*", "read,write";
permission java.util.PropertyPermission "*", "read";
};
All of the client containers and applets on the local node are granted the updated permissions when they start. If some client containers or applets on a node require permissions that are not defined as defaults in the java.policy file and the default client.policy file, update the client.policy file. The missing permission creates the java.security.AccessControlException exception. The missing permission is listed in the exception data, for example,
![[AIX Solaris HP-UX Linux Windows]](../images/dist.gif)
![[z/OS]](../images/ngzos.gif)
java.security.AccessControlException: access denied (java.io.FilePermission
C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar read)
![[IBM i]](../images/iseries.gif)
java.security.AccessControlException: access denied (java.io.FilePermission
app_server_root/Base/lib/mail-impl.jar read)
The previous two lines of the example are one continuous line, but presented as such for illustrative purposes only.
![[AIX Solaris HP-UX Linux Windows]](../images/dist.gif)
![[z/OS]](../images/ngzos.gif)
grant codebase "file:user_client_installed_location" {permission
java.io.FilePermission "C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar", "read"; };
![[IBM i]](../images/iseries.gif)
grant codebase "file:user_client_installed_location" { permission
java.io.FilePermission "app_server_root/lib/mail-impl.jar", "read"; };
To decide whether to add a permission, refer to Access control exception for Java 2 security.
If you update the policy file, you must restart the browser and any client applications.