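server.policy file permissions
Java™ 2 security uses several policy files to determine the permissions granted to each Java program.
See Java 2 security policy files for the list of available policy files that WebSphere® Application Server supports.
The server.policy file is a default policy file shared by all WebSphere Application Servers on a node. The server.policy file is not a configuration file managed by the repository and the file replication service. Changes to this file are local and are not replicated to other machines.
If the default permissions for a server (the union of the permissions defined in the java.policy file and the server.policy file) are sufficient, no action is required. The default server policy is picked up automatically. If some server programs on the node need a specific change, update the server.policy file with the Policy Tool. See Using PolicyTool to edit policy files for Java 2 security to edit policy files. Changes to a node's server.policy file are local. Syntax errors in the policy files cause the application server to fail. Edit these policy files carefully. The updated server.policy file applies to all server programs on the local node. Restart the servers for the updates to take effect.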
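A structural check to run on an edited server.policy before the restart, as an added example (not IBM's code or tooling). It covers grant blocks only (no keystore entries), reports unterminated strings, unbalanced braces and missing semicolons with line numbers, and lists the code bases granted AllPermission so they can be compared with the defaults; the function name and the sample text are assumptions of this example.

```python
import re

# Quoted string | // comment | /* comment */  (strings first, so "file://x" survives)
LEXEME = re.compile(r'"(?:[^"\\\n]|\\[^\n])*"|//[^\n]*|/\*.*?\*/', re.S)
GRANT = re.compile(r"\s*grant\b([^{};]*)\{([^{}]*)\}\s*;", re.I)
ENTRY = re.compile(r"\s*permission\s+([\w.$]+)(?:\s|,|@\d+@|signedBy)*", re.I)

def check_policy(text):
    """Return (errors, code bases granted AllPermission) for policy file text."""
    strings, errors, broad = [], [], []
    def mask(m):
        if m.group().startswith('"'):            # string -> placeholder @n@
            strings.append(m.group()[1:-1])
            return f"@{len(strings) - 1}@"
        return "\n" * m.group().count("\n")      # comment -> keep line numbering
    src = LEXEME.sub(mask, text)
    def line(pos):
        return src.count("\n", 0, pos) + 1
    quote = src.find('"')
    if quote >= 0:
        return [f"line {line(quote)}: unterminated string"], broad
    pos = 0
    while src[pos:].strip():
        m = GRANT.match(src, pos)
        if not m:
            bad = len(src) - len(src[pos:].lstrip())
            return errors + [f"line {line(bad)}: malformed grant block (check braces and ';')"], broad
        cb = re.search(r"codeBase\s+@(\d+)@", m.group(1), re.I)
        code_base = strings[int(cb.group(1))] if cb else "<any code>"
        *entries, tail = m.group(2).split(";")
        if tail.strip():
            errors.append(f"line {line(m.end(2) - len(tail.lstrip()))}: missing ';' after permission entry")
        for entry in entries:
            pm = ENTRY.fullmatch(entry)
            if not pm:
                errors.append(f"grant for {code_base}: bad entry {entry.strip()!r}")
            elif pm.group(1) == "java.security.AllPermission":
                broad.append(code_base)
        pos = m.end()
    return errors, broad

# Constructed sample: a default entry from this page plus an edit that lost its ';'.
SAMPLE_POLICY = r'''grant codeBase "file:${was.install.root}/lib/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:user_client_installed_location" {
  permission java.io.FilePermission "app_server_root/Base/lib/mail-impl.jar", "read"
};'''
print(check_policy(SAMPLE_POLICY))
```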
When you need to modify the server.policy file, you can find it at profile_root/properties/server.policy. The file contains these default permissions:
[AIX Solaris HP-UX Linux Windows]
```
// Allow to use sun tools
grant codeBase "file:${java.home}/../lib/tools.jar" {
  permission java.security.AllPermission;
};
// WebSphere system classes
grant codeBase "file:${was.install.root}/plugins/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/lib/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/classes/-" {
  permission java.security.AllPermission;
};
// Allow the WebSphere deploy tool all permissions
grant codeBase "file:${was.install.root}/deploytool/-" {
  permission java.security.AllPermission;
};
// Allow Channel Framework classes all permission
grant codeBase "file:${was.install.root}/installedChannels/-" {
  permission java.security.AllPermission;
};
// WebSphere optional runtime classes
grant codeBase "file:${was.install.root}/optionalLibraries/-" {
  permission java.security.AllPermission;
};
```
[IBM i]
```
// Allow to use sun tools
grant codeBase "file:${java.home}/../lib/tools.jar" {
  permission java.security.AllPermission;
};
// Allow to use ibm jdk extensions
grant codeBase "file:${was.install.root}/java/ext/-" {
  permission java.security.AllPermission;
};
// Allow to use additional ibm jdk extensions with j9
grant codeBase "file:${was.install.root}/java/extj9/-" {
  permission java.security.AllPermission;
};
// Allow to use sun and ibm tools
grant codeBase "file:${was.install.root}/java/tools/-" {
  permission java.security.AllPermission;
};
// WebSphere system classes
grant codeBase "file:${was.install.root}/plugins/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/lib/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/classes/-" {
  permission java.security.AllPermission;
};
// Allow the WebSphere deploy tool all permissions
grant codeBase "file:${was.install.root}/deploytool/-" {
  permission java.security.AllPermission;
};
// Allow the WebSphere deploy tool all permissions
grant codeBase "file:${was.install.root}/optionalLibraries/-" {
  permission java.security.AllPermission;
};
// Allow Channel Framework classes all permission
grant codeBase "file:${was.install.root}/installedChannels/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/util/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${user.install.root}/lib/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${user.install.root}/classes/-" {
  permission java.security.AllPermission;
};
```
[z/OS]
```
// Allow to use sun tools
grant codeBase "file:${java.home}/lib/tools.jar" {
  permission java.security.AllPermission;
};
// Allow the WebSphere deploy tool all permissions
grant codeBase "file:${was.install.root}/deploytool/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/plugins/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/classes/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/lib/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${smpe.install.root}/lib/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${smpe.install.root}/-" {
  permission java.security.AllPermission;
};
// Allow to use TAM
grant codeBase "file:${was.install.root}/tivoli/tam/PD.jar" {
  permission java.security.AllPermission;
};
```
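If some server programs on the node require permissions that are not defined as defaults in the java.policy file and the server.policy file, update the server.policy file. A missing permission raises a java.security.AccessControlException exception. The missing permission is listed in the exception data.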
[AIX Solaris HP-UX Linux Windows] [z/OS]
```
java.security.AccessControlException: access denied (java.io.FilePermission
C:\WebSphere\AppServer\java\jre\lib\ext\mail-impl.jar read)
```
[IBM i]
```
java.security.AccessControlException: access denied (java.io.FilePermission
app_server_rootBase/lib/mail-impl.jar read)
```
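The previous two lines are split into two lines for illustrative purposes only.
When a Java program receives this exception and adding the permission is justified, add the permission to the server.policy file.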
[AIX Solaris HP-UX Linux Windows] [z/OS]
```
grant codeBase "file:user_client_installed_location" {
  // Backslashes in a Windows path are doubled inside a policy file string
  permission java.io.FilePermission
    "C:\\WebSphere\\AppServer\\java\\jre\\lib\\ext\\mail-impl.jar", "read";
};
```
[IBM i]
```
grant codeBase "file:user_client_installed_location" {
  permission java.io.FilePermission
    "app_server_root/Base/lib/mail-impl.jar", "read";
};
```
To decide whether to add a permission, see "Access control exception for Java 2 security".
Restart all Java processes for the updated server.policy file to take effect.
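Turning the exception data into a candidate server.policy entry, as an added example (not IBM's code). The parser, the `REVIEW` action set and the `// REVIEW:` marker are assumptions of this example, and the code base is the placeholder used above.

```python
import re

# Classes whose denial message ends with an action list (assumption: common cases).
HAS_ACTIONS = {"java.io.FilePermission", "java.net.SocketPermission",
               "java.util.PropertyPermission"}
REVIEW = {"write", "delete", "execute"}   # assumed local review policy
DENIED = re.compile(r"access denied \((.+)\)", re.S)

def parse_denied(message):
    """Return (class, target, actions) from an AccessControlException message."""
    m = DENIED.search(message)
    if not m:
        return None
    body = " ".join(m.group(1).split())           # rejoin a wrapped message
    quoted = re.findall(r'"([^"]*)"', body)
    if quoted:                                    # form: ("class" "target" "actions")
        return tuple((quoted + ["", ""])[:3])
    cls, _, rest = body.partition(" ")
    if cls in HAS_ACTIONS and " " in rest:
        target, _, actions = rest.rpartition(" ")
        return cls, target, actions
    return cls, rest, ""

def policy_entry(cls, target, actions):
    """Format one permission line; backslashes are doubled inside policy strings."""
    args = ", ".join('"%s"' % a.replace("\\", "\\\\") for a in (target, actions) if a)
    return f"permission {cls} {args}".rstrip() + ";"

def needs_review(cls, target, actions):
    """Flag grants an administrator should justify before adding them."""
    acts = {a.strip() for a in actions.split(",")}
    return cls.endswith("AllPermission") or target == "<<ALL FILES>>" or bool(acts & REVIEW)

def grant_block(code_base, messages):
    """Build one grant block; flagged entries are emitted commented out."""
    lines = [f'grant codeBase "{code_base}" {{']
    for perm in dict.fromkeys(filter(None, map(parse_denied, messages))):
        prefix = "  // REVIEW: " if needs_review(*perm) else "  "
        lines.append(prefix + policy_entry(*perm))
    return "\n".join(lines + ["};"])

# Constructed sample messages; the first is the wrapped exception shown on this page.
SAMPLE = [
    "java.security.AccessControlException: access denied (java.io.FilePermission\n"
    "C:\\WebSphere\\AppServer\\java\\jre\\lib\\ext\\mail-impl.jar read)",
    'access denied ("java.util.PropertyPermission" "user.dir" "write")',
]
print(grant_block("file:user_client_installed_location", SAMPLE))
```

Duplicate denials collapse to one entry, and entries marked `// REVIEW:` stay commented out until someone decides they are justified.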