client.policy file permissions

Java™ 2 security uses several policy files to determine the permissions granted to each Java program.

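For the list of available policy files that WebSphere® Application Server supports, see Java 2 security policy files.
  • The client.policy file is the default policy file shared by all WebSphere Application Server client containers and applets on a node.
  • The union of the permissions in the java.policy file and the client.policy file is granted to all WebSphere Application Server client containers and applets running on the node.
  • The client.policy file is not a configuration file managed by the repository and the file replication service. Changes to this file are local and are not replicated to other machines.
  • The client.policy file supplied by WebSphere Application Server is located at profile_root/properties/client.policy.
  • If the default permissions for a client (the union of the permissions defined in the java.policy file and the permissions defined in the client.policy file) are sufficient, no action is required. The default client policy is picked up automatically.
  • If some client containers and applets on the node need a specific change, modify the client.policy file with the Policy Tool. To edit the policy file, see Using PolicyTool to edit policy files for Java 2 security. Changes to the client.policy file are local to the node.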

This file contains these default permissions:

[AIX Solaris HP-UX Linux Windows][z/OS]
grant codeBase "file:${was.install.root}/java/ext/*" {
  permission java.security.AllPermission;
};

// JDK classes
grant codeBase "file:${was.install.root}/java/ext/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/java/tools/ibmtools.jar" {
  permission java.security.AllPermission;
};
grant codeBase "file:/QIBM/ProdData/Java400/jdk14/lib/tools.jar" {
  permission java.security.AllPermission;
};

// WebSphere system classes
grant codeBase "file:${was.install.root}/lib/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/plugins/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/classes/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/installedConnectors/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${user.install.root}/installedConnectors/-" {
  permission java.security.AllPermission;
};

grant codeBase "file:${was.install.root}/installedChannels/-" {
  permission java.security.AllPermission;
};

// J2EE 1.4 permissions for client container applications 
// in $WAS_HOME/installedApps
grant codeBase "file:${user.install.root}/installedApps/-" {
  //Application client permissions
  permission java.awt.AWTPermission "accessClipboard";
  permission java.awt.AWTPermission "accessEventQueue";
  permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
  permission java.lang.RuntimePermission "exitVM";
  permission java.lang.RuntimePermission "loadLibrary";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.net.SocketPermission "localhost:1024-", "accept,listen";
  permission java.io.FilePermission "*", "read,write";
  permission java.util.PropertyPermission "*", "read";

};

// J2EE 1.4 permissions for client container - expanded ear file code base
grant codeBase "file:${com.ibm.websphere.client.applicationclient.archivedir}/-" {
  permission java.awt.AWTPermission "accessClipboard";
  permission java.awt.AWTPermission "accessEventQueue";
  permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
  permission java.lang.RuntimePermission "exitVM";
  permission java.lang.RuntimePermission "loadLibrary";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.net.SocketPermission "localhost:1024-", "accept,listen";
  permission java.io.FilePermission "*", "read,write";
  permission java.util.PropertyPermission "*", "read";
};
[IBM i]
grant codeBase "file:${was.install.root}/java/ext/*" {
  permission java.security.AllPermission;
};

// JDK classes
grant codeBase "file:${was.install.root}/java/ext/-" {
  permission java.security.AllPermission;
};

// Allow to use additional ibm jdk extensions with j9
grant codeBase "file:${was.install.root}/java/extj9/-" {
  permission java.security.AllPermission;
};

// Allow to use sun and ibm tools
grant codeBase "file:${was.install.root}/java/tools/-" {
  permission java.security.AllPermission;
};

// WebSphere system classes
grant codeBase "file:${was.install.root}/lib/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/plugins/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/classes/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/installedConnectors/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${user.install.root}/installedConnectors/-" {
  permission java.security.AllPermission;
};

grant codeBase "file:${was.install.root}/installedChannels/-" {
  permission java.security.AllPermission;
};

grant codeBase "file:${was.install.root}/util/-" {
  permission java.security.AllPermission;
};

grant codeBase "file:${user.install.root}/lib/-" {
  permission java.security.AllPermission;
};

grant codeBase "file:${user.install.root}/classes/-" {
  permission java.security.AllPermission;
};

// J2EE 1.4 permissions for client container applications in $WAS_HOME/installedApps
grant codeBase "file:${user.install.root}/installedApps/-" {
  //Application client permissions
  permission java.awt.AWTPermission "accessClipboard";
  permission java.awt.AWTPermission "accessEventQueue";
  permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
  permission java.lang.RuntimePermission "exitVM";
  permission java.lang.RuntimePermission "loadLibrary";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.net.SocketPermission "localhost:1024-", "accept,listen";
  permission java.io.FilePermission "*", "read,write";
  permission java.util.PropertyPermission "*", "read";

};

// J2EE 1.4 permissions for client container - expanded ear file code base
grant codeBase "file:${com.ibm.websphere.client.applicationclient.archivedir}/-" {
  permission java.awt.AWTPermission "accessClipboard";
  permission java.awt.AWTPermission "accessEventQueue";
  permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
  permission java.lang.RuntimePermission "exitVM";
  permission java.lang.RuntimePermission "loadLibrary";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.net.SocketPermission "localhost:1024-", "accept,listen";
  permission java.io.FilePermission "*", "read,write";
  permission java.util.PropertyPermission "*", "read";
};

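At startup, all client containers and applets on the local node are granted the updated permissions. If some client containers or applets on the node require permissions that are not defined as defaults in the java.policy file and the default client.policy file, update the client.policy file. A missing permission causes a java.security.AccessControlException exception. The missing permission is listed in the exception data, for example: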

[AIX Solaris HP-UX Linux Windows][z/OS]
java.security.AccessControlException: access denied (java.io.FilePermission 
C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar read)
[IBM i]
java.security.AccessControlException: access denied (java.io.FilePermission 
app_server_root/Base/lib/mail-impl.jar read)

The preceding two lines of the example are one continuous line; they are split here only for illustration.

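[AIX Solaris HP-UX Linux Windows][z/OS]When a client program receives this exception and adding the permission is justified, add the permission to the client.policy file, for example:
grant codebase "file:user_client_installed_location" {
  // Backslashes in a permission target must be doubled in a policy file.
  permission java.io.FilePermission "C:\\WebSphere\\AppServer\\java\\jre\\lib\\ext\\mail.jar", "read";
};
[IBM i]When a client program receives this exception and adding the permission is justified, add the permission to the client.policy file, for example:
grant codebase "file:user_client_installed_location" {
  permission java.io.FilePermission "app_server_root/lib/mail-impl.jar", "read";
};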

To decide whether to add a permission, see "Access control exception for Java 2 security".
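
The step from exception text to policy entry described above can be scripted so that only the single denied permission is granted. The following is an added example, not part of the IBM documentation; the function names are hypothetical, and the set of permission classes that take actions is an assumption to extend as needed.

```python
import re

# Permission classes whose message ends with an action list. Heuristic for the
# unquoted message form only; extend the set for other classes you use.
WITH_ACTIONS = {"java.io.FilePermission", "java.net.SocketPermission",
                "java.util.PropertyPermission"}
# Stop at the ")" that ends a line, so ")" inside a path or a trailing
# stack trace does not confuse the match.
DENIED = re.compile(r"access denied \((.*?)\)\s*$", re.S | re.M)

# Constructed sample: the wrapped exception text shown on this page.
SAMPLE = ("java.security.AccessControlException: access denied "
          "(java.io.FilePermission \n"
          r"C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar read)")


def parse_denied(message):
    """Return (permission class, target, actions) from the exception text."""
    m = DENIED.search(message)
    if not m:
        raise ValueError("no 'access denied (...)' clause found")
    body = " ".join(m.group(1).split())        # undo line wrapping
    quoted = re.findall(r'"([^"]*)"', body)    # newer JDKs quote each field
    if quoted:
        cls, target, actions = (quoted + ["", ""])[:3]
        return cls, target, actions
    cls, _, rest = body.partition(" ")
    if cls in WITH_ACTIONS and " " in rest:
        target, _, actions = rest.rpartition(" ")  # target may contain spaces
        return cls, target, actions
    return cls, rest, ""


def grant_entry(message, code_base):
    """Build a policy grant entry for the one permission the exception names."""
    cls, target, actions = parse_denied(message)
    # Policy files treat "\" as an escape character, so double it.
    fields = ['"%s"' % f.replace("\\", "\\\\") for f in (target, actions) if f]
    perm = "  permission " + cls + (" " + ", ".join(fields) if fields else "") + ";"
    return 'grant codeBase "%s" {\n%s\n};' % (code_base, perm)


if __name__ == "__main__":
    print(grant_entry(SAMPLE, "file:user_client_installed_location"))
```

Review the generated entry before adding it to client.policy; the script narrows the grant to what was denied but does not decide whether the access is justified.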

If you update the policy file, you must restart the browser and all client applications.

