client.policy 文件许可权
Java™ 2 安全性使用若干策略文件,为每个 Java 程序确定授予的许可权。
要获取 WebSphere® Application Server 支持的可用策略文件列表,请参阅 Java 2 安全策略文件。
- client.policy 文件是节点上的所有 WebSphere Application Server 客户机容器和 Applet 共享的缺省策略文件。
- 将 java.policy 文件与 client.policy 文件中所共有的许可权赋予节点上运行的所有 WebSphere Application Server 客户机容器和 Applet。
- client.policy 文件不是资源库和文件复制服务管理的配置文件。对此文件的更改是本地的,而不会复制到其他机器。
- WebSphere Application Server 提供的 client.policy 文件位于 profile_root/properties/client.policy。
- 如果客户机的缺省许可权(java.policy 文件中定义的许可权和 client.policy 文件中定义的许可权并集)已足够,无需其他操作。自动选取缺省客户机策略。
- 如果节点上的一些客户机容器和 applet 需要特定更改,请使用策略工具修改 client.policy 文件。请参阅使用 PolicyTool 来编辑 Java 2 安全性的策略文件,已编辑策略文件。对 client.policy 文件的更改在节点的本地。
此文件包含这些缺省许可权:
![[AIX Solaris HP-UX Linux Windows]](../images/dist.gif)
![[z/OS]](../images/ngzos.gif)
grant codeBase "file:${was.install.root}/java/ext/*" {
permission java.security.AllPermission;
};
// JDK classes
grant codeBase "file:${was.install.root}/java/ext/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/java/tools/ibmtools.jar" {
permission java.security.AllPermission;
};
grant codeBase "file:/QIBM/ProdData/Java400/jdk14/lib/tools.jar" {
permission java.security.AllPermission;
};
// WebSphere system classes
grant codeBase "file:${was.install.root}/lib/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/plugins/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/classes/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/installedConnectors/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${user.install.root}/installedConnectors/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/installedChannels/-" {
permission java.security.AllPermission;
};
// J2EE 1.4 permissions for client container applications
// in $WAS_HOME/installedApps
grant codeBase "file:${user.install.root}/installedApps/-" {
//Application client permissions
permission java.awt.AWTPermission "accessClipboard";
permission java.awt.AWTPermission "accessEventQueue";
permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
permission java.lang.RuntimePermission "exitVM";
permission java.lang.RuntimePermission "loadLibrary";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.net.SocketPermission "localhost:1024-", "accept,listen";
permission java.io.FilePermission "*", "read,write";
permission java.util.PropertyPermission "*", "read";
};
// J2EE 1.4 permissions for client container - expanded ear file code base
grant codeBase "file:${com.ibm.websphere.client.applicationclient.archivedir}/-" {
permission java.awt.AWTPermission "accessClipboard";
permission java.awt.AWTPermission "accessEventQueue";
permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
permission java.lang.RuntimePermission "exitVM";
permission java.lang.RuntimePermission "loadLibrary";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.net.SocketPermission "localhost:1024-", "accept,listen";
permission java.io.FilePermission "*", "read,write";
permission java.util.PropertyPermission "*", "read";
};
![[IBM i]](../images/iseries.gif)
grant codeBase "file:${was.install.root}/java/ext/*" {
permission java.security.AllPermission;
};
// JDK classes
grant codeBase "file:${was.install.root}/java/ext/-" {
permission java.security.AllPermission;
};
// Allow to use additional ibm jdk extensions with j9
grant codeBase "file:${was.install.root}/java/extj9/-" {
permission java.security.AllPermission;
};
// Allow to use sun and ibm tools
grant codeBase "file:${was.install.root}/java/tools/-" {
permission java.security.AllPermission;
};
// WebSphere system classes
grant codeBase "file:${was.install.root}/lib/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/plugins/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/classes/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/installedConnectors/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${user.install.root}/installedConnectors/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/installedChannels/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/util/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${user.install.root}/lib/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${user.install.root}/classes/-" {
permission java.security.AllPermission;
};
// J2EE 1.4 permissions for client container applications in $WAS_HOME/installedApps
grant codeBase "file:${user.install.root}/installedApps/-" {
//Application client permissions
permission java.awt.AWTPermission "accessClipboard";
permission java.awt.AWTPermission "accessEventQueue";
permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
permission java.lang.RuntimePermission "exitVM";
permission java.lang.RuntimePermission "loadLibrary";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.net.SocketPermission "localhost:1024-", "accept,listen";
permission java.io.FilePermission "*", "read,write";
permission java.util.PropertyPermission "*", "read";
};
// J2EE 1.4 permissions for client container - expanded ear file code base
grant codeBase "file:${com.ibm.websphere.client.applicationclient.archivedir}/-" {
permission java.awt.AWTPermission "accessClipboard";
permission java.awt.AWTPermission "accessEventQueue";
permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
permission java.lang.RuntimePermission "exitVM";
permission java.lang.RuntimePermission "loadLibrary";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.net.SocketPermission "localhost:1024-", "accept,listen";
permission java.io.FilePermission "*", "read,write";
permission java.util.PropertyPermission "*", "read";
};
在启动时,本地节点上所有客户机容器和 applet 将被授予已更新的许可权。如果节点上的一些客户机容器或 applet 需要 java.policy 文件中未定义为缺省许可权和缺省 client.policy 文件,请更新 client.policy 文件。缺少许可权将创建 java.security.AccessControlException 异常。缺少的许可权列出在异常数据中,例如,
![[AIX Solaris HP-UX Linux Windows]](../images/dist.gif)
![[z/OS]](../images/ngzos.gif)
java.security.AccessControlException: access denied (java.io.FilePermission
C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar read)
![[IBM i]](../images/iseries.gif)
java.security.AccessControlException: access denied (java.io.FilePermission
app_server_root/Base/lib/mail-impl.jar read)
该示例的前两行是一个连续行,目前这样显示只是为了便于说明。
![[AIX Solaris HP-UX Linux Windows]](../images/dist.gif)
![[z/OS]](../images/ngzos.gif)
grant codebase "file:user_client_installed_location" {permission
java.io.FilePermission "C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar", "read"; };
![[IBM i]](../images/iseries.gif)
grant codebase "file:user_client_installed_location" { permission
java.io.FilePermission "app_server_root/lib/mail-impl.jar", "read"; };
要确定是否添加许可权,请参阅“Java 2 安全性的访问控制异常”。
如果您更新策略文件,那么必须重新启动浏览器和所有客户机应用程序。