Before you begin
Java 2 security uses several policy files to determine the permissions granted to each Java program. See Java 2 security policy files for the list of available policy files that are supported by WebSphere Application Server Version 6.0.x. The was.policy file is an application-specific policy file for WebSphere Application Server enterprise applications. This file is embedded in the enterprise archive (EAR) file as META-INF/was.policy. The was.policy file is located in:
    profile_root/config/cells/cell_name/applications/ear_file_name/deployments/application_name/META-INF/was.policy
Changes made in these files are replicated to other nodes in the cell.
Symbol | Definition |
---|---|
file:${application} | Permissions apply to all resources within the application |
file:${jars} | Permissions apply to all utility Java archive (JAR) files within the application |
file:${ejbComponent} | Permissions apply to enterprise bean resources within the application |
file:${webComponent} | Permissions apply to Web resources within the application |
file:${connectorComponent} | Permissions apply to connector resources within the application |
    grant codeBase "file:${application}" {
      permission java.lang.RuntimePermission "stopThread";
      permission java.lang.RuntimePermission "modifyThread";
      permission java.lang.RuntimePermission "modifyThreadGroup";
    };
An administrator can add the thread permissions to the app.policy file, but the permission change requires a restart of WebSphere Application Server.
    grant codeBase "file:DefaultWebApplication.war" {
      permission java.security.SecurityPermission "printIdentity";
    };
    grant codeBase "file:IncCMP11.jar" {
      permission java.io.FilePermission
        "${user.install.root}${/}bin${/}DefaultDB${/}-",
        "read,write,delete";
    };
Symbol | Definition |
---|---|
${app.installed.path} | Path where the application is installed |
${was.module.path} | Path where the module is installed |
${current.cell.name} | Current cell name |
${current.node.name} | Current node name |
${current.server.name} | Current server name |
Why and when to perform this task
If the default permissions for the enterprise application are enough, no action is required. The default permissions are a union of the permissions that are defined in the java.policy file, the server.policy file, and the app.policy file. If an application has specific resources to access, update the was.policy file. The first two steps assume that you are creating a new policy file.
Steps for this task
For more information, see Adding the was.policy file to applications.
The following instructions describe how to import a was.policy file.
Result
The updated was.policy file is applied to the application after the application restarts.
Example
    java.security.AccessControlException: access denied (java.io.FilePermission
    app_server_root/lib/mail-impl.jar read)
The previous example was split onto several lines for illustrative purposes only.
    grant codeBase "file:user_client_installed_location" {
      permission java.io.FilePermission
        "app_server_root/lib/mail-impl.jar", "read";
    };
The previous example was split onto several lines for illustrative purposes only.
To determine whether to add a permission, see Access control exception.
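The step from the AccessControlException message to a grant entry, shown in the example above, can be scripted. This is an added example, not IBM code: the function names, the constructed log lines, and the default codeBase of file:${application} are assumptions, and the output is only a candidate entry to review before it goes into was.policy.

```python
import re

# Unquoted message style (as on this page) and the quoted style of newer JDKs.
DENIED = re.compile(r'AccessControlException: access denied \((.+)\)')
QUOTED = re.compile(r'"([^"]*)"')

def parse_denied(line):
    """Return (permission_class, target, actions), or None if no denial."""
    m = DENIED.search(line)
    if not m:
        return None
    body = m.group(1).strip()
    if body.startswith('"'):
        parts = QUOTED.findall(body)
    else:
        # The unquoted form is ambiguous for targets that contain spaces:
        # assume the last of three or more tokens is the action list.
        tok = body.split()
        parts = tok[:2] if len(tok) < 3 else [tok[0], ' '.join(tok[1:-1]), tok[-1]]
    return tuple((parts + ['', '', ''])[:3])

def candidate_grant(log_lines, code_base='file:${application}'):
    """Build one grant block from the distinct denials found in log_lines."""
    denials = []
    for line in log_lines:
        d = parse_denied(line)
        if d and d not in denials:      # keep first-seen order, drop repeats
            denials.append(d)
    if not denials:
        return ''
    out = ['grant codeBase "%s" {' % code_base]
    for cls, target, actions in denials:
        entry = '  permission ' + cls
        if target:
            # Policy-file strings treat backslash as an escape character.
            entry += ' "%s"' % target.replace('\\', '\\\\')
        if actions:
            entry += ', "%s"' % actions
        out.append(entry + ';')
    out.append('};')
    return '\n'.join(out)

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    'SystemErr R java.security.AccessControlException: access denied (java.io.FilePermission app_server_root/lib/mail-impl.jar read)',
    'SystemErr R java.security.AccessControlException: access denied (java.io.FilePermission app_server_root/lib/mail-impl.jar read)',
    'java.security.AccessControlException: access denied (java.lang.RuntimePermission modifyThread)',
    'java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\\logs\\app.log" "write")',
    'SystemOut O application started',
]

if __name__ == '__main__':
    print(candidate_grant(SAMPLE_LOG))
```

Each generated line widens what the application code may do, so remove any permission the application does not actually need before importing the file.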
What to do next
Restart all applications for the updated app.policy file to take effect.
Related concepts
Access control exception
Java 2 security policy files
Related tasks
Migrating, coexisting, and interoperating – Security considerations
Configuring spi.policy files
Configuring library.policy files
Adding the was.policy file to applications
Importing enterprise applications
Configuring Java 2 security policy files