WebSphere Application Server Network Deployment, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Configuring client.policy files

Before you begin

Java 2 security uses several policy files to determine the granted permission for each Java program. See Java 2 security policy files for the list of available policy files that are supported by WebSphere Application Server.
  • The client.policy file is a default policy file that is shared by all of the WebSphere Application Server client containers and applets on a node.
  • The union of the permissions that are contained in the java.policy file and the client.policy file is given to all of the WebSphere Application Server client containers and applets running on the node.
  • The client.policy file is not a configuration file that is managed by the repository and the file replication service. Changes to this file are local and do not replicate to other machines.
  • The client.policy file that is supplied by WebSphere Application Server is located at app_server_root/profiles/profile_name/properties/client.policy.
This file contains these default permissions:

grant codeBase "file:${was.install.root}/java/ext/*" {
  permission java.security.AllPermission;
};

// JDK classes
grant codeBase "file:${was.install.root}/java/ext/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/java/tools/ibmtools.jar" {
  permission java.security.AllPermission;
};
grant codeBase "file:/QIBM/ProdData/Java400/jdk14/lib/tools.jar" {
  permission java.security.AllPermission;
};

// WebSphere system classes
grant codeBase "file:${was.install.root}/lib/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/plugins/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/classes/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/installedConnectors/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${user.install.root}/installedConnectors/-" {
  permission java.security.AllPermission;
};

grant codeBase "file:${was.install.root}/installedChannels/-" {
  permission java.security.AllPermission;
};

// J2EE 1.4 permissions for client container WAS applications in $WAS_HOME/installedApps
grant codeBase "file:${user.install.root}/installedApps/-" {
  // Application client permissions
  permission java.awt.AWTPermission "accessClipboard";
  permission java.awt.AWTPermission "accessEventQueue";
  permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
  permission java.lang.RuntimePermission "exitVM";
  permission java.lang.RuntimePermission "loadLibrary";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.net.SocketPermission "localhost:1024-", "accept,listen";
  permission java.io.FilePermission "*", "read,write";
  permission java.util.PropertyPermission "*", "read";
};

// J2EE 1.4 permissions for client container - expanded ear file code base
grant codeBase "file:${com.ibm.websphere.client.applicationclient.archivedir}/-" {
  permission java.awt.AWTPermission "accessClipboard";
  permission java.awt.AWTPermission "accessEventQueue";
  permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
  permission java.lang.RuntimePermission "exitVM";
  permission java.lang.RuntimePermission "loadLibrary";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.net.SocketPermission "localhost:1024-", "accept,listen";
  permission java.io.FilePermission "*", "read,write";
  permission java.util.PropertyPermission "*", "read";
};

Steps for this task

  1. If the default permissions for a client (union of the permissions defined in the java.policy file and the client.policy file) are enough, no action is required. The default client policy is picked up automatically.
  2. If a specific change is required to some of the client containers and applets on a node, modify the client.policy file with the Policy Tool. Refer to Using Policy Tool to edit policy files. Changes to the client.policy file are local for the node.

Result

All of the client containers and applets on the local node are granted the updated permissions when they start.

Example

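If a client needs a permission that is not granted in the java.policy file or the client.policy file, the client fails with an exception such as the following, and the missing permission can be added to the client.policy file: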

java.security.AccessControlException: access denied (java.io.FilePermission
C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar read)

The previous two lines are one continuous line; they are split here for illustrative purposes only.

When a client program receives this exception and adding this permission is justified, add a permission to the client.policy file, for example:

grant codeBase "file:user_client_installed_location" {
  permission java.io.FilePermission "C:\\WebSphere\\AppServer\\java\\jre\\lib\\ext\\mail.jar", "read";
};

Inside a quoted policy string the backslash is an escape character, so each backslash in a Windows path is written twice.

To decide whether to add a permission, refer to Access control exception.
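
The diagnosis step in the Example above can be scripted. The following is an added example, not IBM's code: it reads java.security.AccessControlException lines in the format shown on this page and builds a candidate grant entry for review. The function names and the RuntimePermission log line are constructed, and file:user_client_installed_location is the page's own placeholder.

```python
import re

# Message format from the Example section; the log may wrap the line once,
# between the permission class and its target.
DENIED = re.compile(
    r"access denied \(([\w.$]+)[ \t]*\n?[ \t]*([^\n]*)\)[ \t]*$", re.MULTILINE)

# Permission classes whose final token is an action list, not part of the target.
WITH_ACTIONS = {"java.io.FilePermission", "java.net.SocketPermission",
                "java.util.PropertyPermission"}

def parse_denials(log_text):
    """Return the unique (class, target, actions) tuples denied in log_text."""
    found = set()
    for cls, rest in DENIED.findall(log_text):
        rest = rest.strip()
        actions = None
        if cls in WITH_ACTIONS and " " in rest:
            # rsplit keeps targets that contain spaces (C:\Program Files\...) intact
            rest, actions = rest.rsplit(None, 1)
        found.add((cls, rest, actions))
    return sorted(found, key=lambda d: (d[0], d[1], d[2] or ""))

def policy_quote(value):
    # Backslash is an escape character inside quoted policy strings,
    # so each backslash of a Windows path is written twice.
    return '"' + value.replace("\\", "\\\\") + '"'

def render_grant(code_base, denials):
    """Build one grant entry holding exactly the denied permissions."""
    lines = ["grant codeBase %s {" % policy_quote(code_base)]
    for cls, target, actions in denials:
        entry = "  permission %s %s" % (cls, policy_quote(target))
        if actions:
            entry += ", " + policy_quote(actions)
        lines.append(entry + ";")
    lines.append("};")
    return "\n".join(lines)

# Constructed sample log: the page's exception in wrapped form, the same denial
# on one line, and one constructed RuntimePermission denial.
SAMPLE_LOG = r"""
java.security.AccessControlException: access denied (java.io.FilePermission
C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar read)
java.security.AccessControlException: access denied (java.io.FilePermission C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar read)
java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
"""

if __name__ == "__main__":
    print(render_grant("file:user_client_installed_location", parse_denials(SAMPLE_LOG)))
```

Each emitted line names one exact target and action, so it can be checked against Access control exception before it is pasted into client.policy.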

What to do next

Close and restart the browser. You also must restart the client application if you have one.



Related concepts
Java 2 security policy files
Access control exception

Related tasks
Migrating, coexisting, and interoperating – Security considerations
Configuring app.policy files
Configuring server.policy files
Configuring filter.policy files
Configuring java.policy files
Configuring static policy files


Last updated: Dec 11, 2005 4:07:15 PM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tsec_clientpolicy.html

© Copyright IBM Corporation 2002, 2005. All Rights Reserved.