WebSphere Application Server Network Deployment, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Configuring spi.policy files

Why and when to perform this task

Java 2 security uses several policy files to determine the granted permission for each Java program. See Java 2 security policy files for the list of available policy files that are supported by WebSphere Application Server Version 6.0.x.

Because the default permission for the Service Provider Interface (SPI) is the AllPermission permission, the only reason to update the spi.policy file is a restricted SPI permission. When a change in the spi.policy is required, complete the following steps.

Syntax errors in the policy files cause the application server to fail. Edit these policy files carefully.

Important: Do not place the codebase keyword or any other keyword after the filterMask and runtimeFilterMask keywords. The Signed By and the Java Authentication and Authorization Service (JAAS) Principal keywords are not supported in the spi.policy file. The Signed By keyword is supported in the java.policy, server.policy, and client.policy policy files. The JAAS Principal keyword is supported in a JAAS policy file that is specified by the java.security.auth.policy Java virtual machine (JVM) system property. You can statically set the authorization policy files in java.security.auth.policy with auth.policy.url.n=URL, where URL is the location of the authorization policy.

Steps for this task

  1. Extract the policy file. From the command prompt, enter wsadmin> set obj [$AdminConfig extract profiles/profile_name/cells/cell_name/nodes/node_name/spi.policy c:/temp/test/spi.policy]
  2. Edit the file using the Policy Tool. For more information, see Using Policy Tool to edit policy files.
  3. Check in the policy file. From the command prompt, enter wsadmin> $AdminConfig checkin profiles/profile_name/cells/cell_name/nodes/node_name/spi.policy c:/temp/test/spi.policy $obj.

Result

The updated spi.policy is applied to the Service Provider Interface (SPI) libraries after the Java process is restarted.

Example

spi.policyresources.xmlspi.policyresources.xmljava.policyspi.policyspi.policy
You can find the spi.policy file that is supplied by WebSphere Application Server in the following location: app_server_root/profiles/profile_name/config/cells/cell_name/nodes/node_name/spi.policy. This file contains the following default permission:

grant {
permission java.security.AllPermission;
};

What to do next

Restart the related Java processes for the changes in the spi.policy file to become effective.



Related concepts
Java 2 security policy files

Related tasks
Configuring the was.policy file
Configuring server.policy files
Configuring java.policy files
Using Policy Tool to edit policy files
Adding the was.policy file to applications
Configuring Java 2 security policy files

Task topic    

Terms of Use | Feedback

Last updated: Dec 11, 2005 4:07:15 PM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tsec_spipolicy.html

© Copyright IBM Corporation 2002, 2005. All Rights Reserved.
This information center is powered by Eclipse technology. (http://www.eclipse.org)