app.policy file permissions
Java™ 2 security uses several policy files to determine the permissions granted to each Java program. The union of the permissions contained in the following files is applied to the WebSphere® Application Server enterprise application, and that union determines the granted permissions:
- Any policy file that is specified in the policy.url.* properties in the java.security file.
- The app.policy files, which are managed by configuration and file replication services.
- The server.policy file.
- The java.policy file.
- The application was.policy file.
- The permission specification of the ra.xml file.
- The shared library, which is the library.policy file.
Changes made in these files are replicated to other nodes in the WebSphere Application Server Network Deployment cell.
grant codeBase "file:${application}" {
permission java.lang.RuntimePermission "stopThread";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "modifyThreadGroup";
};
To extract the policy file, use a command prompt to enter the following command on one line using the appropriate variable values for your environment:
wsadmin> set obj [$AdminConfig extract cells/cell_name/nodes/node_name/app.policy c:\temp\test\app.policy]
wsadmin> set obj [$AdminConfig extract cells/cell_name/nodes/node_name/app.policy /temp/test/app.policy]
Edit the extracted app.policy file with the Policy Tool. For more information, see Using PolicyTool to edit policy files for Java 2 security. Changes to the app.policy file are local for the node.
To check in the policy file, use a command prompt to enter the following command on one line using the appropriate variable values for your environment:
wsadmin> $AdminConfig checkin cells/cell_name/nodes/node_name/app.policy c:\temp\test\app.policy $obj
wsadmin> $AdminConfig checkin cells/cell_name/nodes/node_name/app.policy /temp/test/app.policy $obj
Symbol | Meaning |
---|---|
file:${application} | Permissions apply to all resources within the application |
file:${jars} | Permissions apply to all utility Java archive (JAR) files within the application |
file:${ejbComponent} | Permissions apply to enterprise bean resources within the application |
file:${webComponent} | Permissions apply to web resources within the application |
file:${connectorComponent} | Permissions apply to connector resources both within the application and within stand-alone connector resources. |
Symbol | Meaning |
---|---|
${app.installed.path} | Path where the application is installed |
${was.module.path} | Path where the module is installed |
${current.cell.name} | Current cell name |
${current.node.name} | Current node name |
${current.server.name} | Current server name |
Do not use ${was.module.path} in the ${application} entry.
The app.policy file supplied by WebSphere Application Server is located at profile_root/config/cells/cell_name/nodes/node_name/app.policy and contains the following default permissions:
grant codeBase "file:${application}" {
// The following are required by JavaMail
permission java.io.FilePermission "${was.install.root}${/}lib${/}activation-impl.jar", "read";
permission java.io.FilePermission "${was.install.root}${/}lib${/}mail-impl.jar", "read";
};
grant codeBase "file:${jars}" {
permission java.net.SocketPermission "*", "connect";
permission java.util.PropertyPermission "*", "read";
};
grant codeBase "file:${connectorComponent}" {
permission java.net.SocketPermission "*", "connect";
permission java.util.PropertyPermission "*", "read";
};
grant codeBase "file:${webComponent}" {
permission java.io.FilePermission "${was.module.path}${/}-", "read, write";
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.util.PropertyPermission "*", "read";
};
grant codeBase "file:${ejbComponent}" {
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.util.PropertyPermission "*", "read";
};
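The default grants above rely on three things the policy syntax does not spell out: the codeBase decides which code a grant applies to, ${/} and ${was.module.path} are expanded by the policy parser from the file separator and a system property, and a trailing ${/}- makes a FilePermission recursive. The program below is an added example, not IBM documentation or WebSphere product code. It writes a policy file shaped like the ${webComponent} grant, loads it with the JDK's standard "JavaPolicy" provider, and asks which permissions it implies for code inside and outside the module directory. It assumes a JDK that still ships the Java 2 security policy provider (JDK 8 through 23); the was.module.path system property and the temporary directories are constructed stand-ins, and the ${webComponent} symbol is replaced by an explicit directory URL because that symbol is resolved by WebSphere, not by the plain JDK policy parser.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

/**
 * Loads a policy file shaped like the ${webComponent} grant and reports which
 * permissions the JDK policy provider implies for code inside and outside the module.
 */
public class AppPolicyCheck {

    /** Protection domain for unsigned code loaded from the given location. */
    static ProtectionDomain domainFor(URL location) {
        return new ProtectionDomain(new CodeSource(location, (Certificate[]) null), null);
    }

    static void report(Policy policy, String label, ProtectionDomain pd, Permission perm) {
        System.out.printf("%-55s %s%n", label, policy.implies(pd, perm) ? "GRANTED" : "denied");
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for a deployed web module and an unrelated directory.
        Path moduleDir = Files.createTempDirectory("webmodule").toRealPath();
        Path otherDir = Files.createTempDirectory("elsewhere").toRealPath();

        // The policy parser expands ${was.module.path} from a system property and ${/}
        // to the platform file separator (policy.expandProperties=true is the JDK default).
        System.setProperty("was.module.path", moduleDir.toString());

        // Same permission lines as the ${webComponent} grant; the codeBase is an explicit
        // directory URL ending in "/-", which covers all code loaded from below that directory.
        String policyText =
            "grant codeBase \"" + moduleDir.toUri() + "-\" {\n"
          + "  permission java.io.FilePermission \"${was.module.path}${/}-\", \"read, write\";\n"
          + "  permission java.net.SocketPermission \"*\", \"connect\";\n"
          + "  permission java.util.PropertyPermission \"*\", \"read\";\n"
          + "};\n";
        Path policyFile = Files.createTempFile("app", ".policy");
        Files.write(policyFile, policyText.getBytes(StandardCharsets.UTF_8));

        // Load only this file (not the JDK default policies) with the standard provider.
        Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(policyFile.toUri()));

        ProtectionDomain inModule = domainFor(moduleDir.resolve("WEB-INF/lib/app.jar").toUri().toURL());
        ProtectionDomain outside = domainFor(otherDir.resolve("other.jar").toUri().toURL());

        Permission readOwnFile = new FilePermission(moduleDir.resolve("WEB-INF/web.xml").toString(), "read");
        Permission readOutside = new FilePermission(otherDir.resolve("secret.txt").toString(), "read");
        Permission connect = new SocketPermission("localhost:8443", "connect");
        Permission listen = new SocketPermission("localhost:8443", "listen");
        Permission readProp = new PropertyPermission("user.home", "read");
        Permission writeProp = new PropertyPermission("user.home", "write");

        report(policy, "module code reads its own WEB-INF/web.xml", inModule, readOwnFile);   // GRANTED
        report(policy, "module code reads a file outside the module", inModule, readOutside); // denied
        report(policy, "module code connects to localhost:8443", inModule, connect);          // GRANTED
        report(policy, "module code listens on localhost:8443", inModule, listen);            // denied
        report(policy, "module code reads system property user.home", inModule, readProp);   // GRANTED
        report(policy, "module code writes system property user.home", inModule, writeProp); // denied
        report(policy, "code outside the module reads module WEB-INF/web.xml", outside, readOwnFile); // denied
    }
}
```

Compile and run with `javac AppPolicyCheck.java && java AppPolicyCheck` (JDK 17 and later print a deprecation warning for java.security.Policy, which is harmless here). The last line is the point of the codeBase: the same FilePermission is granted to a JAR under the module directory and denied to a JAR elsewhere, which is why a permission should be placed in the narrowest codeBase entry that needs it rather than in ${application}.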
java.security.AccessControlException: access denied (java.io.FilePermission C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar read)
When a Java program receives this exception and adding this permission is justified, add a permission to the server.policy file, for example:
grant codeBase "file:user_client_installed_location" {
permission java.io.FilePermission
"C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar", "read";
};
grant codeBase "file:user_client_installed_location" {
permission java.io.FilePermission
"${was.install.root}${/}java${/}jre${/}lib${/}ext${/}mail.jar", "read";
};
The previous permission information lines are split for the illustration. You actually enter the permission on one line.
To decide whether to add a permission, refer to the AccessControlException topic.
Restart all WebSphere Application Server enterprise applications to ensure that the updated app.policy file takes effect.