Configure library.policy files

Java 2 security uses several policy files to determine the granted permission for each Java programs. See Dynamic policy for the list of available policy files supported by WebSphere Application Server Version 5. The library.policy file is the template for shared libraries (Java library classes). Multiple enterprise applications can define and use shared libraries. Refer to Managing shared libraries for information on how to define and manage the shared libraries.

If the default permissions for a shared library (union of the permissions defined in the java.policy file, the app.policy file and the library.policy file) are enough, no action is required. The default library policy is picked up automatically. If a specific change is required to share a library in the cell, update the library.policy file.

Syntax errors in the policy files cause the appserver to fail. Edit these policy files carefully.

Note that Do not place the codebase keyword or any other keyword after the grant keyword. The Signed By keyword and the JAAS Principal keyword are not supported in the library.policy file. The Signed By keyword is supported in the following policy files: java.policy, server.policy, and client.policy. The JAAS Principal keyword is supported in a JAAS policy file when it is specified by the JVM system property, You can statically set the authorization policy files in with auth.policy.url.n=URL where URL is the location of the authorization policy.

  1. Modify the library.policy file with the Policy Tool.

An updated library.policy is applied to shared libraries after the servers restart.


Usage Scenario


The library.policy file supplied by WAS resides at: $WAS_HOME/config/cells/cell/nodes/node/library.policy, contains an empty permission entry as a default. For example,

 grant {

If the shared library in a cell requires permissions that are not defined as defaults in the java.policy file, app.policy file and the library.policy file, update the library.policy file. The missing permission causes the exception, The missing permission is listed in the exception data... access denied
C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar read)

The previous lines are one continuous line.

When a Java program receives this exception and adding this permission is justified, add a permission to the library.policy file, for example: grant codeBase "file:<user client installed location>" { permission "C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar", "read"; };

to decide whether to add a permission, refer to AccessControlException.

Restart the related Java processes for the changes in the library.policy file to become effective.