Configure java.policy files


Overview

Java 2 security uses several policy files to determine the granted permission for each Java program. The java.policy file is a global default policy file shared by all of the Java programs running in the JVM on the node. Modifying this file is not recommended.

 

Step for this task

If a specific change is required for some of the Java programs on a node and the java.policy file requires updating, modify the java.policy file with the PolicyTool.

A change to the java.policy file is local for the node. The default Java policy is picked up automatically. Syntax errors in the policy files cause the application server to fail. Edit these policy files carefully.

 

Result

An updated java.policy file is applied to all the Java programs running in all the JVMs on the local node. Restart the programs for the updates to take effect.

 

Sample java.policy

// install_root/java/jre/lib/security/java.policy
//  
// Standard extensions get all permissions by default
//  

grant codeBase "file:${java.home}/lib/ext/*" 
{
        permission java.security.AllPermission;
};


// default permissions granted to all domains

grant 
{

        // Allows any thread to stop itself using the java.lang.Thread.stop()
        // method that takes no argument.
        //
        // Note that  this permission is granted by default only to remain
        // backwards compatible.
        //
        // It is strongly recommended that you either remove this permission
        // from this policy file or further restrict it to code sources
        // that you specify, because Thread.stop() is potentially unsafe.
        //
        // See "http://java.sun.com/notes" for more information.
        // permission java.lang.RuntimePermission "stopThread";
        //

        // Allow anyone to listen on un-privileged ports
        permission java.net.SocketPermission "localhost:1024-", "listen";


        // "standard" properties that can be read by anyone
        permission java.util.PropertyPermission "java.version", "read";
        permission java.util.PropertyPermission "java.vendor", "read";
        permission java.util.PropertyPermission "java.vendor.url", "read";
        permission java.util.PropertyPermission "java.class.version", "read";
        permission java.util.PropertyPermission "os.name", "read";
        permission java.util.PropertyPermission "os.version", "read";
        permission java.util.PropertyPermission "os.arch", "read";
        permission java.util.PropertyPermission "file.separator", "read";
        permission java.util.PropertyPermission "path.separator", "read";
        permission java.util.PropertyPermission "line.separator", "read";

        permission java.util.PropertyPermission "java.specification.version", "read";
        permission java.util.PropertyPermission "java.specification.vendor", "read";
        permission java.util.PropertyPermission "java.specification.name", "read";

        permission java.util.PropertyPermission "java.vm.specification.version","read";
        permission java.util.PropertyPermission "java.vm.specification.vendor","read";
        permission java.util.PropertyPermission "java.vm.specification.name", "read";
        permission java.util.PropertyPermission "java.vm.version", "read";
        permission java.util.PropertyPermission "java.vm.vendor", "read";
        permission java.util.PropertyPermission "java.vm.name", "read";
};

If some Java programs on a node require permissions that are not defined as defaults in the java.policy file, consider updating the java.policy file. Most of the time, other policy files are updated instead of the java.policy file. A missing permission causes a java.security.AccessControlException, and the denied permission is listed in the exception data, for example:

java.security.AccessControlException: access denied (java.io.FilePermission C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar read)

When a Java program receives this exception and adding the permission is justified, add a permission to the java.policy file, for example:

grant codeBase "file:<user client installed location>" {
        // Backslashes are escape characters in policy-file strings, so a
        // Windows path must be written with "\\" (or with forward slashes).
        permission java.io.FilePermission
                "C:\\WebSphere\\AppServer\\java\\jre\\lib\\ext\\mail.jar", "read";
};

To decide whether to add a permission, refer to Access control exception.
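The following Java program is an added example, not part of this page or of the WebSphere product: it attempts a file read under a SecurityManager, catches the AccessControlException described above, and turns the permission carried in the exception data into a grant entry, escaping Windows backslashes the way the policy-file syntax requires. The code base "file:/opt/myapp/lib/-" and the default file name "probe.txt" are assumed placeholders.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.AccessControlException;
import java.security.Permission;

/**
 * Run with a security manager and a policy file, for example:
 *   java -Djava.security.manager -Djava.security.policy=sample.policy PolicyProbe <path>
 * Assumes a Java release that still provides SecurityManager (Java 8 and later;
 * deprecated from Java 17 onward).
 */
public class PolicyProbe {

    // Build a policy-file grant entry from the denied Permission. Backslashes
    // and double quotes are escape characters in policy strings, so both are
    // escaped; actions are appended only for permissions that define them.
    static String toGrantEntry(String codeBase, Permission p) {
        String name = p.getName().replace("\\", "\\\\").replace("\"", "\\\"");
        StringBuilder sb = new StringBuilder();
        sb.append("grant codeBase \"").append(codeBase).append("\" {\n");
        sb.append("        permission ").append(p.getClass().getName());
        sb.append(" \"").append(name).append('"');
        String actions = p.getActions();
        if (actions != null && !actions.isEmpty()) {
            sb.append(", \"").append(actions).append('"');
        }
        sb.append(";\n};\n");
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        String path = args.length > 0 ? args[0] : "probe.txt"; // assumed default
        String codeBase = "file:/opt/myapp/lib/-";             // assumed code base
        try (FileInputStream in = new FileInputStream(new File(path))) {
            System.out.println("read allowed: " + path);
        } catch (AccessControlException e) {
            // The exception data carries the exact permission that was denied.
            System.out.println("denied: " + e.getPermission());
            System.out.print("entry to add if the access is justified:\n"
                    + toGrantEntry(codeBase, e.getPermission()));
        }
    }
}
```

Only add the printed entry after confirming the access is justified, as the paragraph above advises; the program reports the permission, it does not grant it.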

 

What to do next

Restart all of the Java processes for the updated java.policy file to take effect.


 

See Also


Java 2 security policy files
Access control exception

 

Related Tasks


Migrating security configurations from previous releases
Configuring app.policy files
Configuring server.policy files
Configuring client.policy files
Configuring filter.policy files
Using PolicyTool to edit policy files