Configure server.policy files

 


 

Overview

Java 2 security uses several policy files to determine the permissions granted to each Java program. The server.policy file is a default policy file shared by all of the WebSphere servers on a node. The server.policy file is not a configuration file managed by the repository and the file replication service. Changes to this file are local and do not replicate to other machines.

 

Step for this task

If the default permissions for a server (the union of the permissions defined in the java.policy file and the server.policy file) are enough, no action is required. The default server policy is picked up automatically. If a specific change is required to some of the server programs on a node, update the server.policy file with the Policy Tool.

Changes to the server.policy file are local for the node. Syntax errors in the policy files cause the application server to fail. Edit these policy files carefully.

 

Result

An updated server.policy file is applied to all the server programs on the local node. Restart the servers for the updates to take effect.

 

Example

If you want to add permissions to an application, use the app.policy and was.policy files.

The server.policy file: install_root/properties/server.policy

// Allow to use sun tools

grant codeBase "file:${java.home}/../lib/tools.jar" 
{
  permission java.security.AllPermission;
};



// WebSphere system classes

grant codeBase "file:${was.install.root}/lib/-" 
{
  permission java.security.AllPermission;
};

grant codeBase "file:${was.install.root}/classes/-" 
{
  permission java.security.AllPermission;
};


// Allow the WebSphere deploy tool all permissions

grant codeBase "file:${was.install.root}/deploytool/-" 
{
  permission java.security.AllPermission;
};

If some server programs on a node require permissions that are not defined as defaults in the java.policy file and the server.policy file, update the server.policy file. A missing permission causes a java.security.AccessControlException. The missing permission is listed in the exception data, for example:

java.security.AccessControlException: access denied (java.io.FilePermission C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar read)

When a Java program receives this exception and adding this permission is justified, add a permission to the server.policy file, for example:

grant codeBase "file:<user client installed location>" {
  // Backslashes in a quoted Windows path must be doubled in a policy file
  permission java.io.FilePermission "C:\\WebSphere\\AppServer\\java\\jre\\lib\\ext\\mail.jar", "read";
};

To decide whether to add a permission, refer to Access control exception.
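The step from exception data to a policy entry, shown as an added Python example (not part of the original page or of any WebSphere tooling): it turns an "access denied" line into a narrowly scoped permission entry for review. The function names, the set of permission classes assumed to carry an actions field, and the handling of the quoted form printed by later JDKs are assumptions of this example.

```python
import re

# Assumption: these standard classes print a trailing actions field.
WITH_ACTIONS = {"java.io.FilePermission", "java.net.SocketPermission",
                "java.util.PropertyPermission"}
DENIED = re.compile(r"access denied \((.+)\)\s*$")


def parse_denied(line):
    """Split an 'access denied (...)' line into (class, target, actions)."""
    m = DENIED.search(line)
    if not m:
        raise ValueError("no 'access denied (...)' data in line")
    body = m.group(1).strip()
    if body.startswith('"'):
        # Later JDKs quote each field: ("class" "target" "actions")
        fields = re.findall(r'"([^"]*)"', body)
        if len(fields) < 2:
            raise ValueError("incomplete permission data")
        cls, target = fields[0], fields[1]
        actions = fields[2] if len(fields) > 2 else ""
    else:
        # Unquoted form, as on this page; the target may contain spaces.
        cls, _, rest = body.partition(" ")
        target, actions = rest, ""
        if cls in WITH_ACTIONS and " " in rest:
            target, _, actions = rest.rpartition(" ")
    return cls, target, actions


def policy_entry(line):
    """Build one permission entry to review before adding it to a grant block."""
    cls, target, actions = parse_denied(line)
    if cls == "java.security.AllPermission":
        # Never auto-generate a blanket grant from an exception message.
        raise ValueError("refusing to generate an AllPermission entry")
    # Policy-file strings treat '\' as an escape, so Windows paths need '\\'.
    target = target.replace("\\", "\\\\")
    entry = f'permission {cls} "{target}"'
    if actions:
        entry += f', "{actions}"'
    return entry + ";"


# Constructed sample: the exception text shown on this page.
SAMPLE = (r"java.security.AccessControlException: access denied "
          r"(java.io.FilePermission C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar read)")

if __name__ == "__main__":
    print(policy_entry(SAMPLE))
```

The generated entry still belongs inside a grant block whose codeBase is limited to the code that needs it.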

 

What to do next

Restart all of the Java processes for the updated server.policy file to take effect.


 

See Also

Java 2 security policy files
Access control exception
Migrate security configurations from previous releases
Configure app.policy files
Configure client.policy files
Configure filter.policy files
Configure java.policy files
Use PolicyTool to edit policy files