Configure spi.policy files

 

Overview

Java 2 security uses several policy files to determine the permissions granted to each Java program. See Java 2 security policy files for the list of available policy files supported by WebSphere Application Server v6.x.

Because the default permission for Service Provider Interface (SPI) libraries is AllPermission, the only reason to update the spi.policy file is to restrict the SPI permissions. When a change to the spi.policy file is required, complete the following steps.

Syntax errors in the policy files cause the application server to fail. Edit these policy files carefully.

Important: Do not place the codebase keyword or any other keyword after the filterMask and runtimeFilterMask keywords. The Signed By and the Java Authentication and Authorization Service (JAAS) Principal keywords are not supported in the spi.policy file. The Signed By keyword is supported in the following policy files: java.policy, server.policy, and client.policy. The JAAS Principal keyword is supported in a JAAS policy file that is specified by the Java Virtual Machine (JVM) system property, java.security.auth.policy. We can statically set the authorization policy files in java.security.auth.policy with auth.policy.url.n=URL where URL is the location of the authorization policy.
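A pre-check-in lint for the restrictions above, as an added example (not IBM's or WebSphere's own tooling): it flags the signedBy and principal keywords, anything other than an opening brace after filterMask or runtimeFilterMask, and the brace and semicolon errors that count as syntax errors. The name lint_spi_policy and both sample policies are constructed for illustration, and the check assumes standard Java policy file syntax.

```python
import re

# Comments and quoted strings are matched first so that keywords, slashes or
# braces inside them (for example "file://..." in a URL) are ignored.
TOKEN = re.compile(r'(?P<comment>/\*.*?\*/|//[^\n]*)|(?P<string>"[^"\n]*")'
                   r'|(?P<punct>[{};,])|(?P<word>[^\s{};,"]+)', re.S)
UNSUPPORTED = {"signedby", "principal"}      # not supported in spi.policy
MASKS = {"filtermask", "runtimefiltermask"}  # may be followed only by '{'

def lint_spi_policy(text):
    """Return (line, message) findings; an empty list means none were found."""
    toks = [(m.group(), text.count("\n", 0, m.start()) + 1)
            for m in TOKEN.finditer(text) if m.lastgroup != "comment"]
    found, depth = [], 0
    for i, (val, line) in enumerate(toks):
        low = val.lower()  # policy keywords are matched case-insensitively
        nxt = toks[i + 1][0] if i + 1 < len(toks) else ""
        if low in UNSUPPORTED:
            found.append((line, f"{val} is not supported in spi.policy"))
        elif low in MASKS and nxt != "{":
            found.append((line, f"no keyword may follow {val}"))
        elif low == "permission":
            # The entry must reach ';' before the block ends or the next entry starts.
            end = next((v for v, _ in toks[i + 1:]
                        if v in (";", "}") or v.lower() == "permission"), "")
            if end != ";":
                found.append((line, "permission entry is missing ';'"))
        elif val == "{":
            depth += 1
        elif val == "}":
            depth -= 1
            if nxt != ";":
                found.append((line, "block must be closed with '};'"))
    if depth != 0:
        found.append((toks[-1][1] if toks else 1, "unbalanced braces"))
    return found

# Constructed sample inputs (not taken from any real installation).
DEFAULT = 'grant {\n  permission java.security.AllPermission;\n};\n'
BROKEN = ('// constructed example of a bad edit\n'
          'grant signedBy "vendor" {\n'
          '  permission java.io.FilePermission "/tmp/-", "read"\n'
          '}\n')

if __name__ == "__main__":
    for line, msg in lint_spi_policy(BROKEN):
        print(f"spi.policy:{line}: {msg}")
```

Run it against the extracted copy of the file after editing and before checking it in; it does not replace the Policy Tool.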

 

Procedure

  1. Extract the policy file.

    1. From the command prompt, enter:
       wsadmin> set obj [$AdminConfig extract profiles/profile/cells/cell/nodes/node/spi.policy c:/temp/test/spi.policy]

  2. Edit the extracted spi.policy with the Policy Tool.

  3. Check in the policy file.

    1. Enter the following from a command prompt:
       wsadmin> $AdminConfig checkin profiles/profile/cells/cell/nodes/node/spi.policy c:/temp/test/spi.policy $obj

 

Result

The updated spi.policy is applied to the SPI libraries after the Java process is restarted.

 

Example

The spi.policy file supplied by WAS resides at install_root/profiles/profile/config/cells/cell/nodes/node/spi.policy. It contains the following default permission:

grant {
permission java.security.AllPermission;
};

 

What to do next

Restart the related Java processes for the changes in the spi.policy file to become effective.


 
