Server-level security settings

Use this page to enable server level security and specify other server level security configurations.

To view this administrative console page, complete the following steps:

  1. Click Servers > Application Servers > servername.

  2. Under Security, click Server security.

  3. Under Additional properties, click Server-level security.

Enforce fine-grained JCA security

Enable this option to restrict application access to sensitive Java Connector Architecture (JCA) mapping authentication data.

Default Disabled


Configuration tab

Enable global security

Use this flag to disable or enable security again for this application server while global security is enabled. Server security is enabled by default when global security is enabled. You cannot enable security on an application server while global security is disabled. Administrative (administrative console and wsadmin) and naming security remain enabled while global security is enabled, regardless of the status of this flag.

Default Disable

Enforce Java 2 security

Specifies that the server enforces Java 2 Security permission checking at the server level. When cleared, the Java 2 server-level security manager is not installed and all of the Java 2 Security permission checking is disabled at the server level.

If your application policy file is not set up correctly, see the documentation on configuring an application policy in a was.policy file.

Default Disabled

Use domain qualified user IDs

Specifies whether user IDs returned by getUserPrincipal()-like calls are qualified with the server level security domain within which they reside.

Default Disabled

Cache timeout

Specifies the timeout value for server level security cache in seconds.

Data type Integer
Units Seconds
Default 600
Range Greater than 30 seconds. Avoid setting cache timeout value to 30 seconds or less.

Issue permission warning

Specifies whether a warning is issued during application installation when an application requires a Java 2 permission that is normally not granted to an application.

WebSphere Application Server provides support for policy file management. A number of policy files are included in WebSphere Application Server. Some of these policy files are static and some of them are dynamic. Dynamic policy is a template of permissions for a particular type of resource. In dynamic policy files, the code bases are evaluated at run time using configuration data. You can add or remove permissions, as needed, for each code base. However, do not add, remove, or modify the existing code bases. The real code base is dynamically created from the configuration and run-time data. The filter.policy file contains a list of permissions that an application does not have, according to the J2EE 1.3 Specification. For more information on permissions, see the documentation on the Java 2 security policy files.

Default Enabled

Active protocol

Specifies the active server level security authentication protocol when server level security is enabled.

Use an Object Management Group (OMG) protocol called Common Secure Interoperability V2 (CSIv2) for more vendor interoperability and additional features. If all of the servers in your entire security domain are Version 5.0 servers, it is best to specify CSI as your protocol.

If some servers are V3.x or V4.x servers, it is best to specify CSI and SAS. However, by specifying CSI and SAS, you now have two interceptors invoking each request.

Data type String
Default CSI and SAS
Range CSI, CSI and SAS




WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.