app.policy file permissions
Java 2 security uses several policy files to determine the granted permissions for each Java program. The union of the permissions that are contained in these following files is applied to the WAS enterprise application. This union determines the granted permissions.
For the list of available policy files that are supported by WAS, see the Java 2 security policy files article The app.policy file is a default policy file that is shared by all of the WAS enterprise apps. The union of the permissions that are contained in the following files is applied to the WAS enterprise application:
- Any policy file specified in the policy.url.* properties in the java.security file.
- The app.policy files, which are managed by configuration and file replication services.
- The server.policy file.
- The java.policy file.
- The application was.policy file.
- The permission spec of the ra.xml file.
- The shared library, which is the library.policy file.
Changes made in these files are replicated to other nodes in the ND cell. In WAS, applications that manipulate threads must have the appropriate thread permissions specified in the was.policy or app.policy file. Without the thread permissions specified, the application cannot manipulate threads and WAS creates a java.security.AccessControlException exception. If an administrator adds thread permissions to app.policy, the permission change requires a restart of the WebSphere Application Server. An administrator must add the following code to a was.policy or app.policy file for an application to manipulate threads:
grant codeBase "file:${application}" { permission java.lang.RuntimePermission "stopThread"; permission java.lang.RuntimePermission "modifyThread"; permission java.lang.RuntimePermission "modifyThreadGroup"; };The Signed By and the JAAS principal keywords are not supported in app.policy. However, the Signed By keyword is supported in the following files: java.policy, server.policy, and the client.policy files. The JAAS principal keyword is supported in a JAAS policy file when it is specified by the java.security.auth.policy JVM system property. We can statically set the authorization policy files in the java.security.auth.policy property with auth.policy.url.n=URL where URL is the location of the authorization policy. If the default permissions for enterprise apps (the union of the permissions that is defined in the java.policy file, the server.policy file and app.policy) are enough; no action is required. The default app.policy file is used automatically. If a specific change is required to all of the enterprise apps in the cell, update app.policy. Syntax errors in the policy files cause start failures in the appservers. Edit these policy files carefully.
Updates to app.policy only apply to the enterprise apps on the node to which app.policy belongs.
To extract the policy file, use a command prompt to enter the following command on one line using the appropriate variable values for the environment:
(Windows)
wsadmin> set obj [$AdminConfig extract cells/mycell/node/mynode/app.policy c:\temp\test\app.policy]
Edit the extracted app.policy file with the Policy Tool.
See Use PolicyTool to edit policy files for Java 2 security. Changes to app.policy are local for the node.
To check in the policy file, use a command prompt to enter the following command on one line using the appropriate variable values for the environment:
(Windows)
wsadmin> $AdminConfig checkin cells/mycell/nodes/mynode/app.policy c:\temp\test\app.policy $obj
Several product-reserved symbols are defined to associate the permission lists to a specific type of resource.
Symbol Meaning file:${application} Permissions apply to all resources within the application file:${jars} Permissions apply to all utility JAR files within the application file:${ejbComponent} Permissions apply to enterprise bean resources within the application file:${webComponent} Permissions apply to Web resources within the application file:${connectorComponent} Permissions apply to connector resources both within the application and within standalone connector resources.
Five embedded symbols are provided to specify the path and name for the java.io.FilePermission permission. These symbols enable flexible permission specifications. The absolute file path is fixed after the installation of the application.
Symbol Meaning ${app.installed.path} Path where the application is installed ${was.module.path} Path where the module is installed ${current.cell.name} Current cell name ${current.node.name} Current node name ${current.server.name} Current server name
Tip: We cannot use the ${was.module.path} in the ${application} entry.
In the following code sample, the first two lines that are related to java.io.FilePermission permission are split into two lines for illustrative purposes only.
grant codeBase "file:${application}" { //If all of the WAS enterprise apps in a cell require permissions that are not defined as defaults in the java.policy file, the server.policy file and app.policy, then update the app.policy file. The symptom of a missing permission is the java.security.AccessControlException exception.The following are required by Java Mail permission java.io.FilePermission "${was.install.root}${/}lib${/}activation-impl.jar", "read"; permission java.io.FilePermission "${was.install.root}${/}lib${/}mail-impl.jar", "read"; }; grant codeBase "file:${jars}" { permission java.net.SocketPermission "*", "connect"; permission java.util.PropertyPermission "*", "read"; }; grant codeBase "file:${connectorComponent}" { permission java.net.SocketPermission "*", "connect"; permission java.util.PropertyPermission "*", "read"; }; grant codeBase "file:${webComponent}" { permission java.io.FilePermission "${was.module.path}${/}-", "read, write"; permission java.lang.RuntimePermission "loadLibrary.*"; permission java.lang.RuntimePermission "queuePrintJob"; permission java.net.SocketPermission "*", "connect"; permission java.util.PropertyPermission "*", "read"; }; grant codeBase "file:${ejbComponent}" { permission java.lang.RuntimePermission "queuePrintJob"; permission java.net.SocketPermission "*", "connect"; permission java.util.PropertyPermission "*", "read"; };
Updates to app.policy only apply to the enterprise apps on the node to which app.policy belongs.
(Windows) The missing permission is listed in the exception data, for example,
java.security.AccessControlException: access denied (java.io.FilePermission C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar read).When a Java program receives this exception and adding this permission is justified, add a permission to the server.policy file...
(Windows)
grant codeBase "file:user_client_installed_location" { permission java.io.FilePermission "C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar", "read"; };The previous permission information lines are split for the illustration. You actually enter the permission on one line.
To decide whether to add a permission, refer to the AccessControlException topic.
Restart all WAS enterprise applications to verify the updated app.policy file takes effect.
Related tasks
Migrating, coexisting, and interoperating – Security considerations
Use PolicyTool to edit policy files for Java 2 security
Set Java 2 security policy files
Related
server.policy file permissions
client.policy file permissions
filter.policy file permissions
java.policy file permissions