Configure app.policy files

Java 2 security uses several policy files to determine the granted permissions for each Java program. See the Dynamic policy article for the list of available policy files that are supported by WebSphere Application Server. The app.policy file is a default policy file that is shared by all of the WebSphere Application Server enterprise applications. The union of the permissions that are contained in the following files is applied to the WebSphere Application Server enterprise application:

Any policy file that is specified in the policy.url.* properties in the java.security file.
The app.policy files, which are managed by configuration and file replication services.
The server.policy file.
The java.policy file.
The application was.policy file.
The permission specification of the ra.xml file.
The shared library, which is the library.policy file.

Changes made in these files are replicated to other nodes in the Network Deployment cell.

In WebSphere Application Server, applications that manipulate threads must have the appropriate thread permissions specified in the was.policy or app.policy file. Without the thread permissions specified, the application cannot manipulate threads and WebSphere Application Server creates a java.security.AccessControlException exception. If an administrator adds thread permissions to the app.policy file, the permission change requires a restart of the WebSphere Application Server. An administrator must add the following code to a was.policy or app.policy file for an application to manipulate threads:

grant codeBase "file:${application}" {
permission java.lang.RuntimePermission "stopThread";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "modifyThreadGroup";
};

Important: The Signed By and the Java Authentication and Authorization Service (JAAS) principal keywords are not supported in the app.policy file. However, the Signed By keyword is supported in the following files: java.policy, server.policy, and the client.policy files. The JAAS principal keyword is supported in a JAAS policy file when it is specified by the java.security.auth.policy Java virtual machine (JVM) system property. You can statically set the authorization policy files in the java.security.auth.policy property with auth.policy.url.n=URL where URL is the location of the authorization policy.

If the default permissions for enterprise applications (the union of the permissions that is defined in the java.policy file, the server.policy file and the app.policy file) are enough; no action is required. The default app.policy file is used automatically. If a specific change is required to all of the enterprise
applications in the cell, update the app.policy file. Syntax errors in the policy files cause start failures in the application servers. Edit these policy files carefully.

Result

The default Java 2 security policies are changed for the enterprise application.

Example

Symbol Meaning
file:${application} Permissions apply to all resources within the application
file:${jars} Permissions apply to all utility Java archive (JAR) files within the application
file:${ejbComponent} Permissions apply to enterprise bean resources within the application
file:${webComponent} Permissions apply to Web resources within the application
file:${connectorComponent} Permissions apply to connector resources both within the application and within stand-alone connector resources.

Symbol	Meaning
file:${application}	Permissions apply to all resources within the application
file:${jars}	Permissions apply to all utility Java archive (JAR) files within the application
file:${ejbComponent}	Permissions apply to enterprise bean resources within the application
file:${webComponent}	Permissions apply to Web resources within the application
file:${connectorComponent}	Permissions apply to connector resources both within the application and within stand-alone connector resources.

Five embedded symbols are provided to specify the path and name for the java.io.FilePermission permission. These symbols enable flexible permission specifications. The absolute file path is fixed after the installation of the application.

Symbol Meaning
${app.installed.path} Path where the application is installed
${was.module.path} Path where the module is installed
${current.cell.name} Current cell name
${current.node.name} Current node name
${current.server.name} Current server name

Symbol	Meaning
${app.installed.path}	Path where the application is installed
${was.module.path}	Path where the module is installed
${current.cell.name}	Current cell name
${current.node.name}	Current node name
${current.server.name}	Current server name

Tip: You cannot use the ${was.module.path} in the ${application} entry.

The app.policy file that is supplied by WebSphere Application Server resides at app_server_root/profiles/profile_nameconfig/cells/cell_name/nodes/node/app.policy, which contains the following default permissions:

Attention: In the following code sample, the first two lines that are related to java.io.FilePermission permission are split into two lines for illustrative purposes only.

grant codeBase "file:${application}" {
// The following are required by Java mail
permission java.io.FilePermission "${was.install.root}${/}java${/}
jre${/}lib${/}ext${/}mail.jar", "read";
permission java.io.FilePermission "${was.install.root}${/}java${/}
jre${/}lib${/}ext${/}activation.jar", "read";
};

grant codeBase "file:${jars}" {
permission java.net.SocketPermission "*", "connect";
permission java.util.PropertyPermission "*", "read";
};

grant codeBase "file:${connectorComponent}" {
permission java.net.SocketPermission "*", "connect";
permission java.util.PropertyPermission "*", "read";
};
grant codeBase "file:${webComponent}" {
permission java.io.FilePermission "${was.module.path}${/}-", "read, write";
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.util.PropertyPermission "*", "read";
};

grant codeBase "file:${ejbComponent}" {
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.util.PropertyPermission "*", "read";
};

If all of the WebSphere Application Server enterprise
applications in a cell require permissions that are not defined as defaults in the java.policy file, the server.policy file and the app.policy file, then update the app.policy file. The symptom of a missing permission is the java.security.AccessControlException exception. The missing permission is listed in the exception data, for example, java.security.AccessControlException: access denied (java.io.FilePermission /QIBM/ProdData/WebSphere/AppServer/V6/Base/lib/mail-impl.jar read in i5/OS).

When a Java program receives this exception and adding this permission is justified, add a permission to the server.policy file, for example:

grant codeBase "file:<user client installed location>" {
permission java.io.FilePermission
"/QIBM/ProdData/WebSphere/AppServer/V6/Base/lib/mail-impl.jar", "read"; };

To decide whether to add a permission, refer to the
AccessControlException topic.

What to do next

Restart all WebSphere Application Server enterprise applications to ensure that the updated app.policy file takes effect.

Related concepts

Java 2 security policy files

Access control exception

Searchable topic ID: tsec_apppolicy