Configure client.policy files

Java 2 security uses several policy files to determine the permissions granted to each Java program. See Java 2 security policy files for the list of policy files supported by WebSphere Application Server. The client.policy file is a default policy file shared by all of the WebSphere Application Server client containers and applets on a node. The union of the permissions contained in the java.policy file and the client.policy file is given to all of the WebSphere client containers and applets running on the node. The client.policy file is not a configuration file managed by the repository and the file replication service: changes to this file are local to the node and do not replicate to other machines. The client.policy file supplied by WebSphere Application Server is located at profile_root/properties/client.policy. It contains these default permissions:

grant codeBase "file:${java.home}/lib/ext/*" {
permission java.security.AllPermission;
};
// IBM Developer Kit, Java Technology Edition classes
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/../lib/tools.jar" {
permission java.security.AllPermission;
};
// WebSphere system classes
grant codeBase "file:${was.install.root}/lib/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/classes/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/installedConnectors/-" {
permission java.security.AllPermission;
};
// J2EE 1.3 permissions for client container WAS applications
// in $WAS_HOME/installedApps
grant codeBase "file:${was.install.root}/installedApps/-" {
//Application client permissions
permission java.awt.AWTPermission "accessClipboard";
permission java.awt.AWTPermission "accessEventQueue";
permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
permission java.lang.RuntimePermission "exitVM";
permission java.lang.RuntimePermission "loadLibrary";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.net.SocketPermission "localhost:1024-", "accept,listen";
permission java.io.FilePermission "*", "read,write";
permission java.util.PropertyPermission "*", "read";
};
// J2EE 1.3 permissions for client container - expanded ear file code base
grant codeBase "file:${com.ibm.websphere.client.applicationclient.archivedir}/-"
{
permission java.awt.AWTPermission "accessClipboard";
permission java.awt.AWTPermission "accessEventQueue";
permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
permission java.lang.RuntimePermission "exitVM";
permission java.lang.RuntimePermission "loadLibrary";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.net.SocketPermission "localhost:1024-", "accept,listen";
permission java.io.FilePermission "*", "read,write";
permission java.util.PropertyPermission "*", "read";
};
// For MQ Series
grant codeBase "file:${mq.install.root}/java/*" {
permission java.security.AllPermission;
};

  1. If the default permissions for a client (the union of the permissions defined in the java.policy file and the client.policy file) are sufficient, no action is required. The default client policy is picked up automatically.

  2. If a specific change is required for some of the client containers and applets on a node, modify the client.policy file with the policy tool. Refer to Using PolicyTool to edit policy files. Changes to the client.policy file are local to the node.

Result

All of the client containers and applets on the local node are granted the updated permissions at the time of execution.

Example

If the permissions granted by the java.policy and client.policy files are not sufficient for a client program, it receives an exception like the following (shown here on a single line):

java.security.AccessControlException: access denied (java.io.FilePermission /QIBM/ProdData/WebSphere/AppServer/V6/Base/lib/mail-impl.jar read)

When a client program receives this exception and adding the permission is justified, add a grant entry to the client.policy file, for example:

grant codeBase "file:user_client_installed_location" {
permission java.io.FilePermission "/QIBM/ProdData/WebSphere/AppServer/V6/Base/lib/mail-impl.jar", "read";
};

To decide whether to add a permission, refer to Access control exception.
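The policy check behind this example, as an added illustration that is not part of the original page: it writes constructed client.policy text to a temporary file, loads it through the standard JavaPolicy provider, and asks whether a client application jar is granted the FilePermission named in the exception, first with the default installedApps grant and then with the explicit grant added. The install path /opt/was/installedApps and the jar name are placeholders, and a JDK 11 or later on which the legacy java.security.Policy API is still functional (it is deprecated from JDK 17) is assumed.

```java
import java.io.FilePermission;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.*;
import java.security.cert.Certificate;

/** Loads constructed client.policy text and checks what a client-container code base is granted. */
public class ClientPolicyCheck {
    // Placeholder for a jar under ${was.install.root}/installedApps (the real path varies per install).
    static final String APP_JAR = "file:/opt/was/installedApps/demo/client.jar";
    static final String MAIL_JAR = "/QIBM/ProdData/WebSphere/AppServer/V6/Base/lib/mail-impl.jar";

    // Constructed: the installedApps grant from client.policy, reduced to the entries checked below.
    static final String DEFAULT_GRANT = String.join("\n",
        "grant codeBase \"file:/opt/was/installedApps/-\" {",
        "  permission java.lang.RuntimePermission \"exitVM\";",
        "  permission java.io.FilePermission \"*\", \"read,write\";",
        "};", "");
    // Constructed: the explicit grant the page recommends after the access denied exception.
    static final String MAIL_GRANT = String.join("\n",
        "grant codeBase \"file:/opt/was/installedApps/-\" {",
        "  permission java.io.FilePermission \"" + MAIL_JAR + "\", \"read\";",
        "};", "");

    /** True if code loaded from APP_JAR is granted p under policyText alone; the java.policy
     *  half of the union is deliberately not loaded, so only these client.policy entries decide. */
    static boolean granted(String policyText, Permission p) throws Exception {
        Path tmp = Files.createTempFile("client", ".policy");
        tmp.toFile().deleteOnExit();
        Files.writeString(tmp, policyText);
        // Same "JavaPolicy" provider that reads client.policy at runtime (java.security.Policy
        // is deprecated in current JDKs but still available).
        Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(tmp.toUri()));
        CodeSource cs = new CodeSource(new URL(APP_JAR), (Certificate[]) null);
        return policy.implies(new ProtectionDomain(cs, null), p);
    }

    public static void main(String[] args) throws Exception {
        Permission readMailJar = new FilePermission(MAIL_JAR, "read");
        // Listed in the default grant, so implied.
        System.out.println("exitVM, default grant:        " + granted(DEFAULT_GRANT, new RuntimePermission("exitVM")));
        // FilePermission "*" covers only files in the current directory, not an absolute path
        // elsewhere: this is the request behind the page's access denied example.
        System.out.println("mail-impl.jar, default grant: " + granted(DEFAULT_GRANT, readMailJar));
        // Grant entries for the same code base are unioned, so the added entry satisfies it.
        System.out.println("mail-impl.jar, added grant:   " + granted(DEFAULT_GRANT + MAIL_GRANT, readMailJar));
    }
}
```

Compile and run with javac and java; the second check is denied under the default grant and passes once the explicit FilePermission entry is appended.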


What to do next

Close and restart the browser. You must also restart the client application, if you have one.


Related concepts
Java 2 security policy files
Access control exception

Related tasks
Migrating security configurations from previous releases
Configuring app.policy files
Configuring server.policy files
Configuring filter.policy files
Configuring java.policy files
