Add the was.policy file to applications

When Java 2 security is enabled for a WebSphere Application Server, all the applications that run on that WebSphere Application Server undergo a security check before accessing any system resource. An application might need a was.policy file if it accesses resources that require more permissions than have been granted in the default app.policy file. By default, the product security reads an app.policy file that is located in each node and grants the permissions in the app.policy file to all the applications. Any additional required permissions should be added in the was.policy file. The was.policy file is only required if an application requires additional permissions.

The default policy file for all applications is specified in the app.policy file. This file is provided by the product security and is common to all applications and should not be changed. Add any new permission required for each application in the was.policy file.

The app.policy file is located in these directories:

where instance is the name of your instance, cell is the cell name, and node is the name of the node. For example, /QIBM/UserData/WebAS5/ND/default/config/cells/defaultNetwork/nodes/defaultManager. For a listing of the contents of the app.policy file, see The app.policy file.

If additional permissions are required for an application or one or more modules of an application, use the was.policy file for that application. For example, specify codeBase of ${application} and add required permissions to grant additional permissions to the entire application. Similarly, use codeBase of ${webComponent} and ${ejbComponent} to grant additional permissions to all the Web modules and all the EJB modules in the application. You can assign additional permissions to each module (WAR or JAR file) as shown in the following example.

Here is an example of a was.policy file that adds extra permissions for an application:

  // grant additional permissions to a Web module
  grant codeBase "file:aWebModule.war" {
    permission java.security.SecurityPermission "printIdentity";
  };

  // grant additional permissions to an EJB module
  grant codeBase "file:aEJBModule.jar" {
    permission java.io.FilePermission
        "${user.install.root}${/}bin${/}DefaultDB${/}-", "read,write,delete";
    // where ${user.install.root} is the system property whose
    // value is the install root directory, and ${/} is the
    // platform file separator.
  };

To create a was.policy file for your application, perform these steps:

  1. Create a was.policy file using the Java policy tool. The tool is located in the bin subdirectory of your workstation's Java development kit or runtime environment installation. If you have installed the WebSphere workstation-based application development tools on a Windows workstation, the default location of the policy tool is C:\WebSphere\AppServer\java\jre\bin\policytool.exe

  2. Add the required permissions in the was.policy file using the policy tool.

  3. Place the was.policy file in the application EAR file. The was.policy file should be located under the META-INF directory of the application EAR file. Use the jar command to update the application EAR file with the was.policy file.

  4. Verify that the was.policy file is inserted, and start the Application Assembly Tool (AAT).

  5. Open the application EAR file.

  6. Click File --> Verify. The verification process ensures that the was.policy file in the application is syntactically correct.

An application EAR file is now ready to run when Java 2 security is enabled.
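The following program is an added example, not IBM's code and not part of the original page: it performs steps 3 and 4 above programmatically with java.util.zip, copying an EAR file while inserting (or replacing) META-INF/was.policy and then reading the entry back to confirm it is present. The file names MyApp.ear, was.policy and the .new output suffix are hypothetical placeholders.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class AddWasPolicy {
    // The EAR entry WebSphere reads the application policy from.
    static final String POLICY_ENTRY = "META-INF/was.policy";

    /** Step 3: copy every entry of 'ear' to 'out', dropping any old was.policy and appending the new one. */
    static void addPolicy(Path ear, Path policyFile, Path out) throws IOException {
        byte[] policy = Files.readAllBytes(policyFile);
        try (ZipInputStream in = new ZipInputStream(Files.newInputStream(ear));
             ZipOutputStream zout = new ZipOutputStream(Files.newOutputStream(out))) {
            byte[] buf = new byte[8192];
            ZipEntry e;
            while ((e = in.getNextEntry()) != null) {
                if (POLICY_ENTRY.equals(e.getName())) {
                    continue;                      // replace, rather than duplicate, an existing policy
                }
                zout.putNextEntry(new ZipEntry(e.getName()));
                if (!e.isDirectory()) {
                    int n;
                    while ((n = in.read(buf)) > 0) {
                        zout.write(buf, 0, n);
                    }
                }
                zout.closeEntry();
            }
            zout.putNextEntry(new ZipEntry(POLICY_ENTRY));
            zout.write(policy);
            zout.closeEntry();
        }
    }

    /** Step 4: return the policy text if the entry is present, or null if it is missing. */
    static String readPolicy(Path ear) throws IOException {
        try (ZipFile zf = new ZipFile(ear.toFile())) {
            ZipEntry e = zf.getEntry(POLICY_ENTRY);
            if (e == null) {
                return null;
            }
            try (InputStream in = zf.getInputStream(e)) {
                ByteArrayOutputStream bos = new ByteArrayOutputStream();
                byte[] buf = new byte[8192];
                int n;
                while ((n = in.read(buf)) > 0) {
                    bos.write(buf, 0, n);
                }
                return new String(bos.toByteArray(), StandardCharsets.UTF_8);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical file names; pass your own EAR and policy file as arguments.
        Path ear = Paths.get(args.length > 0 ? args[0] : "MyApp.ear");
        Path policy = Paths.get(args.length > 1 ? args[1] : "was.policy");
        Path updated = Paths.get(ear.toString() + ".new");

        addPolicy(ear, policy, updated);
        String text = readPolicy(updated);
        if (text == null) {
            System.err.println(POLICY_ENTRY + " is missing from " + updated);
            System.exit(1);
        }
        System.out.println("Inserted " + POLICY_ENTRY + " (" + text.length() + " chars) into " + updated);
    }
}
```

Run it as `java AddWasPolicy MyApp.ear was.policy` and then rename MyApp.ear.new over the original once you are satisfied. The equivalent with the jar command, run from a directory that contains META-INF/was.policy, is `jar uf MyApp.ear META-INF/was.policy`. Neither this program nor jar checks the policy syntax; that is what the AAT Verify step is for, so keep step 6.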

Troubleshooting

Adding the was.policy file to your assembled application is required for applications to run properly when Java 2 security is enabled. If the was.policy file is not created, or it does not contain the required permissions, the application might not be able to access system resources.

The symptom of a missing permission is that the application program receives a java.security.AccessControlException. The missing permission is listed in the exception data, for example:

  java.security.AccessControlException: access denied
  (java.io.FilePermission /QIBM/ProdData/WebAS5/Base/java/ext/mail.jar read)

When an application program receives this exception and adding this permission is justified, add a permission to the was.policy file, for example:

  grant codeBase "file:${application}" {
    permission java.io.FilePermission 
      "/QIBM/ProdData/WebAS5/Base/java/ext/mail.jar", "read";
  };
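The following Java program is an added example, not IBM's code and not part of the original page. It shows where the exception data above comes from and how to turn it into the grant entry: under a security manager, opening a file the policy does not cover throws AccessControlException, and the exception's getPermission() carries the exact permission class, name and actions that the was.policy entry must name. The path /tmp/mail.jar and the class name MissingPermissionDemo are hypothetical.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.AccessControlException;
import java.security.Permission;

public class MissingPermissionDemo {

    /** Build the was.policy grant entry that would satisfy the denied permission, for the given codeBase. */
    static String grantEntryFor(Permission denied, String codeBase) {
        StringBuilder sb = new StringBuilder();
        sb.append("grant codeBase \"").append(codeBase).append("\" {\n");
        sb.append("  permission ").append(denied.getClass().getName());
        sb.append(" \"").append(denied.getName()).append('"');
        // BasicPermission subclasses (e.g. SecurityPermission) have no actions; FilePermission does.
        if (denied.getActions() != null && denied.getActions().length() > 0) {
            sb.append(", \"").append(denied.getActions()).append('"');
        }
        sb.append(";\n};\n");
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical path; the page's own example denies read on .../java/ext/mail.jar.
        String path = args.length > 0 ? args[0] : "/tmp/mail.jar";
        try (FileInputStream in = new FileInputStream(path)) {
            // The security manager's checkRead runs before the file is opened,
            // so reaching this line means the policy already grants the read.
            System.out.println("read permitted: " + path);
        } catch (AccessControlException e) {
            Permission denied = e.getPermission();
            System.err.println("denied: " + denied);
            // Suggested entry, scoped to the whole application as in the page's example.
            System.out.print(grantEntryFor(denied, "file:${application}"));
        }
    }
}
```

Run it on a JDK that still supports a security manager, for example `java -Djava.security.manager MissingPermissionDemo /tmp/mail.jar`; with no policy granting the read, the program prints the denied permission and the matching grant block with the same name and "read" action shown in the exception data. Grant only that name and action set; widening the entry to a broader path wildcard or to java.security.AllPermission removes the protection Java 2 security provides. On Windows, backslashes in a policy file string must be written as `\\`, or use the `${/}` separator as the page's example does.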