Configure Java 2 security

Java 2 Security is a new feature in WebSphere Application Server Version 5. It is a new programming model that is very pervasive and has a huge impact on application development. For more information, see Java 2 Security.

Java 2 Security is disabled by default, but is enabled automatically when global security is enabled. However, it is independent of J2EE role-based security, you can disable or enable it separately of global security. Java 2 Security provides an extra level of access control protection in addition to J2EE role-based authorization. It particularly addresses the protection of system resources and APIs. The Java development kit has used Java 2 Security to protect sensitive APIs (such the API to exit the Java virtual machine) and APIs that utilize resources (for example, opening files for reading and writing) since the release of Java 2.

Note: Java 2 Security only restricts Java programs that run in a Java virtual machine that has Java 2 Security enabled. It does not protect system resources if Java 2 Security is disabled, or if system resources are accessed from other programs or commands. Therefore, if you want to protect your iSeries system resources, you need to use iSeries security.

Here are some guidelines for when to use Java 2 Security:

The following is a list of recommendations to ease the effort of enabling Java 2 Security in a test or production environment:

The default permission set for applications is the recommended permission set that is defined in the J2EE 1.3 Specification. The default is declared in the app.policy policy file in addition to permissions that are defined in the Java development kit java.policy file that grant permissions to everyone. However, applications are denied permissions that are declared in the filter.policy file. Permissions that are declared in the filter.policy file are filtered out for applications during the permission check.

Define the required permissions for an application in a was.policy file and embed the was.policy file in the application EAR file in the META-INF subdirectory.

For more information about policy files, see Configure Java 2 policy files.

To enable Java 2 Security, perform these steps in the administrative console:

Java 2 Security is enabled and enforced for the servers. Java 2 Security permission is checked when a Java 2 Security protected API is called.

Tracing Java 2 Security

The WebSphere Java 2 Security Manager is enhanced to dump the Java 2 Security permissions granted to all classes on the call stack when an application is denied access to a resource (the java.security.AccessControlException exception is thrown). However, this tracing capability is disabled by default. You can enable it by specifying the server trace service with the com.ibm.ws.security.core.SecurityManager=all=enabled trace specification. When the exception is thrown, the trace dump provides hints to determine whether the application is missing permissions or the product runtime code or that third-party libraries used are not properly marked as privileged when accessing Java 2 protected resources.