Configure the app.policy file

Java 2 Security uses several policy files to determine the permissions granted to each Java program. The app.policy file is a default policy file that is shared by all of the WebSphere Application Server enterprise applications. The union of the permissions contained in the app.policy file, the server.policy file, the application's was.policy file, and the ra.xml file is applied to the enterprise application. The app.policy files are managed by the WebSphere configuration and file replication services, so changes made to these files are replicated to the other nodes in a Network Deployment cell.

If the default permissions for enterprise applications are sufficient, no action is required. If a change is required for all of the enterprise applications in the cell, update the app.policy file. Permissions that only one application needs belong in that application's was.policy file; anything added to app.policy is granted to every enterprise application on the node. Note that a syntax error in a policy file can cause the application server to fail to start, so take extreme care when editing these files.

Use policytool to modify the app.policy file. For more information, see Create and edit policy files with the policy tool. The changes are local to the node.

The app.policy file that is supplied by WebSphere Application Server resides at /QIBM/UserData/WebAS5/product/instance/config/cells/cell/nodes/node/app.policy, where product is either Base or ND, instance is the name of your instance, cell is the name of your cell, and node is the name of your node.

The app.policy file contains these default permissions:

grant codeBase "file:${application}" {
  // The following are required by Java mail
  permission java.io.FilePermission
   "${was.install.root}${/}java${/}extlib${/}mail.jar", "read";
  permission java.io.FilePermission
   "${was.install.root}${/}java${/}extlib${/}activation.jar", "read";
};

grant codeBase "file:${jars}" {
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};

grant codeBase "file:${connectorComponent}" {
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};

grant codeBase "file:${webComponent}" {
  permission java.io.FilePermission "${was.module.path}${/}-", "read, write";
  permission java.lang.RuntimePermission "loadLibrary.*";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};

grant codeBase "file:${ejbComponent}" {
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};

If all of the WebSphere Application Server enterprise applications within a cell require permissions that the app.policy file does not grant by default, update the app.policy file, and possibly the server.policy file as well. Note that several of these defaults are already broad: java.net.SocketPermission "*", "connect" lets every component open outbound connections to any host and port, and ${webComponent} gets recursive read and write access under ${was.module.path}. Review any addition with the same scope in mind, because it applies to every application on the node, not just the one that asked for it.

If you change the app.policy file, restart all enterprise applications to ensure that the updated app.policy file takes effect.
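As an added example (not IBM tooling and not part of the original page), the following Python script parses a file in the app.policy format shown above, reports the structural slips (an unclosed grant block, a missing semicolon after a block, text outside any block, a malformed permission entry) that would stop the server from starting, and flags the grants a reviewer should look at twice before they are handed to every application on the node. The sample input is the page's own ${application} and ${webComponent} blocks (mail.jar entry only); the broken input, the severity labels, and the audit rules are constructed for this example. It handles only the codeBase grant form used in app.policy, not signedBy or principal clauses, and it is a pre-flight check, not a replacement for policytool.

```python
# Added example, not IBM tooling: parse the codeBase grant blocks of an app.policy,
# reject the slips that stop the server from starting, and flag over-broad grants.
import re

# Sample input: two of the default grant blocks quoted above (mail.jar entry only).
SAMPLE_APP_POLICY = r'''grant codeBase "file:${application}" {
  // The following are required by Java mail
  permission java.io.FilePermission
   "${was.install.root}${/}java${/}extlib${/}mail.jar", "read";
};
grant codeBase "file:${webComponent}" {
  permission java.io.FilePermission "${was.module.path}${/}-", "read, write";
  permission java.lang.RuntimePermission "loadLibrary.*";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};
'''
# Constructed broken input: the block is never closed with "};".
BROKEN_APP_POLICY = 'grant codeBase "file:${jars}" {\n  permission java.net.SocketPermission "*", "connect";\n'

HEADER_RE = re.compile(r'\s*grant\s+codeBase\s+"([^"]*)"\s*')
PERM_RE = re.compile(r'permission\s+([\w.]+)\s+"((?:[^"\\]|\\.)*)"'
                     r'(?:\s*,\s*"((?:[^"\\]|\\.)*)")?\s*;')

def split_blocks(text):
    """Yield (header, body) per 'grant ... { ... };' block with comments removed. Scans
    char by char so braces inside strings (${/}) and '//' in a URL are not delimiters."""
    buf, depth, in_str, start, i = [], 0, False, 0, 0
    while i < len(text):
        c = text[i]
        if in_str and c == '\\':                  # keep the escaped char verbatim
            buf.extend(text[i:i + 2]); i += 2; continue
        if c == '"':
            in_str = not in_str
        elif not in_str and text.startswith('//', i):   # line comment: drop it
            i = text.find('\n', i); i = len(text) if i < 0 else i
            continue
        elif not in_str and c == '{':
            if depth == 0:
                start = len(buf)
            depth += 1
        elif not in_str and c == '}':
            depth -= 1
            if depth < 0:
                raise ValueError(f"unexpected '}}' at offset {i}")
            if depth == 0:                        # block closed: ';' must follow
                rest = text[i + 1:].lstrip()
                if not rest.startswith(';'):
                    raise ValueError(f"missing ';' after '}}' at offset {i}")
                yield ''.join(buf[:start]), ''.join(buf[start + 1:])
                buf, i = [], len(text) - len(rest) + 1
                continue
        buf.append(c); i += 1
    if in_str or depth:
        raise ValueError("unterminated string or grant block (missing '};')")
    if ''.join(buf).strip():
        raise ValueError("text outside any grant block: " + ''.join(buf).strip()[:40])

def parse_policy(text):
    """Return [(codeBase, [(class, target, actions), ...])]; ValueError if malformed."""
    grants = []
    for header, body in split_blocks(text):
        h = HEADER_RE.fullmatch(header)
        if not h:
            raise ValueError(f"unsupported grant header: {header.strip()!r}")
        perms = [(m[1], m[2], m[3] or '') for m in PERM_RE.finditer(body)]
        leftover = PERM_RE.sub('', body).strip()  # anything left is a syntax slip
        if leftover:
            raise ValueError(f"malformed entry under {h[1]}: {leftover[:40]!r}")
        grants.append((h[1], perms))
    return grants

def policy_errors(text):
    try:                                          # [] means the file parses
        parse_policy(text)
        return []
    except ValueError as e:
        return [str(e)]

def audit(grants):
    """Flag grants that widen the sandbox; app.policy hands them to every application."""
    findings = []
    for code_base, perms in grants:
        for cls, target, actions in perms:
            acts = {a.strip() for a in actions.split(',')}
            if cls == 'java.security.AllPermission':
                sev, why = 'CRITICAL', 'switches Java 2 Security off for this code'
            elif cls == 'java.net.SocketPermission' and target == '*':
                sev, why = 'HIGH', 'may connect to any host and port'
            elif cls == 'java.io.FilePermission' and 'write' in acts and target.endswith('-'):
                sev, why = 'HIGH', 'recursive write access to a directory tree'
            elif cls == 'java.lang.RuntimePermission' and target.startswith('loadLibrary.'):
                sev, why = 'MEDIUM', 'loads native code the sandbox cannot police'
            else:
                continue
            findings.append((sev, code_base, f'{cls} "{target}": {why}'))
    return findings
```

To check a node's own copy, call policy_errors(open(path).read()) on the app.policy path given above and refuse to deploy while the list is non-empty; audit(parse_policy(...)) then lists the grants worth a second look. On the sample, the ${application} block produces no findings and the ${webComponent} block produces three (the recursive write, loadLibrary.*, and the unrestricted SocketPermission), which matches the caveat about the defaults being broad.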