Configure Java 2 policy files

The J2EE 1.3 specification defines a programming model that divides responsibilities between the container providers and the application code. Certain operations are not allowed in the application code because they interfere with the behavior and operation of the containers. The product uses the Java 2 Security manager to enforce this division of responsibilities between the container and the application code.

WebSphere Application Server provides support for policy file management. The product has a number of policy files, which are either static or dynamic. Static policy files provide default permissions. Dynamic policy files are templates of permissions for a particular type of resource. Some dynamic policy files use relative file paths; the absolute path is resolved when the application is deployed. For more information, see Syntax of policy files.

Dynamic policy files

These files provide the permissions for an application:

Static policy files

These files provide default permissions. If permissions are required beyond the application level, you may need to update the static policy files. Note that the static policy file is not a configuration file that is managed by the WebSphere repository and file replication service. Changes to these files are local and are not replicated to other machines.

Here are some considerations when you edit Java 2 Security policy files:

Troubleshooting

If a WebSphere Application Server enterprise application within a cell requires permissions, some of the dynamic policy files may need to be updated. The symptom of a missing permission is a java.security.AccessControlException. For more information, see AccessControlException.

The missing permission is listed in the exception data, for example:

  java.security.AccessControlException: access denied
  (java.io.FilePermission /QIBM/ProdData/WebAS5/Base/java/ext/mail.jar read)

When a Java program receives this exception and adding the permission is justified, add the permission to the appropriate dynamic policy file, for example:

  grant codeBase "file:${application}" {
    permission java.io.FilePermission 
      "/QIBM/ProdData/WebAS5/Base/java/ext/mail.jar", "read";
  };
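
The troubleshooting step above can be applied to a whole log at once. The following Python script is an added example, not part of the original page or the product: it collects every distinct permission named in AccessControlException messages and formats them as a candidate grant entry to review before anything is added to a policy file. The function names and the sample log are constructed for illustration, and the parser assumes the `access denied (class target actions)` message layout shown above, with no `)` inside the target name.

```python
import re

# Matches the exception text shown above; the permission may wrap onto the next line.
DENIED = re.compile(r"AccessControlException:\s*access denied\s*\(([^)]*)\)")

def missing_permissions(log_text):
    """Return unique (class, target, actions) tuples in first-seen order."""
    seen = []
    for match in DENIED.finditer(log_text):
        # Newer JDKs quote each field; strip the quotes so both layouts parse.
        tokens = [t.strip('"') for t in match.group(1).split()]
        if len(tokens) < 2:
            continue  # not a recognisable permission
        # Assumption: with three or more tokens, the last one is the action list.
        actions = tokens[-1] if len(tokens) >= 3 else None
        target = " ".join(tokens[1:-1] if actions else tokens[1:])
        perm = (tokens[0], target, actions)
        if perm not in seen:
            seen.append(perm)
    return seen

def grant_stanza(perms, code_base="file:${application}"):
    """Format permissions as a grant block in the syntax used on this page."""
    lines = ['grant codeBase "%s" {' % code_base]
    for cls, target, actions in perms:
        entry = '  permission %s "%s"' % (cls, target)
        if actions:
            entry += ', "%s"' % actions
        lines.append(entry + ";")
    lines.append("};")
    return "\n".join(lines)

# Constructed sample log: the exception from this page (twice) plus one
# constructed entry for a permission that has no action list.
SAMPLE_LOG = """\
java.security.AccessControlException: access denied
(java.io.FilePermission /QIBM/ProdData/WebAS5/Base/java/ext/mail.jar read)
java.security.AccessControlException: access denied (java.lang.RuntimePermission exitVM)
java.security.AccessControlException: access denied
(java.io.FilePermission /QIBM/ProdData/WebAS5/Base/java/ext/mail.jar read)
"""

if __name__ == "__main__":
    print(grant_stanza(missing_permissions(SAMPLE_LOG)))
```

The output is a list of what the code asked for, not what it should be given: each entry still needs the justification check described above, and a request such as `exitVM` from application code is usually a reason to fix the application rather than the policy.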