Add the was.policy file to applications

When Java 2 security is enabled for a WAS, all the applications that run on that WAS undergo a security check before accessing system resources. An application might need a was.policy file if it accesses resources that require more permissions than those granted in the default app.policy file. By default, the product security reads an app.policy file that is located in each node and grants the permissions in the app.policy file to all the applications. Include any additional required permissions in the was.policy file. The was.policy file is only required if an application requires additional permissions.

The default policy file for all applications is specified in the app.policy file. This file is provided by the product security, is common to all applications, and should not be changed. Add any new permissions required for an application in the was.policy file.

The app.policy file is located in the $WAS_HOME/config/cells/cell/nodes/node directory. The contents of the app.policy file follow...

Note that In the following code sample, the two permissions that are required by JavaMail were split into two lines each due to the width of the printed page.

// The following permissions apply to all the components under the application.
grant codeBase "file:${application}" {
  // The following are required by JavaMail
  permission java.io.FilePermission "
       ${was.install.root}${/}java${/}jre${/}lib${/}ext${/}mail.jar", "read";
  permission java.io.FilePermission "
       ${was.install.root}${/}java${/}jre${/}lib${/}ext${/}activation.jar", "read";
};

  // The following permissions apply to all utility .jar files  (other 
  //  than enterprise beans JAR files) in the application.
grant codeBase "file:${jars}" {
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};

// The following permissions apply to connector resources within the application
grant codeBase "file:${connectorComponent}" {
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};

// The following permissions apply to all the Web modules (.war files) 
// within the application.
grant codeBase "file:${webComponent}" {
  permission java.io.FilePermission "${was.module.path}${/}-", "read, write";  
       //  where "was.module.path" is the path where the Web module is 
       //  installed. Refer to Dynamic policy concepts for other symbols.
  permission java.lang.RuntimePermission "loadLibrary.*";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};


// The following permissions apply to all the EJB modules within the application.
grant codeBase "file:${ejbComponent}" {
 permission java.lang.RuntimePermission "queuePrintJob";
 permission java.net.SocketPermission "*", "connect";
 permission java.util.PropertyPermission "*", "read";
};

If additional permissions are required for an application or for one or more modules of an application, use the was.policy file for that application. For example, use codeBase of ${application} and add required permissions to grant additional permissions to the entire application. Similarly, use codeBase of ${webComponent} and ${ejbComponent} to grant additional permissions to all the Web modules and all the enterprise bean (EJB) modules in the application. Assign additional permissions to each module (.war file or .jar file) as shown in the following example.

An example of adding extra permissions for an application in the was.policy file...

Note that In the following code sample, the permission for the EJB module was split into two lines due to the width of the printed page.

// grant additional permissions to a Web module
grant codeBase " file:aWebModule.war" {
 permission java.security.SecurityPermission "printIdentity";
};

// grant additional permission to an EJB module
grant codeBase "file:aEJBModule.jar"  {
    permission java.io.FilePermission "
       ${user.install.root}${/}bin${/}DefaultDB${/}-" ."read.write,delete";   
    // where, ${user.install.root} is the system property whose value is 
    // located in the $WAS_HOME directory.
 };

  1. Create a was.policy file using the policy tool located in the /java/jre/bin directory.

  2. Add the required permissions in the was.policy file using the policy tool.

  3. Place the was.policy file in the application enterprise archive (EAR) file under the META-INF directory. Update the application EAR file with the newly created was.policy file by using the jar command.

  4. Verify that the was.policy file is inserted, and start the .

    1. Verify that the was.policy file in the application is syntactically correct.

An application EAR file is now ready to run when Java 2 security is enabled.

 

Usage Scenario

This step is required for applications to run properly when Java 2 security is enabled. If the was.policy file is not created and it does not contain required permissions, the application might not access system resources.

The symptom of the missing permissions is the exception, java.security.AccessControlException. The missing permission is listed in the exception data, for example:

java.security.AccessControlException: access denied  java.io.FilePermission(
C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar read)

The previous two lines are one continuous line.

When an application program receives this exception and adding this permission is justified, include the permission in the was.policy file, for example,

grant codeBase "file:${application}" { permission java.io.FilePermission 
"C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar", "read"; };

The previous two lines are one continuous line.

Install the application.

 

See Also

Java 2 Connector security
Java 2 security policy files
Security: Resources for learning