Configure Java 2 security
Recommendations
- Verify that required permissions for the APIs used are declared was.policy.
- Verify that migrated applications from previous releases are given the required permissions. Since Java 2 security is not supported or partially supported in previous WAS releases, applications developed prior to Version 5 most likely are not using the Java 2 security programming model. There is no easy way to find out all the required permissions for the application. Following are activities you can perform to determine the extra permissions required by an application...
- Code review and code inspection
- Application documentation review
- Sandbox testing of migrated enterprise applications with Java 2 security enabled in a pre-production environment. Enable tracing in WebSphere Java 2 security manager to help determine the missing permissions in the application policy file. The trace specification is...
com.ibm.ws.security.core.SecurityManager=all=enabled- Use the com.ibm.websphere.java2secman.norethrow system property to aid debuggging. This property should not be used in a production environment. Refer to Java 2 security.
The default permission set for applications is the recommended permission set defined in the J2EE 1.3 Specification. The default is declared in...
config/cells/cellname/nodes/nodename/app.policy...policy file with permissions defined in the Development Kit...
${JAVA_HOME}/lib/security/java.policy...policy file that grant permissions to everyone. However, applications are denied permissions declared in...
config/cells/cell/filter.policyPermissions declared in the filter.policy file are filtered for applications during the permission check.
Define the required permissions for an application in a was.policy file and embed the was.policy file in the EAR file as...
appname.ear/META-INF/was.policy
Turn on Java 2 security
- Click through: "Security | Global Security"
- Enable Java 2 security by selecting the check box labeled Enforce Java 2 Security (clear the check box for disabling Java 2 Security).
- Click OK or Apply, and then Save
- Restart the server for the changes to take effect.
Java 2 security is enabled and enforced for the servers. Java 2 security permission is selected when a Java 2 security protected API is called.
When to use Java 2 security.
- To enable protection on system resources. For example, when opening or listening to a socket connection, reading or writing to operating system file systems, reading or writing Java Virtual Machine system properties, and so on.
- To prevent application code calling destructive APIs. For example, calling the System.exit() method brings down the appserver.
- To prevent application code from obtaining privileged information (passwords) or gaining extra privileges (obtaining server credentials).
The WebSphere Java 2 security manager can dump the Java 2 security permissions granted to all classes on the call stack when an application is denied access to a resource. To enable this feature, set the server trace service using...
com.ibm.ws.security.core.SecurityManager=all=enabledWhen the exception is thrown, the dump provides hints to determine whether the application is missing permissions or the product run time code or third party libraries used are not properly marked as privileged when accessing Java 2 protected resources.