Java 2 security policy files

Java 2 security policy files

The J2EE V1.3 and later specifications have a well-defined programming model of responsibilities between the container providers and the application code. Using Java 2 security manager to help enforce this programming model is recommended. Certain operations are not supported in the application code because such operations interfere with the behavior and operation of the containers. The Java 2 security manager is used in the product to enforce responsibilities of the container and the application code.
This product provides support for policy file management. A number of policy files in the product are either static or dynamic. Dynamic policy is a template of permissions for a particular type of resource. No relative code base is defined in the dynamic policy template. The code base is dynamically calculated from the deployment and run-time data.

Static policy files

Policy file Location

java.policy
app_server_root/java/jre/lib/security/java.policy. Default permissions are granted to all classes. The policy of this file applies to all the processes launched by WebSphere Application Server.
server.policy profile_root/properties/server.policy. Default permissions are granted to all the product servers.
client.policy profile_root/properties/client.policy. Default permissions are granted for all of the product client containers and applets on a node.
The static policy files are not managed by configuration and file replication services. Changes made in these files are local and are not replicated to other nodes in the Network Deployment cell.

Dynamic policy files

Policy file Location

spi.policy
profile_root/config/cells/cell
/nodes/node/spi.policy
This template is for the Service Provider Interface (SPI) or the third-party resources that are embedded in the product. Examples of SPI are the Java Message Service (JMS) in MQ Series and Java database connectivity (JDBC) drivers. The code base for the embedded resources are dynamically determined from the configuration (resources.xml file) and run-time data, and permissions that are defined in the spi.policy files are automatically applied to these resources and JAR files that are specified in the class path of a resource adapter. The default permission of the spi.policy file is java.security.AllPermissions.
library.policy
profile_root/config/cells/cell/nodes
/node/library.policy
This template is for the library (Java library classes). We can define a shared library to use in multiple product applications. The default permission of the library.policy file is empty.
app.policy
profile_root/config/cells/cell
/nodes/node/app.policy
The app.policy file defines the default permissions that are granted to all of the enterprise applications running on node in cell.
was.policy
profile_root/config/cells/cell
/applications/ear_file_name/deployments/
appname/META-INF/was.policy
This template is for application-specific permissions. The was.policy file is embedded in the EAR file.
ra.xml rar_file_name/META-INF/was.policy.RAR.
This file can have a permission specification that is defined in the ra.xml file. The ra.xml file is embedded in the RAR file.
Grant entries that are specified in the app.policy and was.policy files must have a code base defined. If grant entries are specified without a code base, the policy files are not loaded properly and the application can fail. If the intent is to grant the permissions to all applications, use file:${application} as a code base in the grant entry.

Syntax of the policy file

A policy file contains several policy entries. The following example depicts each policy entry format
grant [codebase <Codebase>] {
permission <Permission>;
 permission <Permission>;
permission <Permission>;
};

<CodeBase>:   A URL.
      For example,  "file:${java.home}/lib/tools.jar"
            When [codebase <Codebase>] is not specified, listed 
               permissions are applied to everything.
            If URL ends with a JAR file name,  only the classes in the 
               JAR file belong to the codebase.
               If URL ends with "/", only the class files in the specified
               directory belong to the codebase.
               If URL ends with "*", all JAR and class files in the specified
               directory belong to the codebase.
               If URL ends with "-", all JAR and class files in the specified 
               directory and its subdirectories belong to the codebase.
<Permissions>: Consists from
              Permission Type    : class name of the permission
               Target Name        : name specifying the target
               Actions            : actions allowed on target
      For example,
            java.io.FilePermission "/tmp/xxx", "read,write"
Refer to developer kit specifications for the details of each permission.

Syntax of dynamic policy
We can define permissions for specific types of resources in dynamic policy files for an enterprise application. This action is achieved by using product-reserved symbols. The reserved symbol scope depends on where it is defined. If you define the permissions in app.policy, the symbol applies to all the resources on all of the enterprise applications that run on node. If you define the permissions in the META-INF/was.policy file, the symbol applies only to the specific enterprise application. Valid symbols for the code base are listed in the following table:

Symbol Meaning

file:${application} Permissions apply to all the resources within the application
file:${jars} Permissions apply to all the utility Java archive (JAR) files within the application
file:${ejbComponent} Permissions apply to the Enterprise JavaBeans (EJB) resources within the application
file:${webComponent} Permissions apply to the Web resources within the application
file:${connectorComponent} Permissions apply to the connector resources within the application
We can specify the module name for a granular setting, except for these entries that are specified by the code base symbols. For example
grant codeBase "file:DefaultWebApplication.war" {
   permission java.security.SecurityPermission "printIdentity";
 };

grant codeBase "file:IncCMP11.jar" {
permission java.io.FilePermission 
"${user.install.root}${/}bin${/}DefaultDB${/}-", 
"read,write,delete";
};
The sixth and seventh lines in the previous code sample are one continuous line. Use a relative code base only in the META-INF/was.policy file. Several product-reserved symbols are defined to associate the permission lists to a specific type of resources.

Symbol Meaning

file:${application} Permissions apply to all the resources within the application
file:${jars} Permissions apply to all the utility JAR files within the application
file:${ejbComponent} Permissions apply to the enterprise beans resources within the application
file:${webComponent} Permissions apply to the Web resources within the application
file:${connectorComponent} Permissions apply to the connector resources both within the application and in the standalone connector resources.
Five embedded symbols are provided to specify the path and the name for the java.io.FilePermission permission. These symbols enable flexible permission specification. The absolute file path is fixed after the installation of the application.

Symbol Meaning

${app.installed.path} Path where the application is installed
${was.module.path} Path where the module is installed
${current.cell.name} Current cell name
${current.node.name} Current node name
${current.server.name} Current server name
Attention: Do not use the ${was.module.path} in the ${application} entry.
Carefully determine where to add a new permission. An incorrectly specified permission causes an AccessControlException exception. Because dynamic policy resolves the code base at runtime, determining which policy file has a problem is difficult. Add a permission only to the necessary resources. For example, use ${ejbcomponent}, and etc instead of ${application}, and update the was.policy file instead of app.policy, if possible.

Static policy filtering

Limited static policy filtering support exists. If app.policy and the was.policy file have permissions that are defined in the filter.policy file with thefilterMask keyword, the runtime removes the permissions from the applications and an audit message is logged. However, if the permissions that are defined in the app.policy and the was.policy files are compound permissions, for example, java.security.AllPermission, the permission is not removed, but a warning message is written to the log file. The policy filtering only supports Developer Kit permissions; the permissions package name begins with java or javax.
Run-time policy filtering support is provided to force stricter filtering. If app.policy and the was.policy file have permissions that are defined in the filter.policy file with the runtimeFilterMask keyword, the runtime removes the permissions from the applications no matter what permissions are granted to the application. For example, even if a was.policy file has the java.security.AllPermission permission granted to one of its modules, specified permissions such as the runtimeFilterMask permission are removed from the granted permission during runtime.
If the Issue Permission Warning option in the Global Security panel is enabled and if app.policy and the was.policy file contain custom permissions (non-Developer Kit permissions, where the permissions package name begins with java or javax), a warning message logs. The permission is not removed. If the AllPermission permission is listed in app.policy and the was.policy file, a warning message logs.

Policy file editing

Using the policy tool that is provided by the Developer Kit (app_server_root/java/jre/bin/policytool), to edit the previous policy files is recommended. For Network Deployment, extract the policy files from the repository before editing. After the policy file is extracted, use the policy tool to edit the file. Check the modified policy files into the repository and synchronize them with other nodes.
If syntax errors exist in the policy files, the enterprise application or the server process might fail to start. Be cautious when editing these policy files. For example, if a policy has a trailing space in the policy permission target name, the policy fails to parse the permission properly in the IBM Developer Kit, Java Technology Edition V1.4.2. In the following example, note the space before the last quote: * \"*\" "
grant {
    permission javax.security.auth.PrivateCredentialPermission 
         "javax.resource.spi.security.PasswordCredential * \"*\" ","read";
};

Policy file	Location
java.policy	app_server_root/java/jre/lib/security/java.policy. Default permissions are granted to all classes. The policy of this file applies to all the processes launched by WebSphere Application Server.
server.policy	profile_root/properties/server.policy. Default permissions are granted to all the product servers.
client.policy	profile_root/properties/client.policy. Default permissions are granted for all of the product client containers and applets on a node.

Policy file	Location
spi.policy	profile_root/config/cells/cell /nodes/node/spi.policy This template is for the Service Provider Interface (SPI) or the third-party resources that are embedded in the product. Examples of SPI are the Java Message Service (JMS) in MQ Series and Java database connectivity (JDBC) drivers. The code base for the embedded resources are dynamically determined from the configuration (resources.xml file) and run-time data, and permissions that are defined in the spi.policy files are automatically applied to these resources and JAR files that are specified in the class path of a resource adapter. The default permission of the spi.policy file is java.security.AllPermissions.
library.policy	profile_root/config/cells/cell/nodes /node/library.policy This template is for the library (Java library classes). We can define a shared library to use in multiple product applications. The default permission of the library.policy file is empty.
app.policy	profile_root/config/cells/cell /nodes/node/app.policy The app.policy file defines the default permissions that are granted to all of the enterprise applications running on node in cell.
was.policy	profile_root/config/cells/cell /applications/ear_file_name/deployments/ appname/META-INF/was.policy This template is for application-specific permissions. The was.policy file is embedded in the EAR file.
ra.xml	rar_file_name/META-INF/was.policy.RAR. This file can have a permission specification that is defined in the ra.xml file. The ra.xml file is embedded in the RAR file.

Symbol	Meaning
file:${application}	Permissions apply to all the resources within the application
file:${jars}	Permissions apply to all the utility Java archive (JAR) files within the application
file:${ejbComponent}	Permissions apply to the Enterprise JavaBeans (EJB) resources within the application
file:${webComponent}	Permissions apply to the Web resources within the application
file:${connectorComponent}	Permissions apply to the connector resources within the application

Symbol	Meaning
file:${application}	Permissions apply to all the resources within the application
file:${jars}	Permissions apply to all the utility JAR files within the application
file:${ejbComponent}	Permissions apply to the enterprise beans resources within the application
file:${webComponent}	Permissions apply to the Web resources within the application
file:${connectorComponent}	Permissions apply to the connector resources both within the application and in the standalone connector resources.

Symbol	Meaning
${app.installed.path}	Path where the application is installed
${was.module.path}	Path where the module is installed
${current.cell.name}	Current cell name
${current.node.name}	Current node name
${current.server.name}	Current server name

If the permission is in a policy file that is loaded by the IBM Developer Kit, Java Technology Edition policy tool V1.4.2, the following message might display

Errors have occurred while opening the policy configuration. 
View the warning log for more information.

or the following message might display in a warning log

Warning: Invalid argument(s) for constructor: 
javax.security.auth.PrivateCredentialPermission.

To fix this problem, edit the permission and remove the trailing space. When the trailing space is removed, the permission loads properly. The following code sample shows the corrected permission

grant {
    permission javax.security.auth.PrivateCredentialPermission 
          "javax.resource.spi.security.PasswordCredential * \"*\"","read";
}

Troubleshooting

To debug the dynamic policy, choose one of three ways to generate the detail report of the AccessControlException exception.

Trace (Configured by RAS trace). Enables traces with the trace specification: Attention: The following command is one continuous line
```
com.ibm.ws.security.policy.*=all=enabled:
com.ibm.ws.security.core.SecurityManager=all=enabled
```
Trace (Configured by property). Specifies a Java java.security.debug property. Valid values for the java.security.debug property are as follows:
- Access. Print all debug information including required permission, code, stack, and code base location.
- Stack. Print debug information including, required permission, code, and stack.
- Failure. Print debug information including required permission and code.
ffdc. Enable ffdc, modify the ffdcRun.properties file by changing Level=4 and LAE=true. Look for an Access Violation keyword in the log file.

Related concepts
Java 2 security Related tasks
Protecting system resources and APIs (Java 2 security) Using PolicyTool to edit policy files