Configure Java 2 security policy files

Configure Java 2 security policy files

Users can configure Java 2 security policy files so that the required permission is granted for the specified WebSphere Application Server enterprise application.
Java 2 security uses several policy files to determine the permissions for each Java programs.
See the Java 2 security policy files topic for the list of available policy files that are supported by WebSphere Application Server.
Two types of policy files are supported by WebSphere Application Server: dynamic policy files and static policy files. Static policy files provide the default permissions. Dynamic policy files provide application permissions. Six dynamic policy files are provided:

Policy file name Description

app.policy Contains default permissions for all of the enterprise applications in the cell.
Updates to the app.policy file only apply to the enterprise applications on the node to which the app.policy file belongs.
was.policy Contains application-specific permissions for an WebSphere Application Server enterprise application. This file is packaged in an EAR file.
ra.xml Contains connector application specific permissions for a WAS enterprise application. This file is packaged in a resource adapter archive (RAR) file.
spi.policy Contains permissions for Service Provider Interface (SPI) or third-party resources that are embedded in WebSphere Application Server. The default contents grant everything. Update this file carefully when the cell requires more protection against SPI in the cell. This file is applied to all of the SPIs defined in the resources.xml file.
library.policy Contains permissions for the shared library of enterprise applications.
filter.policy Contains the list of permissions that require filtering from the was.policy file and the app.policy file in the cell. This filtering mechanism only applies to the was.policy and app.policy files.

In WebSphere Application Server, applications must have the appropriate thread permissions specified in the was.policy or app.policy file. Without the thread permissions specified, the application cannot manipulate threads and WAS creates a java.security.AccessControlException exception. The app.policy file applies to a specified node. If we change the permissions in one app.policy file, we must incorporate the new thread policy in the same file on the remaining nodes. Also, if we add the thread permissions to the app.policy file, we must restart WebSphere Application Server to enforce the new permissions. However, if we add the permissions to the was.policy file for a specific application, we do not need to restart WebSphere Application Server. An administrator must add the following code to a was.policy or app.policy file for an application to manipulate threads:
grant codeBase "file:${application}" {
  permission java.lang.RuntimePermission "stopThread";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "modifyThreadGroup";
};
Important: The Signed By keyword is not supported in the following policy files: app.policy, spi.policy, library.policy, was.policy, and filter.policy files. However, the Signed By keyword is supported in the following policy files:java.policy, server.policy, and client.policy files. The JAAS is not supported in the app.policy, spi.policy, library.policy, was.policy, and filter.policy files. However, the JAAS principal keyword is supported in a JAAS policy file when it is specified by the java.security.auth.policy JVM system property. We can statically set the authorization policy files in java.security.auth.policy with auth.policy.url.n=URL, where URL is the location of the authorization policy.

Identify the policy file to update.

If the permission is required by an application, update the static policy file. Refer to Configure static policy files in Java 2 security.

If the permission is required by all of the WAS enterprise applications in the node, refer to spi.policy file permissions.

If the permission is required only by specific WebSphere Application Server enterprise applications and the permission is required only by connector, update the ra.xml file. Refer to the Assembling resource adapter (connector) modules article for more information. Otherwise, update the was.policy file. Refer to Configure the was.policy file for Java 2 security and Add the was.policy file to applications for Java 2 security.

If the permission is required by shared libraries, refer to library.policy file permissions.

If the permission is required by SPI libraries, refer to spi.policy file permissions.

Pick up the policy file with the smallest scope. We can avoid giving an extra permission to the Java programs and protect the resources. We can update the ra.xml file or the was.policy file rather than the app.policy file. Use specific component symbols ($(ejbcomponent), ${webComponent},${connectorComponent} and ${jars}) than ${application} symbols. Update dynamic policy files, rather than static policy files.
Add any permission that you never want granted to the WAS enterprise application in the cell to the filter.policy file. Refer to filter.policy file permissions.

Restart the WAS enterprise application.

Results
The required permission is granted for the specified WebSphere Application Server enterprise application.

Example

If a WAS enterprise application in a cell requires permissions, some of the dynamic policy files need updating. The symptom of the missing permission is the java.security.AccessControlException exception. The missing permission is listed in the following exception data, which appears as one line, but is split into sections for readability.

java.security.AccessControlException: access denied (java.io.FilePermission ${was.install.root}/java/ext/mail.jar read)

When a Java program receives this exception and adding this permission is justified, add a permission to an adequate dynamic policy file.
grant codeBase "file:user_client_installed_location" {    permission java.io.FilePermission  "${was.install.root}$(/)java$(/)jre$(/)lib$(/)ext$(/)mail.jar", "read";
};
The previous permission information lines are split for the illustration. Enter the permission on one line.
To decide whether to add a permission, refer to the Access control exception for Java 2 security topic.

Subtopics

app.policy file permissions

filter.policy file permissions

Configure the was.policy file for Java 2 security

spi.policy file permissions

library.policy file permissions

Add the was.policy file to applications for Java 2 security

Related tasks

Protecting system resources and APIs (Java 2 security) for developing applications
Migrate, coexist, and interoperate - Security considerations
Configure static policy files in Java 2 security

Related reference

Java 2 security policy files

Policy file name	Description
app.policy	Contains default permissions for all of the enterprise applications in the cell. Updates to the app.policy file only apply to the enterprise applications on the node to which the app.policy file belongs.
was.policy	Contains application-specific permissions for an WebSphere Application Server enterprise application. This file is packaged in an EAR file.
ra.xml	Contains connector application specific permissions for a WAS enterprise application. This file is packaged in a resource adapter archive (RAR) file.
spi.policy	Contains permissions for Service Provider Interface (SPI) or third-party resources that are embedded in WebSphere Application Server. The default contents grant everything. Update this file carefully when the cell requires more protection against SPI in the cell. This file is applied to all of the SPIs defined in the resources.xml file.
library.policy	Contains permissions for the shared library of enterprise applications.
filter.policy	Contains the list of permissions that require filtering from the was.policy file and the app.policy file in the cell. This filtering mechanism only applies to the was.policy and app.policy files.