ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzatz_5.4.0.1/51/sec/secaddwp.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">

<title>Add the was.policy file to applications</title>
</head>

<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>

<h3><a name="secaddwp"></a>Add the was.policy file to applications</h3>
    
<p>When Java 2 security is enabled for a WebSphere Application Server, all the applications that run on that WebSphere Application Server undergo a security check before accessing any system resource. An application might need a was.policy if it accesses resources that require more permissions than have been granted in the default app.policy file. By default, the product security reads an app.policy file that is located in each instance and grants the permissions in the app.policy file to all the applications in the instance. Any additional required permissions should be added in the was.policy file. The was.policy file is only required if an application requires additional permissions.</p>

<p>In the was.policy file, specify <tt>codeBase</tt> of <tt>${application}</tt> and add required permissions to grant additional permissions to the entire application. Similarly, use <tt>codeBase</tt> of <tt>${webComponent}</tt> to grant additional permissions to all the Web modules in the application. You can assign additional permissions to each module (WAR file) as shown in the following example.</p>

<p>Here is an example of the was.policy file that add extra permissions for an application:</p>

<pre>  // grant additional permissions to a WebModule
  grant codeBase &quot; file:aWebModule.war&quot; {
    permission java.security.SecurityPermission &quot;printIdentity&quot;;
  };</pre>

<p>To create a was.policy file for your application, perform these steps:</p>

<ol>
<li><p>Create a was.policy file using the Java policy tool. The policytool is located in the <tt>bin</tt> subdirectory of your workstation's Java development kit or runtime environment installation. For example, on a Windows workstation, run C:\j2sdk1.4.1_01\jre\bin\policytool.exe.</p></li>

<li><p>Add the required permissions in the was.policy file using the policy tool.</p></li>

<li><p>Start WebSphere Development Studio Client.</p></li>

<li><p>Open your Web project.</p></li>

<li><p>In the Navigator window, select the META-INF directory.</p></li>

<li><p>Select <strong>File --&gt; Import</strong>.</p></li>

<li><p>In the Import wizard, select <strong>File system</strong>, and click <strong>Next</strong>.</p></li>

<li><p>Click <strong>Browse</strong> and select the directory which contains the was.policy file that you want to add to the application. Click <strong>OK</strong>.</p></li>

<li><p>In the left pane, select the directory. In the right pane, select the was.policy file.</p></li>

<li><p>Click <strong>Finish</strong>.</p></li>
</ol>

<p>When you export your project to a WAR or EAR file and install (deploy) it into the application server run time, your application is ready to run when Java 2 security is enabled.</p>

<p><strong>Troubleshooting</strong></p>
<p>Adding the was.policy file to your assembled application is required for applications to run properly when Java 2 security is enabled. If the was.policy file is not created and it does not contain required permissions, the application might not be able to access system resources.</p>

<p>The symptom of the missing permission problem is the application program getting the exception, java.security.AccessControlException. The missing permission is listed in the exception data, for example:</p>

<pre>  java.security.AccessControlException: access denied
  (java.io.FilePermission /QIBM/ProdData/WebASE51/ASE/java/ext/mail.jar read)</pre>

<p>When an application program receives this exception and adding this permission is justified, add a permission to the was.policy file, for example:</p>
<pre>  grant codeBase &quot;file:${application}&quot; {
    permission java.io.FilePermission 
      &quot;/QIBM/ProdData/WebASE51/ASE/java/ext/mail.jar&quot;, &quot;read&quot;;
  };</pre>

</body>
</html>
Add readme and dist folders 2024-04-02 14:02:31 +00:00			`<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">`
			`<html>`
			`<head>`
			`<META http-equiv="Content-Type" content="text/html; charset=utf-8">`
			`<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">`

			`<title>Add the was.policy file to applications</title>`
			`</head>`

			`<BODY>`
			`<!-- Java sync-link -->`
			`<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>`

			`<h3><a name="secaddwp"></a>Add the was.policy file to applications</h3>`

			<p>When Java 2 security is enabled for a WebSphere Application Server, all the applications that run on that WebSphere Application Server undergo a security check before accessing any system resource. An application might need a was.policy if it accesses resources that require more permissions than have been granted in the default app.policy file. By default, the product security reads an app.policy file that is located in each instance and grants the permissions in the app.policy file to all the applications in the instance. Any additional required permissions should be added in the was.policy file. The was.policy file is only required if an application requires additional permissions.</p>

			`<p>In the was.policy file, specify <tt>codeBase</tt> of <tt>${application}</tt> and add required permissions to grant additional permissions to the entire application. Similarly, use <tt>codeBase</tt> of <tt>${webComponent}</tt> to grant additional permissions to all the Web modules in the application. You can assign additional permissions to each module (WAR file) as shown in the following example.</p>`

			`<p>Here is an example of the was.policy file that add extra permissions for an application:</p>`

			`<pre> // grant additional permissions to a WebModule`
			`grant codeBase " file:aWebModule.war" {`
			`permission java.security.SecurityPermission "printIdentity";`
			`};</pre>`

			`<p>To create a was.policy file for your application, perform these steps:</p>`

			`<ol>`
			`<li><p>Create a was.policy file using the Java policy tool. The policytool is located in the <tt>bin</tt> subdirectory of your workstation's Java development kit or runtime environment installation. For example, on a Windows workstation, run C:\j2sdk1.4.1_01\jre\bin\policytool.exe.</p></li>`

			`<li><p>Add the required permissions in the was.policy file using the policy tool.</p></li>`

			`<li><p>Start WebSphere Development Studio Client.</p></li>`

			`<li><p>Open your Web project.</p></li>`

			`<li><p>In the Navigator window, select the META-INF directory.</p></li>`

			`<li><p>Select <strong>File --> Import</strong>.</p></li>`

			`<li><p>In the Import wizard, select <strong>File system</strong>, and click <strong>Next</strong>.</p></li>`

			`<li><p>Click <strong>Browse</strong> and select the directory which contains the was.policy file that you want to add to the application. Click <strong>OK</strong>.</p></li>`

			`<li><p>In the left pane, select the directory. In the right pane, select the was.policy file.</p></li>`

			`<li><p>Click <strong>Finish</strong>.</p></li>`
			`</ol>`

			`<p>When you export your project to a WAR or EAR file and install (deploy) it into the application server run time, your application is ready to run when Java 2 security is enabled.</p>`

			`<p><strong>Troubleshooting</strong></p>`
			`<p>Adding the was.policy file to your assembled application is required for applications to run properly when Java 2 security is enabled. If the was.policy file is not created and it does not contain required permissions, the application might not be able to access system resources.</p>`

			`<p>The symptom of the missing permission problem is the application program getting the exception, java.security.AccessControlException. The missing permission is listed in the exception data, for example:</p>`

			`<pre> java.security.AccessControlException: access denied`
			`(java.io.FilePermission /QIBM/ProdData/WebASE51/ASE/java/ext/mail.jar read)</pre>`

			`<p>When an application program receives this exception and adding this permission is justified, add a permission to the was.policy file, for example:</p>`
			`<pre> grant codeBase "file:${application}" {`
			`permission java.io.FilePermission`
			`"/QIBM/ProdData/WebASE51/ASE/java/ext/mail.jar", "read";`
			`};</pre>`

			`</body>`
			`</html>`