ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzatz_5.4.0.1/51/sec/seccj2fi.htm

67 lines
6.3 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Configure the filter.policy file</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h5><a name="seccj2fi"></a>Configure the filter.policy file</h5>
<p>Java 2 Security uses several policy files to determine the granted permission for each Java programs. Java 2 Security policy filtering is only in effect when Java 2 Security is enabled. For more information about enabling Java 2 Security, see <a href="seccj2.htm">Configure Java 2 security</a>.</p>
<p>The filtering policy that is defined in the filter.policy file is cell wide. The filter.policy file is the only policy file that is used to <em>restrict</em> permissions instead of granting permissions. The permissions that are listed in the filter policy file are filtered out of the app.policy and was.policy files. Permissions that are defined in the other policy files are not affected by the filter.policy file.</p>
<p>When a permission is filtered out, an audit message is logged. However, if the permissions that are defined in the app.policy and was.policy files are compound permissions (java.security.AllPermission, for example), the permission is not removed, and a warning message is logged. If <strong>Issue Permission Warning</strong> is enabled (it is enabled by default), and if the app.policy and was.policy files contain custom permissions (permissions for packages that do not start with <tt>java</tt> or <tt>javax</tt>), then a warning message is logged, and the permission is not removed. You can disable the <strong>Issue Permission Warning</strong> setting in the Global Security page of the administrative console. If java.security.AllPermission is specified in the app.policy file or in the was.policy file, a warning message is logged. However, the permission is not removed. It is recommended that you not use AllPermission for your enterprise applications.</p>
<p>Some default permissions are defined in the filter.policy file. These are the minimal permissions that are recommended. If more permissions are added to the filter.policy file, certain operations may fail for enterprise applications.</p>
<p>The WebSphere Application Server - Express filter.policy file is located in the /QIBM/UserData/WebASE51/ASE/<em>instance</em>/config/cells/<em>cell</em> directory, where <em>instance</em> is the name of your instance, and <em>cell</em> is the name of your cell.</p>
<p>By default, the filter.policy file contains these permissions:</p>
<pre> filterMask {
permission java.lang.RuntimePermission &quot;exitVM&quot;;
permission java.lang.RuntimePermission &quot;setSecurityManager&quot;;
permission java.security.SecurityPermission &quot;setPolicy&quot;;
permission javax.security.auth.AuthPermission &quot;setLoginConfiguration&quot;;
};
runtimeFilterMask {
permission java.lang.RuntimePermission &quot;exitVM&quot;;
permission java.lang.RuntimePermission &quot;setSecurityManager&quot;;
permission java.security.SecurityPermission &quot;setPolicy&quot;;
permission javax.security.auth.AuthPermission &quot;setLoginConfiguration&quot;;
};</pre>
<p>The permissions that are defined in the filterMask block are for static policy filtering. The security run time tries to remove the permissions from applications during application startup. Compound permissions are not removed and a warning is issued. Application deployment is stopped if applications contain permissions that are defined in filterMask and if scripting was used (wsadmin tool).</p>
<p>The runtimeFilterMask block defines the permissions to access resources that the security run time denies to the application thread. Do not add more permissions to the runtimeFilterMask because the application may fail to start or may function incorrectly. Usually, you only need to add permissions to the filterMask block.</p>
<p>WebSphere Application Server - Express itself relies on the filter.policy file to restrict or disallow certain permissions that could compromise the integrity of the system itself. For example, WebSphere Application Server - Express considers the exitVM and setSecurityManager permissions as those permissions that most applications should never have. If you grant these permissions to your application, then the following scenarios are possible:</p>
<ul>
<li><p><strong>exitVM</strong>
<br>A servlet, JSP file, or other library could call the System.exit() API and cause the entire WebSphere Application Server - Express process to terminate.</p></li>
<li><p><strong>setSecurityManager</strong>
<br>An application could install its own SecurityManager that could either grant more permissions or bypass the default policy that the WebSphere Application Server - Express SecurityManager enforces.</p></li>
</ul>
<p>If there are syntax errors in the filter.policy file, it is not loaded by the WebSphere security run time. This implies that there is no filter in place. If there is no filter, enterprise applications can access resources that are normally not allowed. Use extreme care editing the filter.policy file.</p>
<p><strong>Note:</strong> Do not place the <tt>codebase</tt> keyword or any other keyword after the <tt>filterMask</tt> and <tt>runtimeFilterMask</tt> keywords. The <tt>Signed By</tt> and the Java Authentication and Authorization Service (JAAS) <tt>principal</tt> keywords are not supported in the filter.policy file. However, the <tt>Signed By</tt> keyword is supported in the following policy files: java.policy and server.policy. The JAAS <tt>principal</tt> keyword is supported in a JAAS policy file when it is specified by the Java Virtual Machine (JVM) system property, <tt>java.security.auth.policy</tt>. You can statically set the authorization policy files in <tt>java.security.auth.policy</tt> with <tt>auth.policy.url.<em>n</em>=<em>URL</em></tt> where <em>n</em> is an integer and <em>URL</em> is the location of the authorization policy.</p>
<p>In Version 5, there is no tool support for editing the filter.policy file. You must use a text editor to edit the file.</p>
<p>For the updated filter.policy file to take effect, restart all related Java processes.</p>
</body>
</html>