<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Configure Java 2 policy files</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h4><a name="seccj2po"></a>Configure Java 2 policy files</h4>
<p>The J2EE 1.3 specification has a well-defined programming model of responsibilities between the container providers and the application code. It is recommended that you use the Java 2 Security manager to help enforce this programming model. Certain operations are not allowed in the application code because such operations interfere with the behavior and operation of the containers. The Java 2 Security manager is used in the product to enforce the responsibilities of the container and the application code.</p>
<p>WebSphere Application Server - Express provides support for policy file management. There are a number of policy files in the product, which are either static or dynamic. Static policy files provide default permissions. Dynamic policy files are templates of permissions for a particular type of resource. You can use relative file paths in some dynamic policy files; the absolute path is resolved when the application is deployed. For more information, see <a href="secj2syn.htm">Syntax of policy files</a>.</p>
|
<p><strong>Dynamic policy files</strong></p>
<p>These files provide the permissions for an application:</p>
<ul>
<li><p><strong>app.policy</strong>
<br>This file contains the default permissions for all of the enterprise applications in the cell. For more information, see <a href="seccj2ap.htm">Configure the app.policy file</a>.</p></li>
<li><p><strong>was.policy</strong>
<br>This file contains application-specific permissions for a WebSphere Application Server - Express enterprise application. This file is packaged within the application's EAR file. For more information, see <a href="seccj2wa.htm">Configure the was.policy file</a>.</p></li>
<li><p><strong>ra.xml</strong>
<br>This file is the resource adapter deployment descriptor. It contains the connector-specific permissions that a particular resource adapter requires when it is used by a WebSphere Application Server - Express enterprise application. This file is packaged within the RAR file.</p></li>
<li><p><strong>spi.policy</strong>
<br>This file contains permissions for a service provider interface (SPI) or third-party resources that are embedded in WebSphere Application Server - Express. For more information, see <a href="seccj2sp.htm">Configure the spi.policy file</a>.</p></li>
<li><p><strong>library.policy</strong>
<br>This file contains permissions for Java library classes that are shared by enterprise applications. By default, this file is empty. For more information, see <a href="seccj2li.htm">Configure the library.policy file</a>.</p></li>
<li><p><strong>filter.policy</strong>
<br>This file contains a list of permissions that are filtered out of the was.policy and app.policy files in the cell. This filtering mechanism applies only to was.policy and app.policy; permissions granted in the other policy files are not filtered. For more information, see <a href="seccj2fi.htm">Configure the filter.policy file</a>.</p></li>
</ul>
<p><strong>Static policy files</strong></p>
<p>These files provide default permissions. If permissions are required beyond the application level, you may need to update the static policy files. Note that static policy files are not configuration files managed by the WebSphere repository and file replication service: changes to these files are local to the node and are not replicated to other machines.</p>
<ul>
<li><p><strong>java.policy</strong>
<br>This file contains default permissions for all of the Java programs that run in the node's Java virtual machine. (On iSeries, this file is shipped with IBM Development Kit for Java.) By default, permissions are granted to all Java classes. Because this file represents permissions for all JVM processes, it is recommended that you do not modify its contents unless it is absolutely necessary. For more information, see <a href="seccj2ja.htm">Configure the java.policy file</a>.</p></li>
<li><p><strong>server.policy</strong>
<br>This file contains default permissions for all WebSphere Application Server - Express programs on the node. By default, permissions are granted to all the product servers. Because this file represents permissions for all server processes, it is recommended that you do not modify its contents unless it is absolutely necessary. For more information, see <a href="seccj2se.htm">Configure the server.policy file</a>.</p></li>
</ul>
<p>Here are some considerations when you edit Java 2 Security policy files:</p>
<ul>
<li><p>The <tt>signedBy</tt> keyword is not supported in the following dynamic policy files: app.policy, spi.policy, library.policy, was.policy, and filter.policy. It is supported only in the static policy files java.policy and server.policy.</p></li>
<li><p>The Java Authentication and Authorization Service (JAAS) <tt>principal</tt> keyword is not supported in the app.policy, spi.policy, library.policy, was.policy, and filter.policy files. The JAAS <tt>principal</tt> keyword is supported in a JAAS policy file when that file is specified by the Java Virtual Machine (JVM) system property <tt>java.security.auth.policy</tt>. You can statically set the authorization policy files with <tt>auth.policy.url.<em>n</em>=<em>URL</em></tt>, where <em>n</em> is an integer and <em>URL</em> is the location of the authorization policy.</p></li>
<li><p>It is recommended that you update dynamic policy files rather than static policy files, because the static policy files grant permissions beyond the application level.</p></li>
<li><p>When you edit a policy file to add required permissions, use the policy file of smallest scope. That way you avoid giving unnecessary permissions to applications, which better protects your resources. For example, update the ra.xml or was.policy file (these files define permissions for a single application) rather than the app.policy file (which defines permissions for all applications in the cell).</p></li>
<li><p>Use specific component symbols, such as <tt>${webComponent}</tt>, <tt>${connectorComponent}</tt>, and <tt>${jars}</tt>, rather than the <tt>${application}</tt> symbol, so that a permission is granted only to the component that needs it rather than to every module in the application.</p></li>
<li><p>If there is any permission that should never be granted to a WebSphere Application Server - Express enterprise application within the cell, add this permission to the filter.policy file.</p></li>
<li><p>After you have modified a dynamic policy file, restart the enterprise application.</p></li>
<li><p>After you have modified a static policy file, restart the application server.</p></li>
</ul>
<p><strong>Troubleshooting</strong></p>
<p>If a WebSphere Application Server - Express enterprise application within a cell requires permissions, some of the dynamic policy files may need to be updated. The symptom of a missing permission is a <tt>java.security.AccessControlException</tt>. For more information, see <a href="secj2ace.htm">AccessControlException</a>.</p>
<p>The missing permission is listed in the exception data, for example:</p>
<pre> java.security.AccessControlException: access denied
 (java.io.FilePermission /QIBM/ProdData/WebASE51/ASE/java/ext/mail.jar read)</pre>
<p>When a Java program receives this exception and granting the permission is justified, add the permission to the dynamic policy file of smallest adequate scope, for example:</p>
<pre> grant codeBase "file:${application}" {
     permission java.io.FilePermission
         "/QIBM/ProdData/WebASE51/ASE/java/ext/mail.jar", "read";
 };</pre>
<p>This example uses the <tt>${application}</tt> symbol, which grants the permission to every module in the application. If only one component needs the permission, use a component symbol such as <tt>${webComponent}</tt> instead, as described in the considerations above. Also check filter.policy before you edit was.policy or app.policy: a permission listed there is filtered out of those two files, so the new grant has no effect.</p>
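<p>The considerations above and this troubleshooting procedure are easy to get wrong by hand: a grant that uses <tt>signedBy</tt> or <tt>${application}</tt>, or a permission that filter.policy removes again. The following Python script is an added example, not code from the WebSphere Application Server documentation or product. It parses the <tt>access denied (...)</tt> text of a <tt>java.security.AccessControlException</tt> into a permission, emits a was.policy grant entry scoped to <tt>${webComponent}</tt>, and lints a dynamic policy file for the rules listed above. The was.policy sample and the filter.policy fragment are constructed for the example, the <tt>filtered_by</tt> check is a simplified approximation of <tt>Permission.implies()</tt>, and all function names are the example's own.</p>

```python
"""Added example, not from the WebSphere Application Server documentation:
(1) turn the AccessControlException text from a server log into a grant
entry of the smallest scope, and (2) lint a dynamic policy file against the
rules this page states. All sample inputs below are constructed."""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Permission:
    ptype: str
    name: Optional[str] = None
    actions: Optional[str] = None

    def policy_line(self) -> str:
        line = f"permission {self.ptype}"
        if self.name is not None:
            line += f' "{self.name}"'
            if self.actions:
                line += f', "{self.actions}"'
        return line + ";"


def parse_access_denied(message: str) -> Permission:
    """Extract (type, name, actions) from 'access denied (...)'; accepts the
    unquoted form shown on this page and the quoted form newer JDKs print."""
    m = re.search(r"access denied\s*\((.*?)\)", message, re.DOTALL)
    parts = shlex.split(m.group(1)) if m else []  # quoted name with spaces stays one token
    if not parts:
        raise ValueError("no 'access denied (...)' permission in message")
    return Permission(parts[0], parts[1] if len(parts) > 1 else None,
                      parts[2] if len(parts) > 2 else None)


def grant_entry(perm: Permission, codebase: str = "file:${webComponent}") -> str:
    """Grant block for was.policy; default codeBase is a component symbol, not ${application}."""
    return f'grant codeBase "{codebase}" {{\n    {perm.policy_line()}\n}};'


# Enough policy-file syntax for grant blocks; ${...} inside the header is tolerated.
_GRANT_RE = re.compile(r"grant\b((?:\$\{[^}]*\}|[^{])*)\{(.*?)\}\s*;", re.DOTALL)
_PERM_RE = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?')
_COMMENT_RE = re.compile(r"(?m)^\s*//.*$")  # whole-line comments only, so file:// URLs survive


def parse_permissions(text: str) -> List[Permission]:
    text = _COMMENT_RE.sub("", text)
    return [Permission(t, n or None, a or None) for t, n, a in _PERM_RE.findall(text)]


def filtered_by(perm: Permission, filters: List[Permission]) -> Optional[Permission]:
    """Approximation of implies(): same type, name equal or covered by '*', 'prefix.*'
    or <<ALL FILES>>, and the requested actions a subset of the filter entry's."""
    for f in filters:
        if f.ptype == "java.security.AllPermission":
            return f
        if f.ptype != perm.ptype:
            continue
        fname, pname = f.name or "", perm.name or ""
        covered = (fname == pname or fname in ("*", "<<ALL FILES>>")
                   or (fname.endswith(".*") and pname.startswith(fname[:-1])))
        want = set((perm.actions or "").split(",")) - {""}
        have = set((f.actions or "").split(",")) - {""}
        if covered and (not have or want <= have):
            return f
    return None


def lint_dynamic_policy(policy: str, filter_policy: str = "",
                        filter_applies: bool = True) -> List[str]:
    """Findings for one dynamic policy file. filter.policy strips entries only
    from app.policy and was.policy, so pass filter_applies=False for the others."""
    findings = []
    filters = parse_permissions(filter_policy) if filter_applies else []
    for header, body in _GRANT_RE.findall(_COMMENT_RE.sub("", policy)):
        if re.search(r"\bsignedBy\b", header + body, re.IGNORECASE):
            findings.append("signedBy is not supported in dynamic policy files")
        if re.search(r"\bprincipal\b", header):
            findings.append("the JAAS principal keyword is not supported in dynamic policy files")
        cb = re.search(r'codeBase\s+"([^"]*)"', header)
        if cb and "${application}" in cb.group(1):
            findings.append(f'codeBase "{cb.group(1)}": prefer ${{webComponent}}, '
                            f'${{connectorComponent}} or ${{jars}}')
        for p in parse_permissions(body):
            f = filtered_by(p, filters)
            if f is not None:
                findings.append(f"{p.policy_line()} is removed by filter.policy entry {f.policy_line()}")
    return findings


# Constructed inputs: the exception text is the one quoted on this page; the
# filter.policy lines are an assumed fragment, not the file the product ships.
SAMPLE_EXCEPTION = ("java.security.AccessControlException: access denied\n"
                    "(java.io.FilePermission /QIBM/ProdData/WebASE51/ASE/java/ext/mail.jar read)")
SAMPLE_FILTER = """permission java.lang.RuntimePermission "exitVM";
permission java.io.FilePermission "<<ALL FILES>>", "write,delete";
"""
SAMPLE_WAS_POLICY = """// constructed was.policy with the mistakes the list above warns about
grant codeBase "file:${application}" signedBy "vendor" {
    permission java.io.FilePermission "/tmp/-", "write";
    permission java.lang.RuntimePermission "exitVM";
    permission java.util.PropertyPermission "java.vendor", "read";
};
"""
```

<p>Calling <tt>grant_entry(parse_access_denied(SAMPLE_EXCEPTION))</tt> prints the grant from the example above with <tt>file:${webComponent}</tt> as the codeBase. <tt>lint_dynamic_policy(SAMPLE_WAS_POLICY, SAMPLE_FILTER)</tt> reports four findings on the constructed was.policy: the <tt>signedBy</tt> keyword, the <tt>${application}</tt> codeBase, and the two permissions that the filter.policy entries remove. Pass <tt>filter_applies=False</tt> when linting spi.policy or library.policy, which the filter does not touch.</p>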
</body>
</html>