Configure the app.policy file

Java 2 Security uses several policy files to determine the permissions granted to each Java program. The app.policy file is a default policy file that is shared by all of the WebSphere Application Server - Express enterprise applications. The union of the permissions that are contained in the app.policy file, the server.policy file, the application's was.policy file, and the ra.xml file is applied to the enterprise application.

Note: The Signed By and the Java Authentication and Authorization Service (JAAS) principal keywords are not supported in the app.policy file. However, the Signed By keyword is supported in the following files: the java.policy and server.policy files. The JAAS principal keyword is supported in a JAAS policy file when it is specified by the Java Virtual Machine (JVM) system property, java.security.auth.policy. You can statically set the authorization policy files in java.security.auth.policy with auth.policy.url.n=URL, where n is an integer and URL is the location of the authorization policy.

If the default permissions for enterprise applications are sufficient, no action is required. If a specific change is required for all of the enterprise applications in the cell, the app.policy file must be updated. Note that syntax errors in the policy files can cause the application server to fail to start, so take extreme care when editing these policy files.

Modify the app.policy file with policytool. For more information, see Create and edit policy files with the policy tool. The changes are local to the node.

The app.policy file that is supplied by WebSphere Application Server - Express resides at /QIBM/UserData/WebASE51/ASE/instance/config/cells/cell/nodes/node/app.policy, where instance is the name of your instance, cell is the name of your cell, and node is the name of your node.

The app.policy file contains these default permissions:

grant codeBase "file:${application}" {
  // The following are required by Java mail
  permission java.io.FilePermission
   "${was.install.root}${/}java${/}extlib${/}mail.jar", "read";
  permission java.io.FilePermission
   "${was.install.root}${/}java${/}extlib${/}activation.jar", "read";
};

grant codeBase "file:${jars}" {
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};

grant codeBase "file:${connectorComponent}" {
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};

grant codeBase "file:${webComponent}" {
  permission java.io.FilePermission "${was.module.path}${/}-", "read, write";
  permission java.lang.RuntimePermission "loadLibrary.*";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};
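As an added check that is not part of this documentation: a small Java program (the names AppPolicyCheck, load and granted are assumed) that parses the ${webComponent} entry from the default app.policy listed above with the JDK's own policy provider, combines it with a constructed was.policy entry the way the union rule described earlier works, and asks whether specific permissions are granted to that code base. It assumes Java 11 or later with the JDK's built-in policy-file provider still available (it is deprecated in recent releases), and sets system properties to stand in for the values WebSphere substitutes for ${webComponent} and ${was.module.path}.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.security.cert.Certificate;
import java.util.List;

public class AppPolicyCheck {
    // Constructed stand-in for what WebSphere substitutes for ${webComponent} and ${was.module.path}
    static final String WEB_COMPONENT = "/tmp/wasdemo/MyApp.war";

    // Parse policy text with the JDK's built-in policy provider. A syntax
    // error throws here, the same failure that keeps the server from starting.
    static Policy load(String policyText) throws Exception {
        Path f = Files.createTempFile("app", ".policy");
        Files.writeString(f, policyText);
        return Policy.getInstance("JavaPolicy", new URIParameter(f.toUri()));
    }

    // The union rule: a permission is granted to a code base if any one of
    // the policy files (app.policy, was.policy, ...) grants it.
    static boolean granted(List<Policy> policies, String codeBase, Permission p) throws Exception {
        CodeSource cs = new CodeSource(URI.create(codeBase).toURL(), (Certificate[]) null);
        ProtectionDomain pd = new ProtectionDomain(cs, null);
        return policies.stream().anyMatch(policy -> policy.implies(pd, p));
    }
    public static void main(String[] args) throws Exception {
        System.setProperty("webComponent", WEB_COMPONENT);
        System.setProperty("was.module.path", WEB_COMPONENT);
        // The ${webComponent} entry from the default app.policy listed above
        Policy appPolicy = load("grant codeBase \"file:${webComponent}\" {\n"
            + "  permission java.io.FilePermission \"${was.module.path}${/}-\", \"read, write\";\n"
            + "  permission java.net.SocketPermission \"*\", \"connect\";\n};\n");
        // A constructed was.policy entry that adds one permission for the same module
        Policy wasPolicy = load("grant codeBase \"file:${webComponent}\" {\n"
            + "  permission java.util.PropertyPermission \"user.dir\", \"read\";\n};\n");
        List<Policy> union = List.of(appPolicy, wasPolicy);
        String cb = "file:" + WEB_COMPONENT;
        System.out.println(granted(union, cb, new FilePermission(WEB_COMPONENT + "/WEB-INF/web.xml", "read")));
        System.out.println(granted(union, cb, new FilePermission("/etc/passwd", "read")));
        System.out.println(granted(union, cb, new SocketPermission("example.com:443", "accept")));
        System.out.println(granted(union, cb, new java.util.PropertyPermission("user.dir", "read")));
    }
}
```

The first and last checks succeed only because the FilePermission target ends in ${/}- (which covers the module's subtree) and because the was.policy entry is unioned in; the read of /etc/passwd and the "accept" socket action fall outside every grant and are refused.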

If all of the WebSphere Application Server - Express enterprise applications within a cell require permissions that are not defined as defaults in the app.policy file, you may have to update the app.policy file, and possibly the server.policy file.

If you change the app.policy file, you must restart all enterprise applications to ensure that the updated app.policy file takes effect.