<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Configure the app.policy file</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h5><a name="seccj2ap"></a>Configure the app.policy file</h5>
<p>Java 2 Security uses several policy files to determine the permissions that are granted to each Java program. The app.policy file is a default policy file that is shared by all of the WebSphere Application Server - Express enterprise applications. The union of the permissions that are contained in the app.policy file, the server.policy file, the application's was.policy file, and the ra.xml file is applied to the enterprise application.</p>
<p><strong>Note:</strong> The <tt>Signed By</tt> and the Java Authentication and Authorization Service (JAAS) <tt>principal</tt> keywords are not supported in the app.policy file. However, the <tt>Signed By</tt> keyword is supported in the following files: the java.policy and server.policy files. The JAAS <tt>principal</tt> keyword is supported in a JAAS policy file when it is specified by the Java Virtual Machine (JVM) system property, <tt>java.security.auth.policy</tt>. You can statically set the authorization policy files in java.security.auth.policy with <tt>auth.policy.url.<em>n</em>=<em>URL</em></tt>, where <em>n</em> is an integer and <em>URL</em> is the location of the authorization policy.</p>
<p>If the default permissions for enterprise applications are enough, no action is required. If a specific change is required for all of the enterprise applications in the cell, the app.policy file must be updated. Note that syntax errors in the policy files can cause the application server to fail to start. Take extreme care when you edit these policy files.</p>
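<p>Because a syntax error in a policy file can keep the application server from starting, and because the <tt>Signed By</tt> and <tt>principal</tt> keywords are not supported in app.policy, an edited file can be checked before it is put in place. The following Python script is an added example, not part of the WebSphere Application Server documentation or product; the function name <tt>lint_app_policy</tt> and the sample edit are constructed for illustration, and it checks <tt>grant</tt> entries only.</p>

```python
import re

# Strings first so "//" or braces inside a quoted target are never misread.
TOKEN = re.compile(r'"[^"\n]*"|//[^\n]*|/\*.*?\*/|[{};,]|[^\s{};,"]+|"', re.S)
UNSUPPORTED = {"signedby", "principal"}   # not supported in app.policy (see note)
STRUCTURAL = {"grant", "permission", "{", "}", ";"}

def lint_app_policy(text):
    """Return a list of problems in app.policy text; an empty list means clean."""
    toks = [t for t in TOKEN.findall(text) if not t.startswith(("//", "/*"))]
    if '"' in toks:                        # lone quote = string never closed
        return ["unterminated string literal"]
    problems, i, n, grants = [], 0, len(toks), 0

    def scan(j, end, where):
        # Walk one clause up to its terminator, flagging unsupported keywords.
        while j < n and toks[j] != end:
            if toks[j].lower() in UNSUPPORTED:
                problems.append(f"{where}: '{toks[j]}' is not supported in app.policy")
            elif toks[j].lower() in STRUCTURAL:
                problems.append(f"{where}: expected '{end}' before '{toks[j]}'")
                return j                   # resume at the token that came too early
            j += 1
        if j == n:
            problems.append(f"{where}: expected '{end}' before end of file")
        return j + 1

    while i < n:
        if toks[i].lower() != "grant":
            problems.append(f"unexpected '{toks[i]}' outside a grant entry")
            i += 1
            continue
        grants += 1
        where = f"grant #{grants}"
        i = scan(i + 1, "{", where)
        while i < n and toks[i].lower() == "permission":
            i = scan(i + 1, ";", where + " permission")
        if toks[i:i + 2] == ["}", ";"]:
            i += 2
        else:
            problems.append(f"{where}: entry not closed with '}};'")
    return problems

# Constructed sample: an edit that adds a signer and drops a semicolon.
EDITED = '''grant signedBy "ops", codeBase "file:${webComponent}" {
  permission java.util.PropertyPermission "*", "read"
  permission java.net.SocketPermission "*", "connect";
};'''

if __name__ == "__main__":
    print("\n".join(lint_app_policy(EDITED)) or "no problems found")
```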
<p>Modify the app.policy file with policytool. For more information, see <a href="seccupol.htm">Create and edit policy files with the policy tool</a>. The changes are local to the node.</p>
<p>The app.policy file that is supplied by WebSphere Application Server - Express resides at /QIBM/UserData/WebASE51/ASE/<em>instance</em>/config/cells/<em>cell</em>/nodes/<em>node</em>/app.policy, where <em>instance</em> is the name of your instance, <em>cell</em> is the name of your cell, and <em>node</em> is the name of your node.</p>
<p>The app.policy file contains these default permissions:</p>
<pre>grant codeBase "file:${application}" {
  // The following are required by Java mail
  permission java.io.FilePermission
    "${was.install.root}${/}java${/}extlib${/}mail.jar", "read";
  permission java.io.FilePermission
    "${was.install.root}${/}java${/}extlib${/}activation.jar", "read";
};

grant codeBase "file:${jars}" {
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};

grant codeBase "file:${connectorComponent}" {
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};

grant codeBase "file:${webComponent}" {
  permission java.io.FilePermission "${was.module.path}${/}-", "read, write";
  permission java.lang.RuntimePermission "loadLibrary.*";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};</pre>
<p>If all of the WebSphere Application Server - Express enterprise applications within a cell require permissions that are not defined as defaults in the app.policy file, you may have to update the app.policy file, and possibly the server.policy file.</p>
<p>If you change the app.policy file, you must restart all enterprise applications to ensure that the updated app.policy file takes effect.</p>
</body>
</html>