Java 2 Security in WebSphere (app.policy was.policy)

Java 2 Security is a control that allows or denies access to resources based on rules. It is disabled by default, so you must enable it before it takes effect. Once Java 2 Security is enabled, access to resources may be denied, so enable it in your development environment first, before doing so in production.

  1. In the left panel of the WebSphere admin console, expand Security and select Global Security.
  2. Select Use Java 2 security to restrict application access to local resources.
  3. Select OK.
  4. Select Save.
  5. Restart the cell (nodes, JVMs, dmgr).

 

Several files can be used to configure an application's Java 2 security.

| File Name | Description |
|---|---|
| app.policy | Policy for every application in the cell |
| client.policy | Policy for client containers and applets |
| filter.policy | Policy to filter permissions that are set in app.policy or was.policy |
| java.policy | Policy for specific Java classes in an application |
| library.policy | Policy for shared libraries |
| server.policy | Policy for WebSphere application server processes |
| spi.policy | Policy for Service Provider Interface (spi) |
| was.policy | Policy for a single application in the cell |

 


Example

Let's say an application needs permission to read the example.jar file. Without proper Java 2 security, there may be a security exception in the SystemOut.log.

java.security.AccessControlException: access denied (java.io.FilePermission ${was.install.root}/path/to/example.jar read)

 

This issue can be resolved by adding the following to one of the Java 2 security policy files.

grant codeBase "file:user_client_installed_location" { 
  permission java.io.FilePermission "${was.install.root}$(/)path$(/)to$(/)example.jar", "read";
};
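
When Java 2 Security is first enabled in development, SystemOut.log usually contains many such denials. The following sketch is an added example, not part of the original page or of WebSphere: it collects every AccessControlException denial from log text, merges actions per target, and renders one grant stanza to review before copying into a policy file. The function names and the sample log are constructed for illustration, and the codeBase default is the placeholder used above.

```python
import re

# Two message styles: unquoted, as on this page,
#   access denied (java.io.FilePermission /path/example.jar read)
# and quoted, as newer JVMs print it,
#   access denied ("java.io.FilePermission" "/path/example.jar" "read")
# \s+ also spans a line break, so an entry wrapped in the log still matches.
# Limitation: unquoted targets that contain spaces are not recognised.
DENIED = re.compile(
    r'access denied \(\s*"?(?P<cls>[\w.$]+)"?'
    r'(?:\s+(?:"(?P<qname>[^"]*)"|(?P<name>\S+)))?'
    r'(?:\s+(?:"(?P<qact>[^"]*)"|(?P<act>[^)\s]+)))?\s*\)'
)

# Constructed sample input (not a real SystemOut.log).
SAMPLE_LOG = """\
java.security.AccessControlException: access denied (java.io.FilePermission
${was.install.root}/path/to/example.jar read)
java.security.AccessControlException: access denied ("java.io.FilePermission" "${was.install.root}/path/to/example.jar" "write")
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
"""


def denied_permissions(log_text):
    """Map (permission class, target) -> ordered list of denied actions."""
    found = {}
    for m in DENIED.finditer(log_text):
        target = m.group("qname") if m.group("qname") is not None else m.group("name")
        actions = m.group("qact") or m.group("act") or ""
        seen = found.setdefault((m.group("cls"), target), [])
        for action in (a.strip() for a in actions.split(",")):
            if action and action not in seen:
                seen.append(action)
    return found


def grant_block(log_text, code_base="file:user_client_installed_location"):
    """Render one grant stanza covering exactly the denials seen in the log."""
    lines = ['grant codeBase "%s" {' % code_base]
    for (cls, target), actions in denied_permissions(log_text).items():
        entry = "  permission " + cls
        if target is not None:
            # Policy files treat backslash as an escape, so Windows paths need doubling.
            entry += ' "%s"' % target.replace("\\", "\\\\")
        if actions:
            entry += ', "%s"' % ",".join(actions)
        lines.append(entry + ";")
    return "\n".join(lines + ["};"])


if __name__ == "__main__":
    print(grant_block(SAMPLE_LOG))
```

Because the stanza lists only what was actually denied, it keeps grants narrow; review each line against what the application legitimately needs before adding it.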

 


app.policy

The default app.policy file is located at was_install_root/config/cells/your_cell/nodes/your_node/app.policy. If you change the app.policy file, you need to restart the JVMs in the node for the change to take effect.

 


was.policy

The was.policy file is included in an EAR, so changes made to was.policy apply only to the applications in that EAR. Place the was.policy file in the was_install_root/installedApps/cell_name/your_ear/META-INF/ directory. If you change the was.policy file, you need to restart the application for the change to take effect.

 


