IBM WebSphere - Getting Started with Java 2 Security


Java 2 Security is a control that allows or denies access to resources based on rules. It is disabled by default, so you must enable it before you can use it. Once Java 2 Security is enabled, access to resources may be denied, so enable it in your development environment first before doing so in production.

  1. In the WebSphere admin console, expand Security and select Global Security.
  2. Select Use Java 2 security to restrict application access to local resources.
  3. Select OK.
  4. Select Save.
  5. Restart the cell (nodes, JVMs, dmgr).


Several files can be used to configure an application's Java 2 security.

| File Name | Description |
|---|---|
| app.policy | Policy for every application in the cell |
| client.policy | Policy for client containers and applets |
| filter.policy | Policy to filter permissions that are set in app.policy or was.policy |
| java.policy | Policy for specific Java classes in an application |
| library.policy | Policy for shared libraries |
| server.policy | Policy for WebSphere application server processes |
| spi.policy | Policy for Service Provider Interface (spi) |
| was.policy | Policy for a single application in the cell |



Let's say an application needs permission to read the example.jar file. If no Java 2 security policy grants that permission, a security exception like this one may appear in SystemOut.log.

access denied ( ${was.install.root}/path/to/example.jar read)


This issue can be resolved by adding the following to one of the Java 2 security policy files.

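grant codeBase "file:user_client_installed_location" {
  // java.io.FilePermission is the permission type for file reads
  permission java.io.FilePermission "${was.install.root}$(/)path$(/)to$(/)example.jar", "read";
};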
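
The step from a logged denial to a policy entry can be scripted. The following is an added example, not code from the original article or from IBM: it reads access denied messages, drafts a grant entry in the form shown above for narrow requests, and holds back broad ones (write, delete or execute actions, wildcard targets, AllPermission) for manual review. The sample log lines, the /opt/IBM/WebSphere/AppServer install root and all function names are assumptions.

```python
import re

# The JDK has printed this message unquoted (older) and quoted (Java 7+).
QUOTED = re.compile(r'access denied \("([^"]+)" "([^"]*)"(?: "([^"]*)")?\)')
PLAIN = re.compile(r'access denied \((\S+) (.+?)(?: ([\w,]+))?\)')
# Requests a person should look at before anything goes into a policy file.
REVIEW_ACTIONS = {"write", "delete", "execute"}
REVIEW_TARGETS = {"<<ALL FILES>>", "*", "-"}
# Constructed sample lines, not real SystemOut.log output.
SAMPLE_LOG = """\
java.security.AccessControlException: access denied (java.io.FilePermission /opt/IBM/WebSphere/AppServer/path/to/example.jar read)
java.security.AccessControlException: access denied ("java.io.FilePermission" "/opt/IBM/WebSphere/AppServer/path/to/example.jar" "read")
java.security.AccessControlException: access denied ("java.io.FilePermission" "<<ALL FILES>>" "read,write")
"""


def parse_denials(log_text):
    """Unique (permission class, target, actions) tuples in log order."""
    seen = []
    for line in log_text.splitlines():
        m = QUOTED.search(line) or PLAIN.search(line)
        if m:
            entry = (m.group(1), m.group(2), m.group(3) or "")
            if entry not in seen:
                seen.append(entry)
    return seen


def needs_review(perm, target, actions):
    """True when the request is broader than one read-style access."""
    return (perm == "java.security.AllPermission"
            or target in REVIEW_TARGETS
            or target.endswith(("/-", "/*"))
            or bool(REVIEW_ACTIONS & set(actions.split(","))))


def grant_entry(perm, target, actions, install_root, code_base, sep="$(/)"):
    """One grant block, with install_root rewritten as ${was.install.root}."""
    if target.startswith(install_root + "/"):
        rest = target[len(install_root) + 1:].split("/")
        target = sep.join(["${was.install.root}"] + rest)
    args = f'"{target}"' + (f', "{actions}"' if actions else "")
    return f'grant codeBase "{code_base}" {{\n  permission {perm} {args};\n}};'


if __name__ == "__main__":
    root, base = "/opt/IBM/WebSphere/AppServer", "file:user_client_installed_location"
    for d in parse_denials(SAMPLE_LOG):
        print("REVIEW BY HAND: %r" % (d,) if needs_review(*d) else grant_entry(*d, root, base))
```

The separator token defaults to the `$(/)` form used in the grant entry above; pass a different `sep` if your policy files use another form.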



The default app.policy file is located at was_install_root/config/cells/your_cell/nodes/your_node/app.policy. If you change the app.policy file, you need to restart the JVMs in the node for the change to take effect.



The was.policy file is included in an EAR, so changes made to was.policy apply only to the applications in that EAR. Place the was.policy file in the was_install_root/installedApps/cell_name/your_ear/META-INF/ directory. If you change the was.policy file, you need to restart the application for the change to take effect.

