An application might need a was.policy file if it accesses resources that require more permissions than those granted in the default app.policy file.
The default policy for all applications is specified in the app.policy file. This file is provided by the product security and is common to all applications; do not change this file. Add any new permissions that are required for an application in the was.policy file.
The app.policy file is located in the profile_root/config/cells/cell_name/nodes/node_name directory. The contents of the app.policy file are presented in the following example:
// The following permissions apply to all the components under the application.
grant codeBase "file:${application}" {
  // The following are required by JavaMail
  permission java.io.FilePermission "${was.install.root}${/}lib${/}mail-impl.jar","read";
  permission java.io.FilePermission "${was.install.root}${/}lib${/}activation-impl.jar","read";
};

// The following permissions apply to all utility .jar files (other
// than enterprise beans JAR files) in the application.
grant codeBase "file:${jars}" {
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};

// The following permissions apply to connector resources within the application
grant codeBase "file:${connectorComponent}" {
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};

// The following permissions apply to all the Web modules (.war files)
// within the application.
grant codeBase "file:${webComponent}" {
  permission java.io.FilePermission "${was.module.path}${/}-", "read, write";
  // where "was.module.path" is the path where the Web module is
  // installed. Refer to Dynamic policy concepts for other symbols.
  permission java.lang.RuntimePermission "loadLibrary.*";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};

// The following permissions apply to all the EJB modules within the application.
grant codeBase "file:${ejbComponent}" {
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};
If additional permissions are required for an application or for one or more modules of an application, use the was.policy file for that application. For example, use codeBase of ${application} and add required permissions to grant additional permissions to the entire application. Similarly, use codeBase of ${webComponent} and ${ejbComponent} to grant additional permissions to all the Web modules and all the enterprise bean modules in the application. You can assign additional permissions to each module (.war file or .jar file), as shown in the following example.
This example illustrates adding extra permissions for an application in the was.policy file:
// grant additional permissions to a Web module
grant codeBase "file:aWebModule.war" {
  permission java.security.SecurityPermission "printIdentity";
};

// grant additional permission to an EJB module
grant codeBase "file:aEJBModule.jar" {
  permission java.io.FilePermission "${user.install.root}${/}bin${/}DefaultDB${/}-", "read,write,delete";
  // where, ${user.install.root} is the system property whose value is
  // located in the app_server_root directory.
};
To use a was.policy file for your application, perform the following steps:
This step is required for applications to run properly when Java 2 security is enabled. If the was.policy file is not created with the required permissions, the application might not be able to access system resources.
java.security.AccessControlException: access denied (java.io.FilePermission app_server_root/lib/mail-impl.jar read)
The previous two lines are one continuous line for illustration purposes only.
grant codeBase "file:${application}" {
  permission java.io.FilePermission "app_server_root/lib/mail-impl.jar", "read";
};
Lines are split in this example for illustration purposes only.
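The mapping from an access-denied message to a was.policy entry can be scripted. The following Python script is an added example, not part of the product documentation: it reads AccessControlException lines, merges duplicates, and prints one candidate grant block. The function names, the sample log lines, and the default codeBase of ${application} are assumptions made for illustration.

```python
import re

# Constructed sample log lines. The first is the exception shown on this page;
# the quoted form is how later JDKs print the same denial.
SAMPLE_LOG = [
    "java.security.AccessControlException: access denied "
    "(java.io.FilePermission app_server_root/lib/mail-impl.jar read)",
    'java.security.AccessControlException: access denied '
    '("java.io.FilePermission" "app_server_root/lib/mail-impl.jar" "read")',
    'java.security.AccessControlException: access denied '
    '("java.lang.RuntimePermission" "queuePrintJob")',
    "unrelated log line without a denial",
]

DENIED = re.compile(r"access denied \((.*)\)\s*$")

def parse_denial(line):
    """Return (permission_class, target, actions) or None if no denial."""
    m = DENIED.search(line)
    if not m:
        return None
    body = m.group(1).strip()
    if body.startswith('"'):
        parts = re.findall(r'"([^"]*)"', body)
    else:
        # Unquoted form: class first, action list last, target in between.
        words = body.split()
        parts = words if len(words) < 3 else [words[0], " ".join(words[1:-1]), words[-1]]
    if len(parts) < 2:
        return None
    actions = parts[2].split(",") if len(parts) > 2 and parts[2] else []
    return parts[0], parts[1], [a.strip() for a in actions]

def build_grant(log_lines, code_base="file:${application}"):
    """Merge denials into one candidate grant block for was.policy."""
    perms = {}  # (class, target) -> unique actions, in first-seen order
    for cls, target, actions in filter(None, map(parse_denial, log_lines)):
        seen = perms.setdefault((cls, target), [])
        seen += [a for a in actions if a not in seen]
    out = ['grant codeBase "%s" {' % code_base]
    for (cls, target), actions in perms.items():
        suffix = ', "%s"' % ",".join(actions) if actions else ""
        out.append('  permission %s "%s"%s;' % (cls, target, suffix))
    out.append("};")
    return "\n".join(out)

if __name__ == "__main__":
    print(build_grant(SAMPLE_LOG))
```

Treat the output as a list of candidates to review. Before adding an entry to was.policy, confirm that the application needs the permission and narrow the codeBase to a single module where that is sufficient.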