Using Policy Tool to edit policy files for Java 2 security
Java 2 security uses several policy files to determine the permissions granted to each Java program. The Java Development Kit provides the Policy Tool to edit these policy files. This tool is recommended for editing any policy file because it verifies the syntax of the file contents. Syntax errors in the policy file cause an AccessControlException exception when the application runs, including at server start. Identifying the cause of this exception is not easy because the user might not be familiar with the resource that has an access violation. Be careful when you edit these policy files.
List of available Java 2 security policy files:
Static policy files
java.policy - Default permissions are granted to all classes. The policy of this file applies to all the processes launched by WebSphere® Application Server.
server.policy - Default permissions are granted to all the product servers.
client.policy - Default permissions are granted for all of the product client containers and applets on a node.
The static policy files are not managed by configuration and file replication services. Changes made in these files are local and are not replicated to other nodes in the WebSphere Application Server, Network Deployment cell.
Dynamic policy files
spi.policy - This template is for the Service Provider Interface (SPI) or the third-party resources that are embedded in the product.
library.policy - This template is for the library (Java library classes). You can define a shared library to use in multiple product applications.
app.policy - The app.policy file defines the default permissions that are granted to all of the enterprise applications running on
was.policy - This template is for application-specific permissions. The was.policy file is embedded in the enterprise archive (EAR) file.
ra.xml - This file can have a permission specification that is defined in the ra.xml file. The ra.xml file is embedded in the RAR file.
Start the Policy Tool.
For example, you can enter the following command at a Linux command prompt:
test317:~ # cd /opt/IBM/WebSphere/AppServer/java/jre/bin
test317:/opt/IBM/WebSphere/AppServer/java/jre/bin # ./policytool
The Policy Tool window opens. The tool looks for the java.policy file in your home directory.
Click File > Open.
Navigate the directory tree in the Open window to pick up the policy file that you need to update. After selecting the policy file, click Open. The code base entries are listed in the window.
Create or modify the code base entry.
Modify or add the permission specification.
Modify the permission specification by double-clicking the entry that you want to modify, or by selecting the permission and clicking Edit Permission. The Permissions window opens with the selected permission information.
Add a new permission by clicking Add Permission. The Permissions window opens. The Permissions window has four rows: Permission, Target Name, Actions, and Signed By.
Select the permission from the Permission list. The selected permission displays. After a permission is selected, the Target Name, Actions, and Signed By fields automatically show the valid choices or they enable text input in the right text input area.
Click OK to close the Permissions window. Modified permission entries of the specified code base display.
Click Done to close the window. Modified code base entries are listed. Repeat the previous steps until you complete editing.
Click File > Save after you finish editing the file.
The policy file is updated. If any policy files need editing, use the Policy Tool utility. Do not edit the policy file manually. Syntax errors in the policy files can potentially cause application servers or enterprise applications to fail to start or to function incorrectly. For the changes in the updated policy file to take effect, restart the Java processes.
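Added example (not from the IBM documentation and not part of Policy Tool): a read-only Python check that parses the grant entries of a saved policy file into the same four fields that the Permissions window shows, reports statements that do not parse, and flags java.security.AllPermission grants for review. It assumes the standard JDK policy-file grammar; the sample policy, its paths and the opsKey alias are constructed, and audit_policy is a hypothetical helper name.

```python
import re

# Constructed sample in Java policy-file syntax; paths and key alias are made up.
SAMPLE_POLICY = r'''
// constructed sample, not a shipped policy file
grant codeBase "file:${application}" {
    permission java.io.FilePermission "/tmp/app/-", "read,write";
    permission java.util.PropertyPermission "user.dir", "read", signedBy "opsKey";
};
grant codeBase "file:/opt/vendor/lib/-" {
    permission java.security.AllPermission;
};
'''

STR = r'"[^"]*"'
COMMENT_RE = re.compile(STR + r'|//[^\n]*|/\*.*?\*/', re.S)
GRANT_RE = re.compile(r'\bgrant\b((?:%s|[^{"])*)\{((?:%s|[^}"])*)\}\s*;' % (STR, STR), re.I)
KEYSTORE_RE = re.compile(r'\bkeystore\w*\s+%s(?:\s*,\s*%s)*\s*;' % (STR, STR), re.I)
PERM_RE = re.compile(
    r'permission\s+([\w.$]+)'                 # Permission (class name)
    r'(?:\s+"([^"]*)")?'                      # Target Name
    r'(?:\s*,\s*"([^"]*)")?'                  # Actions
    r'(?:\s*,\s*signedBy\s+"([^"]*)")?\s*$',  # Signed By
    re.I)

def audit_policy(text):
    """Return (entries, problems) for the grant entries of a policy file."""
    # Drop // and /* */ comments; quoted strings such as "file://host/x" are kept.
    text = COMMENT_RE.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else ' ', text)
    entries, problems = [], []
    for header, body in GRANT_RE.findall(text):
        cb = re.search(r'codeBase\s+"([^"]*)"', header, re.I)
        code_base = cb.group(1) if cb else None  # None: the grant applies to all code
        perms = []
        for stmt in re.findall(r'(?:"[^"]*"|[^;"])+', body):  # split on ';' outside strings
            stmt = stmt.strip()
            m = PERM_RE.match(stmt)
            if stmt and m is None:
                problems.append(f'syntax: {code_base}: cannot parse {stmt!r}')
            elif m:
                perms.append(m.groups())
                if m.group(1) == 'java.security.AllPermission':
                    problems.append(f'broad: {code_base}: AllPermission granted')
        entries.append({'codeBase': code_base, 'permissions': perms})
    residue = KEYSTORE_RE.sub('', GRANT_RE.sub('', text)).strip()
    if residue:
        problems.append(f'syntax: text outside a complete entry: {residue[:40]!r}')
    return entries, problems
```

Call audit_policy on the text of a saved policy file; principal clauses in a grant header are accepted but not reported in the result.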