Use PolicyTool to edit policy files

 

Overview

Java 2 security uses several policy files to determine the granted permission for each Java program. See Dynamic policy for the list of available policy files. The Java Development Kit provides policytool to edit these policy files. This tool is recommended for editing any policy file to verify the syntax of its contents. Syntax errors in the policy file cause an AccessControlException during application execution, including the server start. Identifying the cause of this exception is not easy because the user might not be familiar with the resource that has an access violation. Be careful when you edit these policy files.

  1. Start policytool. Enter %{was.install.root}/java/jre/bin/policytool from a command prompt.

    The policytool window opens. The policytool looks for the .java.policy file in your home directory. If it does not exist, an Error message displays. Click OK.

  2. Click File > Open.

  3. Navigate the directory tree in the Open window to pick up the policy file that you need to update. After selecting the policy file, click Open. The code base entries are listed in the window.

  4. Create or modify the code base entry.

    1. Modify the existing code base entry by double-clicking the code base, or click the code base and click Edit Policy Entry. The Policy Entry window opens with the permission list defined for the selected code base.

    2. Create a new code base entry by clicking Add Policy Entry. The Policy Entry window opens. At the code base column, enter the code base information as a URL format, for example, /WebSphere/AppServer/InstalledApps/testcase.ear.

  5. Modify or add the permission specification

    1. Modify the permission specification by double-clicking the entry you want to modify, or by selecting the permission and clicking Edit Permission. The Permissions window opens with the selected permission information.

    2. Add a new permission by clicking Add Permission. The Permissions window opens. In the Permissions, window there are four rows for Permission, Target Name, Actions, and Signed By.

  6. Select the permission from the Permission list. The selected permission displays. After a permission is selected, the Target Name, Actions, and Signed By fields automatically show the valid choices or they enable text input in the right text input area.

    1. Select Target Name from the list, or enter the target name in the right text input area.

    2. Select Actions from the list.

    3. Input Signed By if it is needed.

      Note: The Signed By keyword is not supported in the following policy files: app.policy, spi.policy, library.policy, was.policy, and filter.policy files. However, the Signed By keyword is supported in the following policy files:java.policy, server.policy, and client.policy files. The Java Authentication and Authorization Service (JAAS) is not supported in the app.policy, spi.policy, library.policy, was.policy, and filter.policy files. However, the JAAS principal keyword is supported in a JAAS policy file when it is specified by the Java Virtual Machine (JVM) system property, java.security.auth.policy.

  7. Click OK to close the Permissions window.Modified permission entries of the specified code base display.

  8. Click Done to close the window. Modified code base entries are listed. Repeat steps 4 through 8 until you complete editing.

  9. Click File > Save after you finish editing the file.

 

Results

A policy file is updated. If any policy files need editing, use the policytool. Do not edit the policy file manually. Syntax errors in the policy files can potentially cause appservers or enterprise applications to not start or function incorrectly. For the changes in the updated policy file to take effect, restart the Java processes.


Related concepts
Java 2 security policy files