This chapter is from the book

5.6 The server.policy File

Web Server 7 is a Java EE 1.4–compliant web server. As such, it follows the recommendations and requirements of the Java EE specification, including the optional presence of the Security Manager, which is the Java component that enforces policy, and a limited permission set for Java EE application code.

Each Web Server instance has its own standard Java Platform, Standard Edition (Java SE platform) server policy file named server.policy. The server policy file controls the access that applications have to resources such as files on the file system.

5.6.1 Syntax

Directives in the server policy file grant explicit permission to access a particular resource. Without such a grant, applications are implicitly denied access. Server policy directives adhere to the following syntax:

    grant [codeBase "path"] {
       permission permission_class "package", "permission_type";
       ...
    };

For example, the following directive grants web applications explicit permission to access shared system library files:

    grant codeBase "file:/usr/share/lib/-" {
       permission java.security.AllPermission;
    };

5.6.2 Context

Each server instance has its own server policy file; therefore, there is a one-to-one correspondence between the server instance and the server policy file.

5.6.3 Modifications

In Web Server 7, the Java SE SecurityManager (the Java component that enforces the policy) is not active by default. The policies granted in the server policy file have no effect unless the SecurityManager is enabled in the server.xml file. You can enable the Java SE SecurityManager by adding the following Java Virtual Machine (JVM) options to the server.xml file:

    <jvm>
       <jvm-options>-Djava.security.manager</jvm-options>
       <jvm-options>-Djava.security.policy=instance_dir/config/server.policy</jvm-options>
    </jvm>

You can also add JVM options by using the Administration Console or the command line interface. After adding the options, you must deploy the updated configuration before the changes are reflected on the appropriate Administration Node(s).

The Administration Console and command line interface do not provide a method for managing the server policy file. As such, directives must be added to the server.policy file directly on a particular Administration Node. After the file has been edited, the modifications must be pulled back into the configuration and then pushed out to additional Administration Nodes as appropriate.
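Because the policy file is edited by hand and has no effect until the SecurityManager is enabled, a review script can check both files together. The following Python script is an added example, not code from the book or the product: it parses the grant form shown in section 5.6.1, reports AllPermission grants, and checks server.xml for the -Djava.security.manager option. The function names parse_policy and audit and both sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs for illustration; not from a real instance.
SAMPLE_POLICY = '''
// shared system libraries
grant codeBase "file:/usr/share/lib/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:/opt/apps/reports/-" {
    permission java.io.FilePermission "/var/reports/-", "read";
};
grant {
    permission java.util.PropertyPermission "*", "read";
};
'''
SAMPLE_SERVER_XML = '''<server><jvm>
  <jvm-options>-Djava.security.manager</jvm-options>
  <jvm-options>-Djava.security.policy=instance_dir/config/server.policy</jvm-options>
</jvm></server>'''

# Covers only the grant form shown in section 5.6.1 (optional codeBase).
GRANT_RE = re.compile(r'grant\s*(?:codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.$]+)\s*(?:"([^"]*)")?\s*(?:,\s*"([^"]*)")?\s*;')

def parse_policy(text):
    """Return [(codebase or None, [(class, target, actions), ...]), ...]."""
    # Drop whole-line // comments only, so "/*" or "//" inside quoted paths survive.
    text = re.sub(r'^[ \t]*//.*$', '', text, flags=re.M)
    return [(cb or None, PERM_RE.findall(body)) for cb, body in GRANT_RE.findall(text)]

def audit(policy_text, server_xml):
    """Return findings for an inactive policy and for AllPermission grants."""
    findings = []
    opts = []
    for elem in ET.fromstring(server_xml).iter('jvm-options'):
        opts.extend((elem.text or '').split())
    if not any(o.split('=')[0] == '-Djava.security.manager' for o in opts):
        findings.append('SecurityManager not enabled: server.policy has no effect')
    for codebase, perms in parse_policy(policy_text):
        for cls, _target, _actions in perms:
            if cls == 'java.security.AllPermission':
                scope = codebase or 'all code (grant without codeBase)'
                findings.append(f'AllPermission granted to {scope}')
    return findings

if __name__ == '__main__':
    for finding in audit(SAMPLE_POLICY, SAMPLE_SERVER_XML):
        print(finding)
```

Grants that use other clauses of the Java policy grammar, such as signedBy or principal, are not matched by this pattern and need a fuller parser.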
