spi.policy file permissions

Java™ 2 security uses several policy files to determine the permissions granted to each Java program.

For the list of available policy files that are supported by WebSphere® Application Server Version 6.0.x, see Java 2 security policy files.

Because the default permission for the Service Provider Interface (SPI) is the AllPermission permission, the only reason to update the spi.policy file is to restrict the SPI permissions. When a change to the spi.policy file is required, complete the following steps.

Syntax errors in the policy files cause the application server to fail. Edit these policy files carefully.

Important: Do not place the codebase keyword or any other keyword after the filterMask and runtimeFilterMask keywords. The Signed By and the Java Authentication and Authorization Service (JAAS) Principal keywords are not supported in the spi.policy file. The Signed By keyword is supported in the java.policy, server.policy, and client.policy policy files. The JAAS Principal keyword is supported in a JAAS policy file that is specified by the java.security.auth.policy Java virtual machine (JVM) system property. You can statically set the authorization policy files in java.security.auth.policy with auth.policy.url.n=URL, where URL is the location of the authorization policy.

To extract the spi.policy file, enter the following command using information from your environment:

[z/OS][AIX Solaris HP-UX Linux Windows]

set obj [$AdminConfig extract profiles/profile_name/cells/cell_name/nodes/node_name/spi.policy c:/temp/test/spi.policy]

[IBM i]

set obj [$AdminConfig extract profiles/profile_name/cells/cell_name/nodes/node_name/spi.policy /tmp/test/spi.policy]

Edit the file using the Policy Tool. For more information, see Using PolicyTool to edit policy files for Java 2 security.

To check in the policy file, enter the following command using information from your environment:

[z/OS][AIX Solaris HP-UX Linux Windows]

$AdminConfig checkin profiles/profile_name/cells/cell_name/nodes/node_name/spi.policy c:/temp/test/spi.policy $obj

[IBM i]

$AdminConfig checkin profiles/profile_name/cells/cell_name/nodes/node_name/spi.policy /tmp/test/spi.policy $obj

The updated spi.policy is applied to the Service Provider Interface (SPI) libraries after the Java process is restarted.
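
Because a syntax error in a policy file causes the application server to fail, the edited copy can be checked before it is checked in. The following Python script is an added example, not IBM tooling or part of the original page: it flags the signedBy and principal keywords (the Java policy-syntax spellings of the keywords listed above as unsupported), grant blocks and permission entries that are not terminated, and a remaining AllPermission grant. The function name lint_spi_policy and the sample policies are constructed for illustration, and the check covers only this simplified grammar, not the full policy syntax.

```python
import re

# Java policy-syntax spellings of the keywords the page lists as unsupported here.
UNSUPPORTED = ("signedBy", "principal")
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|/\*.*?\*/|//[^\n]*', re.S)
GRANT = re.compile(r'\bgrant\b([^{};]*)\{([^{}]*)\}\s*(;?)')

def mask(text):
    # Drop comments and blank out quoted strings so values such as
    # "${was.install.root}/-" cannot disturb the brace and ';' checks.
    return TOKEN.sub(lambda m: '""' if m.group(0)[0] == '"' else " ", text)

def lint_spi_policy(text):
    """Return a list of 'error: ...' / 'warn: ...' findings for one policy file."""
    src, findings = mask(text), []
    leftover = GRANT.sub("", src).strip()
    if leftover:  # unbalanced braces or stray text end up here
        findings.append("error: unparsed text outside a grant block: %r" % leftover[:30])
    for head, body, semi in GRANT.findall(src):
        if not semi:
            findings.append("error: grant block is not closed with '};'")
        for kw in UNSUPPORTED:
            if re.search(r"\b%s\b" % kw, head + body, re.I):
                findings.append("error: %s is not supported in spi.policy" % kw)
        entries = body.split(";")
        if entries[-1].strip():
            findings.append("error: last permission entry is missing ';'")
        for entry in (e.strip() for e in entries if e.strip()):
            names = re.findall(r"\bpermission\s+([\w.$]+)", entry)
            if len(names) != 1 or not entry.startswith("permission"):
                findings.append("error: malformed permission entry: %r" % entry[:30])
            elif names[0] == "java.security.AllPermission":
                findings.append("warn: AllPermission leaves the SPI libraries unrestricted")
    return findings

# Constructed sample inputs (not taken from a real cell).
DEFAULT = "grant {\n  permission java.security.AllPermission;\n};\n"
RESTRICTED = '''// constructed restricted grant
grant {
  permission java.io.FilePermission "${was.install.root}/-", "read";
  permission java.util.PropertyPermission "*", "read";
};
'''
BROKEN = 'grant signedBy "vendor" {\n  permission java.net.SocketPermission "*", "connect"\n};\n'

if __name__ == "__main__":
    for name, text in (("default", DEFAULT), ("restricted", RESTRICTED), ("broken", BROKEN)):
        print(name, lint_spi_policy(text) or "ok")
```

Run it against the extracted copy (for example the file written to /tmp/test/spi.policy) and check in only when no error findings are returned.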

Examples

The spi.policy file is the template for SPIs or third-party resources embedded in the product. Examples of SPIs are Java Message Services (JMS) (MQSeries®) and Java database connectivity (JDBC) drivers. They are specified in the resources.xml file. The dynamic policy grants the permissions that are defined in the spi.policy file to the class paths defined in the resources.xml file. The union of the permissions that are contained in the java.policy file and the spi.policy file is applied to the SPI libraries. The spi.policy files are managed by configuration and file replication services.

Changes made in these files are replicated to other nodes in the cell.

[z/OS][AIX Solaris HP-UX Linux Windows]

You can find the spi.policy file that is supplied by WebSphere Application Server in the following location: app_server_root/profiles/profile_name/config/cells/cell_name/nodes/node_name/spi.policy. This file contains the following default permission:

grant {
  permission java.security.AllPermission;
};

[IBM i]

You can find the spi.policy file that is supplied by WebSphere Application Server in the following location: profile_root/config/cells/cell_name/nodes/node_name/spi.policy. It contains the following default permission:

grant {
  permission java.security.AllPermission;
};

Restart the related Java processes for the changes in the spi.policy file to become effective.