Enabling the Java Security Manager

Web Server supports the Java Security Manager. The Java Security Manager is disabled by default when you install the product, which can improve performance significantly for some types of applications. Enabling the Java Security Manager might improve security by restricting the rights granted to your Java EE web applications. To enable the Java Security Manager, add the following JVM options to the server.xml file.

<jvm-options>-Djava.security.manager</jvm-options>

<jvm-options>-Djava.security.policy=instance_dir

/config/server.policy</jvm-options>

where instance_dir is the path to the installation directory of this server instance.

Whether you should run with the Security manager depends on your application and deployment needs.

Running with the Security Manager helps catch some specification issues with Java EE applications. All Java EE applications should be able to run with the Security Manager active and with only the default permissions. Therefore, the Security Manager should be turned on during development. Applications that can easily be deployed in environments where the Security Manager is always active, such as some versions of Sun Java System Application Server. Running with the Security Manager also helps isolate applications and may catch inappropriate operations.

The main drawback of running with the Security Manager is that it negatively affects performance. Depending on the application details and the deployment environment, this impact could be minor or quite significant.