Sun GlassFish Enterprise Server v2.1.1 Developer's Guide

Changing Permissions for an Application

The default policy for each domain limits the permissions of Java EE deployed applications to the minimal set of permissions required for these applications to operate correctly. Do not add extra permissions to the default set (the grant block with no codebase, which applies to all code). Instead, add a new grant block with a codebase specific to the applications requiring the extra permissions, and only add the minimally necessary permissions in that block.

If you develop multiple applications that require more than this default set of permissions, you can add the custom permissions that your applications need. The com.sun.aas.instanceRoot variable refers to the domain-dir. For example:

grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-apps/-" {

You can add permissions to stub code with the following grant block:

grant codeBase "file:${com.sun.aas.instanceRoot}/generated/-" {

In general, you should add extra permissions only to the applications or modules that require them, not to all applications deployed to a domain. For example:

grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-apps/MyApp/-" {

For a module:

grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/MyModule/-" {

An alternative way to add permissions to a specific application or module is to edit the granted.policy file for that application or module. The granted.policy file is located in the domain-dir/generated/policy/app-or-module-name directory. In this case, you add permissions to the default grant block. Do not delete permissions from this file.

When the application server policy subsystem determines that a permission should not be granted, it logs a server.policy message specifying the permission that was not granted and the protection domains, with indicated code source and principals that failed the protection check. For example, here is the first part of a typical message:

JACC Policy Provider: PolicyWrapper.implies, context(null)- 
permission((java.util.PropertyPermission write)) 
domain that failed(ProtectionDomain
(file:/E:/glassfish/domains/domain1/applications/j2ee-modules/cejug-clfds/ ... )

Granting the following permission eliminates the message:

grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/cejug-clfds/-" {
    permission java.util.PropertyPermission "", "write";

Note –

Do not add to the server.policy file for application code. Doing so completely defeats the purpose of the security manager, yet you still get the performance overhead associated with it.

As noted in the Java EE specification, an application should provide documentation of the additional permissions it needs. If an application requires extra permissions but does not document the set it needs, contact the application author for details.

As a last resort, you can iteratively determine the permission set an application needs by observing AccessControlException occurrences in the server log.

If this is not sufficient, you can add the JVM option to the domain. Use the following asadmin create-jvm-options command, then restart the server:

asadmin create-jvm-options --user adminuser

For more information about the asadmin create-jvm-options command, see the Sun GlassFish Enterprise Server v2.1.1 Administration Reference.

You can use the J2SE standard policytool or any text editor to edit the server.policy file. For more information, see

For detailed information about policy file syntax, see

For information about using system properties in the server.policy file, see For information about Enterprise Server system properties, see system-property in Sun GlassFish Enterprise Server v2.1.1 Administration Reference.

For detailed information about the permissions you can set in the server.policy file, see

The Javadoc for the Permission class is at