Enabling the Java Security Manager

Sun Java System Web Server 6.1 supports the Java Security Manager. The Java Security Manager is disabled by default when you install the product, which may improve performance significantly for some types of applications. Enabling the Java Security Manager may improve security by restricting the rights granted to your J2SE web applications. To enable the Java Security Manager, “uncomment” entries in the server.xml file:

<JVMOPTIONS>-Djava.security.manager</JVMOPTIONS>

<JVMOPTIONS>-Djava.security.policy=instance_dir

/config/server.policy</JVMOPTIONS>

where instance_dir is the path to the installation directory of this server instance.

Based on your application and deployment needs, you should evaluate whether to run with or without the Security Manager.

Running with the Security Manager on will help catch some spec-compliance issues with J2SE applications. All J2SE applications should be able to run with the Security Manager active and with only the default permissions. For this reason it is recommended that the Security Manager be turned on during development. This will help produce applications that can easily be deployed in environments where the Security Manager is always active (such as Sun™ Java System Application Server). Running with the Security Manager also helps isolate applications and may catch inappropriate operations.

The main drawback of running with the Security Manager is that it negatively impacts performance. Depending on the application details and the deployment environment, this impact may be negligible or quite significant.