Sun Java System Web Server 7.0 Developer's Guide to Java Web Applications

The server.policy File

Each Sun Java System Web Server 7.0 instance has its own standard Java Platform, Standard Edition (Java SE™ platform) policy file, located in the instance_dir/config directory. The file is named server.policy.

Sun Java System Web Server 7.0 is a Java EE 1.4-compliant web server. As such, it follows the recommendations and requirements of the Java EE specification, including the optional presence of the Security Manager, which is the Java component that enforces the policy, and a limited permission set for Java EE application code.

This section includes the following topics:

Default Permissions

Internal server code is granted all permissions by the AllPermission grant blocks to various parts of the server infrastructure code. Do not modify these entries.

Application permissions are granted in the default grant block. These permissions apply to all code not part of the internal server code listed previously.

A few permissions above the minimal set are also granted in the default server.policy file. These permissions are necessary due to various internal dependencies of the server implementation. Java EE application developers should not rely on these additional permissions.

Changing Permissions for an Application

The default policy for each instance limits the permissions of Java EE-deployed applications to the minimal set of permissions required for these applications to operate correctly. If you develop applications that require more than this default set of permissions, you can edit the server.policy file to add the custom permissions that your applications need.

You should add the extra permissions only to the applications that require them, not to all applications deployed to a server instance. Do not add extra permissions to the default set, that is, the grant block with no codebase, which applies to all code. Instead, add a new grant block with a codebase specific to the application that requires the extra permissions, and add only the minimally necessary permissions in that block.


Note –

Do not add java.security.AllPermission to the server.policy file for application code. Doing so completely defeats the purpose of the Security Manager, yet you still get the performance overhead associated with it.


As noted in the Java EE specification, an application should provide documentation of the additional permissions it needs. If an application requires extra permissions but does not document the set it needs, contact the application author for details.

As a last resort, you can iteratively determine the permission set an application needs by observing AccessControlException occurrences in the server log. If this information is not sufficient, you can add the -Djava.security.debug=all JVM option to the server instance. For details, see the Sun Java System Web Server 7.0 Administrator’s Guide.
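The iterative approach above, combined with the codebase-specific grant block recommended earlier, as an added example (not code from this guide or from the server): it reads AccessControlException messages and prints a grant block for one application. The class name, the log lines and the codebase URL are constructed placeholders, and the message formats assumed are the unquoted form of older JDKs and the quoted form of later ones.

```java
import java.util.*;
import java.util.regex.*;

public class PolicyFromLog {
    // Payload of "access denied (...)" as written by AccessControlException.
    static final Pattern DENIED = Pattern.compile("AccessControlException: access denied \\((.*)\\)");
    static final Pattern QUOTED = Pattern.compile("\"([^\"]*)\"");

    // Splits the payload into class, target, actions. Older JDKs print the fields
    // unquoted and space-separated; later JDKs quote each field.
    static List<String> fields(String body) {
        if (!body.startsWith("\"")) return Arrays.asList(body.split("\\s+", 3));
        List<String> out = new ArrayList<String>();
        Matcher q = QUOTED.matcher(body);
        while (q.find()) out.add(q.group(1));
        return out;
    }

    static String quote(String s) { // policy file strings need \ and " escaped
        return "\"" + s.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }

    // Builds one grant block scoped to a single codebase, never the default block.
    static String grantBlock(String codeBase, List<String> logLines) {
        Set<String> entries = new LinkedHashSet<String>(); // drops repeated denials
        for (String line : logLines) {
            Matcher m = DENIED.matcher(line);
            if (!m.find()) continue;
            List<String> f = fields(m.group(1));
            if (f.isEmpty() || f.get(0).equals("java.security.AllPermission")) continue; // never grant
            StringBuilder p = new StringBuilder("    permission " + f.get(0));
            if (f.size() > 1) p.append(' ').append(quote(f.get(1)));
            if (f.size() > 2) p.append(", ").append(quote(f.get(2)));
            entries.add(p.append(';').toString());
        }
        StringBuilder sb = new StringBuilder("grant codeBase " + quote(codeBase) + " {\n");
        for (String e : entries) sb.append(e).append('\n');
        return sb.append("};").toString();
    }

    public static void main(String[] args) {
        List<String> log = Arrays.asList( // constructed sample log lines
            "x java.security.AccessControlException: access denied (java.io.FilePermission /var/reports/out.csv write)",
            "x java.security.AccessControlException: access denied (\"java.util.PropertyPermission\" \"user.home\" \"read\")",
            "x java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)",
            "x java.security.AccessControlException: access denied (java.security.AllPermission <all permissions> <all actions>)");
        System.out.println(grantBlock("file:/PLACEHOLDER/path/to/webapp/-", log)); // placeholder codebase
    }
}
```

A denial records only what the code attempted, so review each generated entry and narrow its target and actions before copying the block into server.policy.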

You can use the Java SE standard policy tool or any text editor to edit the server.policy file. For more information, see

http://java.sun.com/docs/books/tutorial/security1.2/tour2/index.html.

For detailed information about the permissions you can set in the server.policy file, see:

http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html.

For the Javadoc for the Permission class, see

http://java.sun.com/j2se/1.4.2/docs/api/java/security/Permission.html.