We wrote a web application several years ago. It runs in Websphere (6.1 now). Since it used RMI to communicate with the computers where the data is stored, we had to turn on Java 2 security in the Websphere configuration. We also had to put a was.policy file into the application's EAR file which allowed it to use RMI and so on. That's all working okay.
But now we have another web application, written by a third party, which we want to install. They install only a WAR file, and they read configurations and so on from the local disk, so when we try to run it, security exceptions occur. Turning off Java 2 security makes those go away, and then the application runs.
So I'm trying to figure out how to put a was.policy file into their application. The IBM system management redbook says to put the was.policy file into the META-INF directory of the EAR file and that's all it has to say about was.policy.
I tried unpacking the application's WAR file and repacking it with our was.policy file in its META-INF directory, but that didn't seem to solve the problem. Should that have worked? Or is there some variant of that idea which should work?
If not, my possibilities seem to include: (1) run the new application in a second Websphere server (2) replace the default was.policy file in the installed server by our version. Are there any others? And is (2) a bad idea?
From the little work that I have done with Java 2 Security, I believe the update of the policy file in the WAR should have worked. I know that in some instances I have had some problems getting the policy to apply, and usually uninstall the app, stop the server, start the server, and install the application.
Another alternative would be it apply the policy to the app.policy file, which would apply to all applications, which would apply the policy to all applications which is probably not what you are looking for.
Thanks, Frank. Yes, I thought that putting the was.policy file there should work, so it's quite possible that I didn't do things in the right order. And I don't think I would mind modifying the app.policy so my policy applied to all applications on the server, it's just that since there isn't an option in the administration application to do that, it feels a bit irregular. Thanks for the input.