I am deploying a Spring Roo application on Websphere and I need to implement Java 2 Security in that application. When I enable the Java 2 security on the server and deploy the application, it gives me this error:
Error Message: javax.servlet.ServletException: SRVE0207E: Uncaught initialization exception created by servlet
Error Code: 500
Target Servlet: MyApplication
Error Stack:
org.springframework.beans.factory.BeanDefinitionStoreException: Failed to read candidate component class: file [C:\Program Files\IBM\WebSphere 7.0\AppServer\profiles\AppSrv01\installedApps\antonNode01Cell\MyApplication-1_0_30_BUILD-SNAPSHOT_war.ear\MyApplication-1.0.30.BUILD-SNAPSHOT.war\WEB-INF\classes\com\transoftinc\vlm\myapp\annotations\CSV.class]; nested exception is java.security.AccessControlException: Access denied (java.lang.RuntimePermission accessDeclaredMembers)
at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.findCandidateComponents(ClassPathScanningCandidateComponentProvider.java:237)
at org.springframework.context.annotation.ClassPathBeanDefinitionScanner.doScan(ClassPathBeanDefinitionScanner.java:204)
at org.springframework.context.annotation.ComponentScanBeanDefinitionParser.parse(ComponentScanBeanDefinitionParser.java:84)
at org.springframework.beans.factory.xml.NamespaceHandlerSupport.parse(NamespaceHandlerSupport.java:73)
at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1335)
at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1325)
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.parseBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:135)
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.registerBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:93)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.registerBeanDefinitions(XmlBeanDefinitionReader.java:493)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:390)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:334)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:302)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:143)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:178)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:149)
at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:124)
at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:93)
at org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:130)
at org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:467)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:397)
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:276)
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:197)
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47)
at com.ibm.ws.webcontainer.webapp.WebApp.notifyServletContextCreated(WebApp.java:1708)
at com.ibm.ws.webcontainer.webapp.WebApp.commonInitializationFinish(WebApp.java:381)
at com.ibm.ws.webcontainer.webapp.WebAppImpl.initialize(WebAppImpl.java:299)
...
I believe the problem is security settings for the application. (Or the absence of them.) Normally, Websphere expects a was.policy file to be included in the EAR, which defines these settings. However, because I am deploying a WAR – there is no apparent way to supply that file. If I drop it into either of the two META-INF directories in my application – the error is the same. As if, Websphere was not finding the was.policy file.
My was.policy file:
grant codeBase "file:${application}" {
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.security.AllPermission;
};
grant codeBase "file:${jars}" {
permission java.security.AllPermission;
};
grant codeBase "file:${connectorComponent}" {
permission java.security.AllPermission;
};
grant codeBase "file:${webComponent}" {
permission java.security.AllPermission;
};
grant codeBase "file:${ejbComponent}" {
permission java.security.AllPermission;
};
Question:
How can I define security settings for my application?
And really, my goal is just to give all permissions and move on. I hope this is possible somehow…
I believe META-INF/was.policy is only supported for EARs, not standalone WARs. Suggestions: