The CICS-supplied enterprise beans policy file, dfjejbpl.policy

The CICS-supplied enterprise beans policy file, dfjejbpl.policy, is based on the security policy recommended in the Sun Microsystems Enterprise JavaBeans Specification, Version 1.1, which is available at http://www.javasoft.com/products/ejb. The sample policy file is shown in Figure 1.

In Java 2, the security policy is defined in terms of protection domains, which map permissions to code sources. A protection domain contains a code source with a set of associated permissions.

The CICS-supplied enterprise beans policy file defines two protection domains, which do the following:
  1. Grant the required permissions to the CICS enterprise beans Container code source for execution. See the 'grant codeBase' block in Figure 1.
  2. Grant any code source only the permissions outlined in the Enterprise JavaBeans specification, Version 1. See the default 'grant' block in Figure 1:
    • To allow anyone to initiate a print job request.
    • To allow outbound connections on any TCP/IP port.
    • To allow all system properties to be read.

Remember that if you want to use JDBC or SQLJ from enterprise beans, you need to amend the CICS-supplied enterprise beans policy file to grant permissions to the JDBC driver. The CICS® DB2® Guide tells you how to do this.

Figure 1. Sample CICS enterprise beans security policy
    // permissions granted to CICS enterprise beans Container codesource
    // protection domain
    grant codeBase "file:usr/lpp/cicsts/cicsts31//-" {
      permission java.security.AllPermission;
    };

    // default EJB 1.1 permissions granted to all protection domains
    grant {
      // allows anyone to initiate a print job request
      permission java.lang.RuntimePermission "queuePrintJob";

      // allows outbound connection on any TCP/IP ports
      permission java.net.SocketPermission "*:0-65535", "connect";

      // allows anyone to read properties
      permission java.util.PropertyPermission "*", "read";
    };
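
When you amend the policy file (for example, to add a grant for a JDBC driver), it helps to list which code source receives which permissions and to see the broad grants at a glance. The following Python sketch is an added example, not CICS-supplied code: it parses the grant blocks of a policy file laid out like Figure 1 and reports the wide-scope permissions. The function names and the review rules in `audit` are assumptions made for illustration, and the embedded policy text is a constructed sample.

```python
import re

# Constructed sample with the same layout as Figure 1.
SAMPLE_POLICY = '''
// permissions granted to CICS enterprise beans Container codesource
grant codeBase "file:usr/lpp/cicsts/cicsts31//-" {
  permission java.security.AllPermission;
};
// default EJB 1.1 permissions granted to all protection domains
grant {
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*:0-65535", "connect";
  permission java.util.PropertyPermission "*", "read";
};
'''

# A quoted string is matched first, so the "//" inside a codeBase URL
# is never mistaken for the start of a comment.
TOKEN_RE = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
GRANT_RE = re.compile(r'\bgrant\b([^{]*)\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.$]+)((?:\s*,?\s*"[^"]*")*)\s*;')

def strip_comments(text):
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ' '
    return TOKEN_RE.sub(keep, text)

def parse_policy(text):
    """Return [(codeBase or None, [(permission class, [args])])]."""
    domains = []
    for header, body in GRANT_RE.findall(strip_comments(text)):
        cb = re.search(r'codeBase\s+"([^"]*)"', header)
        perms = [(cls, re.findall(r'"([^"]*)"', args))
                 for cls, args in PERM_RE.findall(body)]
        domains.append((cb.group(1) if cb else None, perms))
    return domains

def audit(domains):
    """List grants a reviewer should look at first (hypothetical rules)."""
    findings = []
    for code_base, perms in domains:
        scope = code_base or "<all code>"
        for cls, args in perms:
            target = args[0] if args else ""
            if cls == "java.security.AllPermission":
                findings.append((scope, cls, "unrestricted"))
            elif cls == "java.net.SocketPermission" and target.split(":")[0] == "*":
                findings.append((scope, cls, "any host"))
            elif cls == "java.util.PropertyPermission" and target == "*":
                findings.append((scope, cls, "all properties"))
    return findings
```

Running `audit(parse_policy(...))` on the file before and after an amendment shows whether a new grant landed in its own `codeBase` block or widened the default block that applies to all code.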