Packaging Credentials with Application

Typically, you would choose to migrate policies with overwriting at redeploy when a new set of policies should replace existing policies. Note that if the optional parameter jps.policy.migration.validate.principal is needed, it must be set manually.

21.4.2.4 To Remove or Prevent the Removal of Application Policies

The removal of application policies at undeployment is limited since code source grants in the system policy are not removed. For details, see the example in What Gets Removed and What Remains.

The following matrix shows the setting that removes policies at undeployment:

Table 21–5 Settings to Remove Policies

    Valid at undeploy
    JpsApplicationLifecycleListener    Set
    jps.policystore.removal            Not set (default)

Note: The policies removed at undeploy are determined by the stripe that the application specified at deploy or redeploy. If an application is redeployed with a stripe specification different than the original one, then policies in that stripe (the original) are not removed.

The following matrix shows the setting that prevents the removal of application policies at undeployment:

Table 21–6 Settings to Prevent the Removal of Policies

    Valid at undeploy
    JpsApplicationLifecycleListener    Set
    jps.policystore.removal            OFF

Note: Deciding to set this parameter to OFF for a given application requires knowing, at the time the application has been deployed, whether the application stripe is shared by other applications.

What Gets Removed and What Remains

Consider the application myApp, which has been configured for automatic migration and removal of policies. The following fragment of the application's jazn-data.xml file packed in the application EAR file illustrates the application policies that are migrated when the application is deployed with Fusion Middleware Control and those that are and are not removed when the application is undeployed with Fusion Middleware Control:

    <jazn-data>
      <policy-store>
        <applications>
          <!-- The contents of the following element application is migrated to
               the element policy-store in domain system-jazn-data.xml; when myApp
               is undeployed with EM, it is removed from domain store -->
          <application>
            <name>myApp</name>
            <app-roles>
              <app-role>
                <class>oracle.security.jps.service.policystore.SomeRole</class>
                <name>applicationDeveloperRole</name>
                <display-name>application role applicationDeveloperRole</display-name>
                <members>
                  <member>
                    <class>oracle.security.somePath.JpsXmlEnterpriseRoleImpl</class>
                    <name>developers</name>
                  </member>
                </members>
              </app-role>
            </app-roles>
            <jazn-policy>
              <grant>
                <grantee>
                  <principals>
                    <principal>
                      <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                      <name>applicationDeveloperRole</name>
                    </principal>
                  </principals>
                </grantee>
                <permissions>
                  <permission>
                    <class>oracle.security.jps.JpsPermission</class>
                    <name>loadPolicy</name>
                  </permission>
                </permissions>
              </grant>
            </jazn-policy>
          </application>
        </applications>
      </policy-store>
      <jazn-policy>
        <!-- The following code-based application grant is migrated to the element
             jazn-policy in domain system-jazn-data.xml; when myApp is undeployed
             with EM, it is not removed from domain store -->
        <grant>
          <grantee>
            <codesource>
              <url>file:${domain.home}/servers/${weblogic.Name}/Foo.ear/-</url>
            </codesource>
          </grantee>
          <permissions>
            <permission>
              <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
              <name>context=SYSTEM,mapName=,keyName=</name>
              <actions></actions>
            </permission>
          </permissions>
        </grant>
      </jazn-policy>
    </jazn-data>

To summarize: in regards to what gets removed, the important points to remember are the following:
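An added example, not code from the Oracle guide: a Python sketch that reads a jazn-data.xml and separates the application-scoped grants that are removed at undeploy from the code source grants in the system policy that remain in the domain store. The sample document is constructed from the myApp fragment above; the mapName, keyName and actions values and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
# Constructed sample modelled on the myApp fragment; mapName/keyName/actions values are made up.
SAMPLE = """<jazn-data>
 <policy-store><applications><application><name>myApp</name>
  <jazn-policy><grant>
   <grantee><principals><principal>
    <class>oracle.security.jps.service.policystore.ApplicationRole</class>
    <name>applicationDeveloperRole</name>
   </principal></principals></grantee>
   <permissions><permission>
    <class>oracle.security.jps.JpsPermission</class><name>loadPolicy</name>
   </permission></permissions>
  </grant></jazn-policy>
 </application></applications></policy-store>
 <jazn-policy><grant>
  <grantee><codesource><url>file:${domain.home}/servers/${weblogic.Name}/Foo.ear/-</url></codesource></grantee>
  <permissions><permission>
   <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
   <name>context=SYSTEM,mapName=myMap,keyName=myKey</name><actions>read</actions>
  </permission></permissions>
 </grant></jazn-policy>
</jazn-data>"""

def _grants(policy, scope):
    """Yield (scope, grantee, permission class, target) for each permission in a jazn-policy."""
    for grant in policy.findall("grant"):
        url = grant.findtext("grantee/codesource/url")
        roles = [p.findtext("name", "") for p in grant.findall("grantee/principals/principal")]
        grantee = "codesource:" + url.strip() if url else "principals:" + ",".join(roles)
        for perm in grant.findall("permissions/permission"):
            yield (scope, grantee, perm.findtext("class"), perm.findtext("name"))

def classify(xml_text):
    """Split grants into those removed at undeploy and those left in the domain store."""
    root = ET.fromstring(xml_text)
    removed, remains = [], []
    # Application-scoped policies sit under policy-store/applications/application.
    for app in root.findall("policy-store/applications/application"):
        for policy in app.findall("jazn-policy"):
            removed.extend(_grants(policy, "app:" + app.findtext("name", "")))
    # Per the guide, code source grants in the system (top-level) policy are not removed.
    for policy in root.findall("jazn-policy"):
        remains.extend(g for g in _grants(policy, "system") if g[1].startswith("codesource:"))
    return removed, remains

if __name__ == "__main__":
    removed, remains = classify(SAMPLE)
    for g in removed: print("removed at undeploy   :", g)
    for g in remains: print("remains after undeploy:", g)
```

Run against the jazn-data.xml packaged in the EAR before undeploying, the second list shows the grants, such as CredentialAccessPermission, that must be cleaned out of the domain store by hand.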