policy : Java Glossary
by Roedy Green ©1996-2008 Canadian Mind Products
policy
JDK 1.2+ file that controls what programs, weblets and Applets are allowed to do.

A totally permissive policy file would look like this:

// Do what you will
grant {
    permission java.security.AllPermission;
};

Here are some policies for dealing with Applets.

// The following requests that the RSA-signature be examined;
// that there should be a dialog prompt;
// if denied, no privileges;
// if granted, full privileges.

grant { };


// The following requests that the RSA-signature be ignored;
// that the policy file be used; no privileges.

grant {
    permission java.lang.RuntimePermission "usePolicy";
};

// The following requests that for code from mindprod.com,
// that the RSA-signature be ignored;
// that a policy file be used;
// that universal-connect privileges be given to code in this codeBase.
// The Applet does not need to be signed at all. Not even a jar is required.
// The raw class file could be deployed directly.

grant codeBase "http://www.mindprod.com/-" {
    permission java.lang.RuntimePermission "usePolicy";
    permission java.net.SocketPermission "*", "connect";
};

// The following requests that for code from mindprod.com
// that the RSA-signature be examined;
// there be a dialog prompt;
// if denied, only policy file permissions are granted;
// if granted, all permissions granted.

grant codeBase "http://www.mindprod.com/-" {
    permission java.net.SocketPermission "*", "connect";
};

// The following grants the code in
// the local Opera.jar
// the right to do whatever it wants.

grant codeBase "file:/C:/Program Files/Opera/classes/Opera.jar" {
    permission java.security.AllPermission;
};

// The following grants signed Applets
// the right to use the sun.* classes and the right to read all files.

grant {
    permission java.lang.RuntimePermission "accessClassInPackage.sun.*";
    permission java.io.FilePermission "<<all files>>", "read";
};

// The following grants the code in
// the ext directory jars
// the right to do whatever it wants.

grant codeBase "file:${java.home}/lib/ext/*" {
    permission java.security.AllPermission;
};

Sun’s default policy file grants all permissions to the code living in the ext directory, and a few measly permissions such as the right to read some system properties, to Applets in general.
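
A small auditor for the grant syntax shown above, added here as an illustration and not part of the original glossary page: it lists grants that hand out AllPermission, read access to <<all files>> or a SocketPermission on "*", and says whether each is limited by codeBase or signedBy. The class name PolicyAudit, the choice of which permissions count as broad, and the sample text (constructed from the grants on this page) are assumptions; only whole-line // comments are handled.

```java
import java.util.*;
import java.util.regex.*;

public class PolicyAudit {
    // grant [signedBy "..."] [, codeBase "..."] { permission ...; };
    // Quoted strings are matched whole: they may contain braces ("${java.home}").
    static final Pattern GRANT = Pattern.compile(
        "grant\\b((?:\"[^\"]*\"|[^{\"])*)\\{((?:\"[^\"]*\"|[^}\"])*)\\}\\s*;");
    static final Pattern PERM = Pattern.compile(
        "permission\\s+([\\w.$]+)(?:\\s+\"([^\"]*)\")?");

    /** Returns one line per broad permission, prefixed with the grant's scope. */
    static List<String> audit(String policy) {
        // Strip whole-line // comments only; "//" also occurs inside codeBase URLs.
        String text = policy.replaceAll("(?m)^\\s*//.*$", "");
        List<String> findings = new ArrayList<>();
        Matcher g = GRANT.matcher(text);
        while (g.find()) {
            String header = g.group(1).trim();
            String h = header.toLowerCase();
            boolean scoped = h.contains("codebase") || h.contains("signedby");
            String scope = scoped ? header : "ALL CODE (no codeBase or signedBy)";
            Matcher p = PERM.matcher(g.group(2));
            while (p.find()) {
                String type = p.group(1);
                String target = p.group(2) == null ? "" : p.group(2);
                boolean broad = type.equals("java.security.AllPermission")
                    || (type.equals("java.io.FilePermission") && target.equals("<<all files>>"))
                    || (type.equals("java.net.SocketPermission") && target.startsWith("*"));
                if (broad) findings.add((scope + " -> " + type + " " + target).trim());
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample, assembled from the grants shown on this page.
        String sample = String.join("\n",
            "// Do what you will",
            "grant { permission java.security.AllPermission; };",
            "grant codeBase \"http://www.mindprod.com/-\" {",
            "    permission java.lang.RuntimePermission \"usePolicy\";",
            "    permission java.net.SocketPermission \"*\", \"connect\";",
            "};",
            "grant codeBase \"file:${java.home}/lib/ext/*\" { permission java.security.AllPermission; };");
        for (String finding : audit(sample)) System.out.println(finding);
    }
}
```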

Where are the policy files?

Exactly how many policy files you have and where they are is controlled by settings in the file C:\Program Files\java\jre1.6.0_06\lib\security\java.security or C:\Program Files\Java Web Start\java.security. The Opera browser has its own policy file at C:\Program Files\Opera\classes\Opera.policy.

The default is to have:

  1. a single system-wide policy file J:\Program Files\java\jdk1.6.0_06\jre\lib\security\java.policy in the java.home\lib\security directory.
  2. a user-specific policy file user.home/.java.policy, e.g. "C:\Documents and Settings\%username%\.java.policy". In Vista, look in "C:\Users\%username%\.java.policy".

The entries in C:\Program Files\java\jre1.6.0_06\lib\security\java.security tell Java where to find your policy files. They look like this:

policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy

You can find out what directories java.home and user.home point to by looking at the system properties. You can run wassup to discover these system properties.

Then make sure the corresponding java.security file points to your java.home\lib\security\java.policy and user.home\.java.policy files.

Will The Real Policy File Please Stand Up.

Summarising: to find out which policy file(s) your browser is using, run wassup and look for the restricted system property java.security.policy. By default wassup shows only safe properties. Remember to change the selection to include restricted properties. If there is no such property, look for java.home. Use that to find lib\security\java.security. Use that to find the system java.policy and user .java.policy files.
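
The lookup described above as a stand-alone program (an added example, not the wassup utility and not code from the original page): it prints java.home, user.home and java.security.policy, then walks the policy.url.N entries of java.security through java.security.Security.getProperty and reports whether each file exists. The class name PolicyLocator and the simplified ${...} expansion are assumptions; run it as an application, not as an Applet.

```java
import java.io.File;
import java.security.Security;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PolicyLocator {
    static final Pattern PROP = Pattern.compile("\\$\\{([^}]+)\\}");

    /** Expands ${java.home}-style references; ${/} stands for the file separator. */
    static String expand(String value) {
        Matcher m = PROP.matcher(value);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String name = m.group(1);
            String v = name.equals("/") ? File.separator : System.getProperty(name, "");
            m.appendReplacement(out, Matcher.quoteReplacement(v));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        for (String key : new String[] {"java.home", "user.home", "java.security.policy"}) {
            System.out.println(key + " = " + System.getProperty(key));
        }
        // policy.url.N entries come from java.security; numbering starts at 1
        // and the list ends at the first missing number.
        for (int n = 1; ; n++) {
            String raw = Security.getProperty("policy.url." + n);
            if (raw == null) break;
            String url = expand(raw);
            String status = "not a file: URL, not checked";
            if (url.startsWith("file:")) {
                File f = new File(url.substring("file:".length()));
                status = f.isFile() ? "exists" : "MISSING";
            }
            System.out.println("policy.url." + n + " = " + url + "  [" + status + "]");
        }
    }
}
```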

Recovery

If you accidentally delete your java.policy or .java.policy file, Java may go nuts, refusing to give permission for anything. All certificates will be rejected. You can recreate it to look like this one below.


// Standard extensions get all permissions by default

grant codeBase "file:${java.home}/lib/ext/*" {
    permission java.security.AllPermission;
};

// default permissions granted to all domains

grant {
    // Allows any thread to stop itself using the java.lang.Thread.stop()
    // method that takes no argument.
    // Note that this permission is granted by default only to remain
    // backwards compatible.
    // It is strongly recommended that you either remove this permission
    // from this policy file or further restrict it to code sources
    // that you specify, because Thread.stop() is potentially unsafe.
    // See "http://java.sun.com/notes" for more information.
    permission java.lang.RuntimePermission "stopThread";

    // allows anyone to listen on un-privileged ports
    permission java.net.SocketPermission "localhost:1024-", "listen";

    // "standard" properties that can be read by anyone

    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";

    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";

    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";
};

Learning More

Sun’s JDK Technote Guide on the policy files
Sun’s JDK Technote Guide on Permission Names

You can get a fresh copy of this page from: http://mindprod.com/jgloss/policyfile.html