JDK 1.2+ file that controls what programs, weblets and Applets are allowed to do.
Totally Permission Policy File
A totally permissive policy file would look like this:
grant {
permission java.security.AllPermission;
};
Applet Control
Here are some policies for dealing with signed Applets.
I suspect Applets may still have to be signed, even when you grant them privilege. You may also have to grant permission
to the JRE itself and the ext classes. I have not done experiments to find out the grant
gotchas.
Default
Sun’s default policy file grants all permissions to the code living in the ext directory,
and a few measly permissions such as the right to read some system properties, to Applets in
general.
codebase
The codebase parameter describes where the class/jar files are that are being given permission.
The same code living in different places may have different permissions. The location of the files you are giving
permission to read or write go on the permission statement.
The exact meaning of a codebase value depends on the characters at the end.
| Codebase Magic Trailing Characters |
|---|
| Trailing Characters on Codebase |
Meaning |
|---|
| / |
matches all class files (not JAR files) in the specified directory. |
| /* |
matches all files (both class and JAR files) contained in that directory. |
| /- |
matches all files (both class and JAR files) in the directory and recursively all files in subdirectories contained
in that directory. |
Where are the policy files?
Exactly how many policy files you have and where they are is controlled by settings in the C:\Program Files\java\jre6\lib\security\java.security
or C:\Program Files\Java Web Start\java.security. The Opera browser has its own
policy file at C:\Program Files\Opera\classes\Opera.policy.
The default is to have:
- a single system-wide policy file C:\Program Files\java\jre6\lib\security\java.policy
in the {$java.home}\lib\security directory.
- a user-specific policy file user.home/.java.policy, e.g. "C:\Documents and Settings\
%username%\.java.policy". In Vista, look in "C:\Users\%username%\.java.policy".
The entries in C:\Program Files\java\jre6\lib\security\java.security
tell Java where to find your policy files. They look like this:
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy
You can find out what directories java.home and user.home
point to by looking at the system properties. You can run wassup to
discover these system properties.
Then make sure the corresponding java.security file points to your {$java.home}\lib\security\java.policy
and user.home\.java.policy files.
Will The Real Policy File Please Stand Up.
Summarising: to find out which policy file(s) your browser is using, run wassup
and look for the restricted system property java.security.policy. By
default Wassup shows only safe properties. Remember to change the selection to include restricted
properities. If there is no such property, look for java.home. Use that to find lib\java.security.
Use that to find the system java.policy and user .java.policy files.
Recovery
If you accidentally delete your java.policy or .java.policy file,
Java may go nuts, refusing to give permission for anything. All certificates will be rejected. You can recreate it to
look like the default displayed above.
Learning More
Sun’s JDK Technote Guide on
Permission Names : available:
Sun’s JDK Technote Guide on
the policy files : available:
Sun’s JDK Technote Guide on
Permission Names : available:
2008-11-18 by Roedy Green ©1996-2009 Canadian Mind Products
Please email your feedback for publication, errors, omissions, broken/redirected link reports
