JDK 1.2+ file that controls what programs, weblets and Applets are allowed
to do.
Totally Permissive Policy File
A totally permissive policy file would look like this:
grant {
    permission java.security.AllPermission;
};
Applet Control
Here are some policies for dealing with signed Applets.
I suspect Applets may still have to be signed, even when you grant them
privilege. You may also have to grant permission to the JRE itself and the ext
classes. I have not done experiments to find out the grant
gotchas.
Default
Sun’s default policy file grants all permissions to the code living in the ext
directory, and a few measly permissions such as the right to read some system
properties, to Applets in general.
codebase
The codebase parameter describes where the class/jar files being given
permission are located. The same code living in different places may have
different permissions. The locations of the files you are giving permission to
read or write go on the permission statement.
The exact meaning of a codebase value depends on the
characters at the end.
Codebase Magic Trailing Characters

| Trailing Characters on Codebase | Meaning |
|---|---|
| / | matches all class files (not JAR files) in the specified directory. |
| /* | matches all files (both class and JAR files) contained in that directory. |
| /- | matches all files (both class and JAR files) in the directory and recursively all files in subdirectories contained in that directory. |
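As an added example (not from the original page), this Python audit script parses policy-file grant entries, flags any grant of java.security.AllPermission such as the totally permissive file above, and reports the scope implied by the codebase's trailing characters. The sample policy, its paths, host and signer name are constructed; the HIGH/REVIEW labels and treating a grant with no codeBase as covering all code are this example's own conventions.

```python
import re

# Quoted strings are matched before comments, so "/*" or "//" inside a URL survives.
TOKEN_RE = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|[{};,]|[^\s{};,"]+', re.S)
# Trailing characters on a codeBase and what they cover (the table above).
SCOPES = {"/-": "directory and subdirectories, class and JAR files",
          "/*": "directory only, class and JAR files",
          "/": "directory only, class files (not JAR files)"}

def parse_grants(text):
    """One dict per grant entry: codebase, signedby, permission class names."""
    toks = [t for t in TOKEN_RE.findall(text) if not t.startswith(("/*", "//"))]
    grants, i = [], 0
    while i < len(toks):
        i += 1
        if toks[i - 1].lower() != "grant":
            continue
        g = {"codebase": None, "signedby": None, "permissions": []}
        while i < len(toks) and toks[i] != "{":      # header: signedBy, codeBase
            if toks[i].lower() in ("codebase", "signedby") and i + 1 < len(toks):
                g[toks[i].lower()] = toks[i + 1].strip('"')
            i += 1
        while i < len(toks) and toks[i] != "}":      # body: permission entries
            if toks[i].lower() == "permission" and i + 1 < len(toks):
                g["permissions"].append(toks[i + 1])
            i += 1
        grants.append(g)
    return grants

def codebase_scope(cb):
    if cb is None:                                   # assumption: no codeBase = any code
        return "all code"
    return next((m for s, m in SCOPES.items() if cb.endswith(s)), "exact URL as written")

def audit(text):
    out = []
    for g in parse_grants(text):
        if "java.security.AllPermission" in g["permissions"]:
            open_grant = g["codebase"] is None and g["signedby"] is None  # worst case
            out.append(("HIGH" if open_grant else "REVIEW", codebase_scope(g["codebase"])))
    return out

SAMPLE = '''// constructed sample policy; paths, host and signer are made up
grant { permission java.security.AllPermission; };
grant codeBase "file:/C:/myapps/-" { permission java.io.FilePermission "C:/temp/*", "read"; };
grant signedBy "acme", codeBase "http://example.com/applets/*" {
    permission java.security.AllPermission; };  /* end of constructed sample */'''

print(audit(SAMPLE))
```

The tokenizer treats quoted strings as atomic, so a codebase ending in /* or a target such as ${user.home} is not mistaken for a comment or a closing brace.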
Where are the policy files?
Exactly how many policy files you have, and where they are, is controlled by
settings in C:\Program Files\java\jre6\lib\security\java.security
or C:\Program Files\Java Web Start\java.security.
The Opera browser has its own policy file at C:\Program Files\Opera\classes\Opera.policy.
The default is to have:
- a single system-wide policy file C:\Program Files\java\jre6\lib\security\java.policy
  in the ${java.home}\lib\security directory.
- a user-specific policy file user.home/.java.policy,
  e.g. "C:\Documents and Settings\%username%\.java.policy".
  In Vista, look in "C:\Users\%username%\.java.policy".
The entries in C:\Program Files\java\jre6\lib\security\java.security
tell Java where to find your policy files. They look like this:
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy
You can find out what directories java.home and user.home
point to by looking at the system properties. You can run wassup
to discover these system properties.
Then make sure the corresponding java.security file
points to your ${java.home}\lib\security\java.policy
and user.home\.java.policy files.
Will The Real Policy File Please Stand Up.
Summarising: to find out which policy file(s) your browser is using, run wassup
and look for the restricted system property java.security.policy.
By default Wassup shows only safe properties.
Remember to change the selection to include restricted
properties. If there is no such property, look for java.home.
Use that to find lib\security\java.security. Use that to find
the system java.policy and user .java.policy
files.
Recovery
If you accidentally delete your java.policy or .java.policy
file, Java may go nuts, refusing to give permission for anything. All
certificates will be rejected. You can recreate it to look like the default
displayed above.
Learning More
Sun’s JDK Technote Guide on Permission Names
Sun’s JDK Technote Guide on the policy files