Policy Tool -
Policy file creation and management tool
Create and modify an external policy configuration file that defines the installed Java security policy.
table of Contents
Introduction
Permissions and Policy File Overview
Authority
Default policy file and its location
Policy file content
Policy Tool Usage
Start Policy Tool
Create a new policy file
Open another policy file
Specify key warehouse
Add a new policy item
Add new permissions
Edit
Delete permission
Complete the addition of the strategy item
Edit strategy item
Delete strategy item
Save the policy file
Exit Policy Tool
View warning log
Example
Start the creation of the user policy file
Add a strategy item
Specify key warehouse
Add a strategy item with a SignedBy alias
Save user policy files
Exit Policy Tool
See also
Introduction
The Java runtime policy specifies what permissions can be obtained from the code from various sources, represented by the Policy object. The default policy is implemented from a static ASCII policy profile.
The policy file can be written by means of a plain text editor or by means of the graphical policy tool utility described in this document. Using the Policy Tool saves time, and makes users don't have to know the symptoms of the policy file, thereby reducing the occurrence of errors.
The permissions and policy files in this document describe what permissions are described and provide information about policy file content and default policy files. The section also provides a link to the detailed discussion of these topics.
The Policy Tool usage section describes how to use the Policy Tool to create and modify the policy file.
An example section provides a detailed example of the Policy Tool Usage.
See also the link to the relevant documentation in the section.
Permissions and Policy File Overview
This section briefly describes what permissions and provides information about policy file content and default policy files.
Authority
Permission represents access to system resources. To make the applet (or an application running with the security manager) can perform resource access, the corresponding permissions must be explicitly granted to the code to be accessed.
Permissions typically have a name (often referred to as "target name"), and in some cases, there is a sequence of one or more operations separated by a comma. For example, if you want to create a file named "ABC" in the / tmp / directory, you need to create file permissions with the target name "/ TMP / ABC" and action string "read" (it is java.io .Filepermission authority).
In the default policy implementation, the "Policy Item" in the policy configuration file (sometimes referred to as "Authorization" must be granted to try to read the file. You can create such an item using the Policy Tool in this file.
Some tables included in JDK 1.2 describe the type of built-in JDK 1.2 permissions and discuss the level of danger to grant a variety of permissions. Another table contained in this document shows the JDK 1.2 method that requires permission to take effect to successfully work, and each method lists the required permissions.
Default policy file and its location
By default, there is only one full system policy file, and an optional user policy file.
The default location of the system policy file is
Java.home / lib / security / java.policy
Among them, java.home represents the JDK installation directory.
The default location of the user policy file is located
User.home / .java.policy
Where user.home represents the user's host directory.
When the policy is initialized, first load the system policy and add a user policy. If there is no system policy without a user policy, use a built-in policy. This built-in strategy is the same as the initial sandbox strategy.
The policy file location is specified in the security properties file, the file is located
Java.home / lib / security / java.security
Specify the policy file position as the value of the property, its name has the following form: policy.url.n
Where n represents numbers. Users can specify each attribute value in the following forms of statement:
Policy.url.n = URL
Where the URL is an URL description. For example, the default policy file (sometimes referred to as "system" and "user policy file) in the security attribute file is
Policy.url.1 = file: $ {java.home} /lib/security/java.policy
Policy.url.2 = file: $ {user.home} /. java.policy
Note: When you are in the policy file or security properties file
$ {some.property}
When such a string, it will be extended to the value of the specified system properties. E.g:
$ {java.home}
Indicates the value of the java.home property of the JDK installation directory.
The "policy.expandproperties" attribute value control in the security properties file is controlled to allow attribute extensions. If this property value is true (default), it is allowed.
In fact, users can specify multiple URLs in the security properties file (including "http: //" forms, all specified policy files will be loaded. You can also comment out or change the second URL to prohibit reading the default user policy file.
The algorithm starts from policy.url.1 and is increasing until the URL is not found. Therefore, if you have Policy.url.1 and Policy.url.3, it will never read policy.url.3.
When the application is called, you can specify an additional or additional policy file. This can be done by means of the "-djava.security.policy command line parameter, which sets the value of the java.security.policy property. For example, if you type the following statement, the PURL is the URL that specifies the location of the policy file, and the URL specified policy file is loaded outside the policy file specified in the secure properties file.
Java -djava.security.manager -djava.security.policy = PURL SomeApp
("-Djava.security.manager" parameter ensures that the default security manager is installed so that the application can be checked. If the application SomeApp is installed, this parameter is not required.)
If you typing the following statement (using a double equity), only the specified policy file is used; and all other policy files will be ignored.
Java -djava.security.manager -djava.security.policy == PURL SomeApp
If you want to pass the policy file to AppletViewer, please use the "-djava.security.policy" parameters as follows:
AppletViewer -j-djava.security.policy = purl myapplet
Note: If the "Policy.AllowsystemProperty" property in the security properties file is set to false, the "-djava.security" policy file value (for the Java and AppletViewer commands) will be ignored. The default is TRUE.
Policy file content
Policy profile (referred to as policy file) indicates where code from the specified code source can get.
There are many items in the policy configuration file. You can include a unique "Key Warehouse" item, including zero or more "policy" items. The key repository is a database of private key and its related digital certificate (such as the X.509 certificate chain of the corresponding public key). Use the KeyTool utility to create and manage key warehouses. The function of the key repository specified in the policy configuration file is to query the name of the signature (if any) specified by the authorization of the file. The role of the public key is the verification of digital signatures for signing the code.
If any policy item specifies the signature alias, the key warehouse item must appear in the policy configuration file.
At this point, there can only be one key warehouse item in the policy file. The key warehouse item specifies the URL position of the key repository, and sometimes specifies the key warehouse type. The URL relative to the position of the policy file. Thus, if the policy file is specified in the safe attribute file:
Policy.url.1 = http://foo.bar.com/blah/some.policy
Moreover, the policy file contains a key warehouse item that is ".keyStore", the key warehouse will be loaded from the following position:
http://foo.bar.com/blah/.keystore
The URL can also be an absolute URL.
Key Warehouse Type Defines the storage and data format of key warehouse information, and algorithms for protecting private keys and key warehouses in key warehouses. If you do not specify a type, assume that the specified "KeyStore.Type" value specified in the security properties file is specified. The default value of this property is "JKS", specifies the type of dedicated key warehouse supported by Sun Microsystems.
It is generally considered that the execution code comes from a specific "code source". The code source can include not only the CodeBase location (URL) started from the Applet (or application), but also a reference to one or more (symbol) alias, the key reply from the key warehouse The key warehouse item contains the public key corresponding to the private key of the signature.
Each policy item in the policy file contains the following items:
Optional CodeBase item, specify the URL position originating from the code, the optional SIGNEDBY item, specifies an alias from the key repository, the role is to reference the private key to sign the code, and one or more Personal rights, specify how permissions grants the code from the specified codebase and signed by the specified SIGNEDBY alias.
Policy Tool Usage
Start Policy Tool
To start the Policy Tool, just type the following command in the command line.
Policytool
This will call up the "Policy Tool" window.
Whenever you start a Policy Tool, Policy Tool will try to fill in this window with policy information from sometimes called "User Policy File". By default, the user policy file is file named .java.policy in the host directory. If the Policy Tool is not available to the user policy file, it will report the situation and display the blank "Policy Tool" window (ie, the title and button but there are no data):
You can then continue to open any policy file you want to use or create a new policy file, the method is to add a policy item (you can also specify the key warehouse) and save the file.
When you run the Policy Tool for the first time, you will not have a user policy file (unless you have created a user policy file manually).
Create a new policy file
To create a new policy file, select the new command under the File menu. This operation will turn off the currently open policy file (if necessary, you will first prompt you before shutting down) and call up the new Policy Tool window, which is the title and button but there is no data. Please note: You don't have to do it when you run the Policy Tool. Because the tool tries to open the user policy file and the user policy file has not exists (unless you have manually created), the tool will call the window without data.
Once you have a new Policy Tool window, you can create a policy entry and specify a key repository (if any policy item specifies the key warehouse alias). You can save the policy file at any time.
Open another policy file
To handle another policy file instead of the currently processed file (if any), select the Open command under the File menu.
This will close the currently open policy file (if necessary, you will first prompt whether the file will be saved before shutting down) and render the "Open" dialog box, you can use the dialog to browse the directory structure until you enter the included to process The directory of the policy file. Select this file and select the OK button.
Subsequently, the "Policy Tool" window will fill in the information from the policy file, including the policy file name, key warehouse URL (if any), and the CodeBase and Signedby part of each policy item in the policy file.
Specify key warehouse
To specify a key repository containing key information for the alias specified in the SignedBy section of the policy item, select the change keystore command under the EDIT menu.
This will call a dialog box that can specify a new key warehouse URL in the dialog, or you can specify the key warehouse type.
For example, to specify a key repository named "MyKeyStore" in the / Tests / Directory, type the following file: URL to type the text box for the "New KeyStore URL".
FILE: / TESTS / MyKeyStore
To specify the key warehouse type as "JKS" (a dedicated key warehouse type supported by Sun Microsystems), type the following in the text box for the label "New KeyStore Type".
JKS
When you complete the specified key warehouse URL and type (if any), select OK (or select Cancel to cancel the operation). If there is no cancellation, the key warehouse URL and type are now filled in the text box for "KeyStore:".
Add a new policy item
To add a new policy entry, select the Add Policy Entry button in the Men's Policy Tool window.
This will call the Policy Items dialog box:
Using this dialog, you can specify
Optional CodeBase item indicates the URL position originating from the code. For example, to specify the code from the local / javasoft / tests / directory, type the following file URL into the text box for the CodeBase: File: / JavaSoft / Tests /
Optional Signedby items indicate an alias from the key repository, the role is to reference the private key for signature people to sign the code. For example, to specify the "duke" alias, just type the following in the text box of the label as Signedby: Duke
One or more permission items indicate how permissions will grant code from the code source indicated from the CodeBase and SignedBY values (or if this value is not specified, indicate what permission to grant other code). See Adding new permissions. The SignedBY value is a string alias, which is mapped to the public key set associated with the signature (using the key warehouse). The role of these keys is whether the class from the specified code source is indeed signing by these signature people.
The SignedBY value can be a comma-separated string, which can contain multiple signs' names, such as "ADAM, EVE, Charles", which means "signing from ADAM and EVE and Charles" (ie, its relationship is and, Not OR).
The SignedBY value is optional because: If the value is ignored, "any signature person", in other words, whether the code is not a matter of signing. Similarly, if there is no CodeBase entry, "any code" is indicated; the code originates is independent.
Therefore, if there is no CodeBase entry, all the code signed by the specified alias will be granted the specified permissions. If there is no Signedby item, all code from the specified CodeBase will be granted the specified permissions, regardless of whether the code has been signed, and who is signed. If there is no CodeBase entry, there is no SIGNEDBY item, all code will be granted the specified permissions.
Note: The exact meaning of the CodeBase value depends on the character at the end. The CodeBase ending with "/" matches all class files (instead of jar files) in the specified directory. CodeBase ending with "/ *" matches all files in this directory (including both the class files and JAR files). All files in the CodeBase matching directory (including class files and JAR files) are included, and all files in the subdirectory included in the directory are recursively matched.
Add new permissions
To add new permissions, select the Add Permission button in the Policy Entry dialog. This will call out the "Permissions" dialog:
To add permissions:
Type or select the permissions type. "Permission:" The drop-down list contains a list of built-in permission types. If you want some type, select from the list, subsequent permissions type names will appear in the text box on the right of the drop-down list. If you want to specify the type of permissions defined by you or others, type this permission type in the text box. Type or select the permission target name. If you select a built-in permissions from the "Permission:" drop-down list, and the permission of this type has a specific target name value, the "TARGET NAME:" drop-down list will contain a list of these values, you can choose from it. In some cases, the target name may be widely valued, but some built-in target name specifications have special meaning, such a target name will appear in the drop-down list. For example, the "<< All Files >>" special target name will appear in the "File Permission" list. To specify a target name not in the drop-down list, type the target name directly in the Target Name: drop-down list. For example, you want to specify a file named Data in / javasoft / pttest / directory, type / javasoft / pttest / data
Type or select one or more action (if the action is related). Some privileges only have a target name, but there is no action. For such permissions, keep the text box on the right side of the drop-down list. (For this type of built-in permissions, it will automatically be gray as gray). For permissions that need to specify actions, type a comma-separated action list in the text box, or select actions from the drop-down list. For example, to specify the read and write access to the file specified by "File Permission", first select READ (or Write, "in the list. Word "read" will appear in the text box. Then select WRITE to attach the word "Write", and the two words are separated from the space. If necessary, type the SignedBy alias in the text box on the right side of the "Signed By" tag. The SignedBY value of the right item is optional. If there is a signedby value, it indicates that it is a signed permission. That is to say, in order to grant permissions, the authority class itself must be signed by the home. When the specification of the permission information, select the OK button (or cancel the action). New permissions appear in a row of the Policy Entry dialog.
Then, additional permissions can be added in accordance with the same step. Or you can also edit existing permissions or delete permissions.
Edit
To edit an existing permissions, select the line where the permissions in the "Policy Entry" dialog box, then select the Edit Permission button. Alternatively, you can simply double click on the line where the permissions are.
This will call the "Permission" dialog box as the dialog box that appears when adding new permissions, and the only difference is that existing permission information has been filled in the dialog box here. To change this information, re-select or replace the information in the text box from the drop-down list.
After completing, select the OK button (or the Cancel button to cancel the change). The "Policy Entry" dialog box will display the modified permissions.
Delete permission
To delete an existing permissions, select the row where the permissions in the "Policy Entry" dialog box, then select the Remove Permission button.
Complete the addition of the strategy item
After completing the Add Policy item, select the DONE button in the "Policy Entry" dialog, or the CANCEL button to cancel the action.
If DONE is selected, the "Policy Tool" window now contains rows that represent the policy item. This line is only included with CodeBase and SignedBY information (if any). If you do not specify CodeBase and SignedBy in the "Policy Entry" dialog, it is just the appearance.
Codebase
.
Note: If the policy item contains the SignedBy alias in the key repository, a warning is displayed when the policy item is turned off. Please select OK and make a record to create such an alias, and if the alias is wrong, you should edit the policy item to fix the alias.
Edit strategy item
To edit an existing policy item, select the line where the item is located in the primary "policy tool" window, then select the Edit Policy Entry button. Alternatively, you can simply double-click the row. This will call the same type of "Policy" dialog box as the dialog box that appears when adding a new policy item, and the only difference is that the information of the existing policy item has been filled in the dialog box here. To change this information, simply retrofit information (CodeBase and SignedBY) or add, delete, or modify permissions. After completing, select the DONE button (or the Cancel button to cancel the operation). Delete strategy item
To delete the policy item in the policy file, select the line where the item is located in the primary "policy tool" window, then select the Remove Policy Entry button.
Subsequently, a complete strategy item is displayed, you can select OK to delete the item or select Cancel to keep the policy item.
Save the policy file
To save your changes to an existing policy file, simply select the Save command under the File menu.
To save the created new policy file, or copy the existing policy file to a new policy file with different names, select the Save as command under the File menu. This will call the "Save As" dialog.
Browse the directory structure until you reach the directory you want to save the policy file. Type the desired file name and select the OK button. The policy file is saved, and its name and path are displayed in the text box for the label as "Policy File:".
Exit Policy Tool
To quit the Policy Tool, select the exit command under the File menu.
View warning log
If the Policy Tool reports that the warning has been deposited in the warning log, you can view the log by selecting the View Warning Log command under the EDIT menu.
For example, if the key repository URL containing the policy file specifies the key warehouse that does not exist, such a warning is obtained in a variety of situations, such as opening a file. Even if there is a warning, the policy file can still be processed.
Example
The following examples show how
Start the creation of the User Policy file to add policy items to specify the key repository to add policy items to the signed code to save the user policy file, and exit the Policy Tool
Start the creation of the user policy file
Initially, there was no user policy file (unless one manually created). Thus, To create a user policy file, first type the following command in the command line to start the Policy Tool.
Policytool
This will call up the "Policy Tool" window.
Whenever you start a Policy Tool, Policy Tool will try to fill in this window with policy information from sometimes called "User Policy File". By default, the user policy file is file named .java.policy in the host directory. If the Policy Tool is not able to find the user policy file, it will report the situation and display the empty "Policy Tool" window (ie, the title and buttons but there are no data window):
You can now create a user policy file by adding a project and saving files.
Add a strategy item
Assume that you want to grant the permissions of the MyData files that read the / temp / data / directory on the Tests / Directory. To do this, you should first select the Add Policy Entry button in the main "policy tool" window.
This will call the "Policy Entry" dialog:
Use this dialog to type file URL in the CodeBase text box
FILE: / TESTS /
.
Keep the SignedBY text box is empty because you don't need to sign your code.
To add permissions, select the Add Permission button. This will call the "Permissions" dialog: To add permissions:
Select "File Permission" in the PERMISSION: "drop-down list. Now, a complete permissions type name (java.io.filepermission) appears in the text box on the right of the drop-down list. Type the following path in the text box on the list of the label "Target Name:": / Temp / Data / MyData
Use "Read" dropped in the "Actions:" drop-down list to specify read rights.
Now, the "Permission" dialog box is as follows:
After completing the specified permission information, select the OK button. New permissions appear in a row of the Policy Entry dialog.
Now, specify the policy item, so select the Done button. Now, there is a line that represents the policy item in the "Policy Tool" window. This line only contains the CodeBase value:
Specify key warehouse
Suppose you would also want to grant read rights of all files in the / TMP / directory from the URL "http://java.sun.com/" code that is signed by the alias "Duke". Assume that you have to give such code permissions to initialize the socket connection to any host, you need to complete two things:
Specifies the key repository containing alias and creates a policy entry to grant permissions.
To specify a key repository that contains key information for the alias specified in any SignedBy section of the policy item, select the Change KeyStore command under the Edit menu of the main "policy tool" window.
This will call a dialog box that can specify a new key warehouse URL in the dialog, or you can specify the key warehouse type.
For example, to specify a key repository named "MyKeyStore" in the / Tests / Directory, type the following file: URL to type text boxes marked with "New KeyStore URL:
FILE: / TESTS / MyKeyStore
If the key repository type is the default type, if the "KeyStore.Type" attribute value in the security properties file is specified, you do not have to type the "New KeyStore Type" value. The default value of this attribute is "JKS" (SUN Microsystems supported by the dedicated key warehouse type).
To specify a key warehouse type, type its value into the text box labeled as "New KeyStore Type". For example, you want to specify the key warehouse type is the "JKS" type, then type
JKS
the result is:
When you complete the specified key warehouse URL and the type, select OK. Now, the specified URL and type are filled in the text box as "KeyStore:".
Next, you need to specify the strategy item:
Add a strategy item with a SignedBy alias
Select the Add Policy Entry button in the main "policy tool" window. This will call the "Policy Entry" dialog. Turn the following path to the CodeBase text box:
http://java.sun.com/*
The "*" indicates that the class files and jar files in the specified directory match the codebase.
Now, type the following alias into the Signedby text box:
Duke
To add the first permissions, select the Add Permission button. This will call the "Permissions" dialog. Please do the following
Select "File Permission" in the "File Permission" drop-down list. Now, the complete permissions type name (java.io.filepermission) appears in the text box on the right of the drop-down list. Type the following characters into the text box labeled "target name:" list to specify all files in the specified / TMP / directory: / tmp / * by selecting "Read" drop-down list to specify Reading rights.
Now, the "Permissions" dialog box is shown below:
Select the OK button. New permissions appear in a row of the Policy Entry dialog.
Other permissions are now added now. Please select the Add Permission button. In the "Permissions" dialog, do the following
Select "Socket Permission" in the PERMISSION: "drop-down list. Now, a complete permissions type name (java.net.socketpermission) appears in the text box on the right of the drop-down list. Turn the following characters into the text box labeled the right side of the Target Name: "to specify all hosts: *
Specify the permissions for the connection by selecting "Connect" in the drop-down list.
Now, the "Permissions" dialog box is shown below:
Select the OK button. New permissions appear in a row of the Policy Entry dialog.
Now complete the specification of the policy item, so select the Done button in the Policy Entry dialog. Now, the "Policy Tool" window contains rows that represent the policy item, which shows the CodeBase and SignedBY values.
Save user policy files
Assume that you want to save the created policy file with the default name (.java.policy) (Host Catalog).
To save a user policy file, select the Save as command under the File menu. This will call the "Save As" dialog.
Browse the directory structure until the host directory is reached. Type
.java.policy
(Please note the initial phase) as the file name, then select the OK button. The policy file is saved, its name and path are displayed in the text box labeled "Policy File".
Exit Policy Tool
To quit the Policy Tool, select the exit command under the File menu.
See also
JDK 1.2 Permissions Default Policy Information and Policy File Syntax KeyTool Tool Document Security Architecture Specification JAVA Tutorial JDK 1.2 Security: Safety Tools (including Policy Tool) Method