Policies in Java 2


Java 2 strengthens the security barriers around applications and applets compared with earlier versions. It is now harder to bypass the security lock-outs when running programs that communicate over the Internet.

Java has a centralized "policy" framework that determines what permissions programs are granted. These permissions are stored in ASCII text policy files. There are two main policy files:

  1. java.policy - this is the main default policy file.
  2. .java.policy (note that the filename starts with a period, ".".)  - this holds user specific policy settings.

The java.policy file is found in the main directory for the JRE:

  • For the JDK (Windows):   [jdk install directory]\jre\lib\security\java.policy (e.g. on the OC lab machines, in Windows, c:\progfile\jdk1.2.2\jre\lib\security\java.policy )
  • For JBuilder3: [JBuilder install directory]\java\jre\lib\security\java.policy  (e.g. in the OC lab machines: c:\progfile\jbuilder3\java\jre\lib\security\java.policy )  

The .java.policy file is found in the user's home directory:

  • Windows NT:  [Windows install directory]\Profiles\[username]\.java.policy  (e.g. on the OC lab machines:  c:\winnt\Profiles\[username]\.java.policy )
  • Unix:  [user home directory]/.java.policy  (e.g. on OCCS, /urs/users/students/cs151stu/.java.policy) 

The permissions in the policy files are set using the "policytool" program supplied with the JDK.

Using the PolicyTool Program

The following example illustrates how to use the policytool program to create and modify the user's .java.policy file.

To start...

  1. From the command prompt, run "policytool".
  2. If the .java.policy file exists, it will be loaded by default.   Otherwise, take note of the error message, as it will contain the pathname of where the system expects it to be.

If the .java.policy file does not already exist...

  1. Click on "File/Save as".
  2. Browse to the location where the file should be (see above). 
  3. Type in the filename ".java.policy"  (don't forget the leading period!).
  4. Click on "Save". 
  5. Add the "Codebase <ALL>" entry by clicking on "Add Policy Entry".
  6. Don't fill in anything, just click "Done".
  7. Save the file again.

Note that Windows will not allow you to rename a file with a leading period in its name.   You must create the file from inside the policytool program.

If the .java.policy file already exists and is loaded...

To turn off all security settings...

  1. Highlight the "Codebase <ALL>" entry.
  2. Click on "Edit Policy Entry".
  3. Click on "Add Permission".
  4. From the "Permission:" drop-list, choose "AllPermission".
  5. Click "OK" then "Done".
  6. Save the file.

Note: This setting leaves the computer without any Java security running at all and thus very vulnerable to attack. It is recommended that this permission be deleted as soon as it is no longer needed.

To enable a program to connect to its own host machine...

  1. Highlight the "Codebase <ALL>" entry.
  2. Click on "Edit Policy Entry".
  3. Click on "Add Permission".
  4. From the "Permission:" drop-list, choose "SocketPermission".
  5. In the empty field to the right of the "Target" drop-list, type in "localhost:1024-" without the quotation marks.   This means that the permission applies to the "localhost" machine and all TCP/IP ports numbered 1024 and greater.
  6. From the "Actions" drop-list, choose "connect" and then "accept".
  7. Click "OK" then "Done".
  8. Save the file.
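
The scope of the two permissions set in the procedures above can be compared with the standard `implies` method of the permission classes. This is an added example, not part of the original page; the class name `PolicyScopeDemo` and the probe targets are constructed for illustration.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.AllPermission;
import java.security.Permission;

// Added example: shows which requests each grant covers.
// A "Codebase <ALL>" entry is a grant block with no codeBase,
// so it applies to all code:
//
//   grant {
//     permission java.net.SocketPermission "localhost:1024-", "connect,accept";
//   };
public class PolicyScopeDemo {
    public static void main(String[] args) {
        // The narrow grant from the "connect to its own host" steps.
        Permission narrow =
            new SocketPermission("localhost:1024-", "connect,accept");

        // The grant from the "turn off all security settings" steps:
        //   permission java.security.AllPermission;
        Permission all = new AllPermission();

        // Constructed probe requests, one per line of output.
        Permission[] probes = {
            // Inside the granted host, port range and actions.
            new SocketPermission("localhost:8080", "connect"),
            // Port below 1024, outside the "1024-" range.
            new SocketPermission("localhost:80", "connect"),
            // "listen" was not among the chosen actions.
            new SocketPermission("localhost:8080", "listen"),
            // A different permission class entirely.
            new FilePermission("/tmp/example.txt", "write"),
        };

        for (Permission probe : probes) {
            System.out.printf("%s%n    narrow grant: %b   AllPermission: %b%n",
                probe, narrow.implies(probe), all.implies(probe));
        }
    }
}
```

Only the first probe is covered by the SocketPermission grant, while AllPermission covers every probe, which is why the note above recommends deleting it as soon as it is no longer needed.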