Microsoft SDK for Java

Permission Model

The permission model for trust-based security supports a useful set of parameterized and non-parameterized permissions that can be individually granted or denied for a particular zone by an administrator. To reduce the number of options that administrators must specify in common cases, the administrative user interface provides several predefined permission sets that can be applied. These predefined permission sets, called High, Medium, and Low, represent the most restrictive to the least restrictive set of permissions, respectively.

Permissions can only be defined by system libraries with the highest degree of trust. This solves the problem of having to administer a potentially unlimited set of permission requests with uncertain, application-defined meanings.

Predefined Permissions

The following list describes each permission defined by the permission model and lists the parameters available for limiting each permission.

Client Storage Permission

Determines whether applets can access scratch space. Parameters for this permission include the size of the scratch space and flags that indicate whether storage is exempt from global storage limits and whether roaming files can be created. For more information, see the ClientStoragePermission class.

Execution Permission

Determines which programs can be executed on the client's machine. Parameters for this permission include a pattern that indicates which applications to include or exclude from the permission. For more information, see the ExecutionPermission class.

File I/O Permission

Determines whether applets can perform file operations. Parameters include the type of access (read, write, or delete), the file name or a pattern that indicates a group of files, and a flag that specifies whether the operation is denied or allowed. For more information, see the FileIOPermission class.

Multimedia Permission

Controls access to extended multimedia capability. This permission has no parameters. For more information, see the MultimediaPermission class.

Network I/O Permission

Controls the ability to perform three types of network operations: connect, bind, and multicast. Parameters include the network operation type (connect, bind, or multicast), a flag that indicates whether to allow or deny the operation, a pattern that indicates which hosts or ports to include or exclude, Internet Protocol (IP) addresses, port ranges, and flags that indicate whether you can bind to a non-file:// URL codebase or to a file:// URL codebase. For more information, see the NetIOPermission class.

Printing Permission

Controls whether an applet is allowed to print. This permission has no parameters. For more information, see the PrintingPermission class.

Property Permission

Controls the ability to access and manipulate the global system properties. Parameters include a flag that indicates whether access to all properties is turned on or off, a pattern that indicates which properties are included or excluded, and suffixes indicating properties that could be accessed under certain conditions. For more information, see the PropertyPermission class.

Reflection Permission

Determines whether access to the java.lang.reflect API is permitted. Parameters include a loader type (same loader, different loader, system loader, all, or none) and an access type (public or declared). For more information, see the ReflectionPermission class.

Registry Permission

Controls the ability to access the registry. Parameters include the type of access (read, write, open, delete, or create) and a pattern that indicates which keys/values are included or excluded from access. For more information, see the RegistryPermission class.

Security Permission

Controls access to the java.lang.security package. This permission has no parameters. For more information, see the SecurityPermission class.

System Streams Permission

Controls the ability to change the values of the system streams java.lang.System.in, java.lang.System.out, and java.lang.System.err. Parameters include flags that indicate whether System.in, System.out, and System.err can be set. For more information, see the SystemStreamsPermission class.

Thread Permission

Controls the ability to create and manipulate threads and thread groups. Parameters include a thread or thread group object, a flag that indicates whether unrestricted thread access is allowed, and a flag that indicates whether unrestricted thread group access is allowed. For more information, see the ThreadPermission class.

User File I/O Permission

Determines whether user-directed file I/O can be performed. Parameters for this permission include the access type (read or write) and a file name or a pattern that indicates which files to allow access to. For more information, see the UserFileIOPermission class.

User Interface Permission

Controls the ability to create top-level windows, access the system clipboard, create file dialog boxes, and access the AWT event queue. Parameters for this permission include flags that indicate access to one or more of the enhanced UI functions. For more information, see the UIPermission class.
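
The following is an added example, not code from the SDK or from the original page: a stand-alone Java model of how a parameterized permission such as File I/O (access type, file pattern, allow/deny flag) can be evaluated. The class and method names, the '*' wildcard syntax, the deny-over-allow precedence, and the default-deny result are assumptions made for illustration; they do not reproduce the SDK's FileIOPermission class.

```java
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Illustrative model only; NOT the SDK's FileIOPermission API.
public class FileAccessPolicyDemo {
    enum Access { READ, WRITE, DELETE }
    // One rule = the three parameters the text lists for File I/O:
    // access type, file name pattern, and an allow/deny flag.
    static final class Rule {
        final Access access; final Pattern pattern; final boolean allow;
        Rule(Access access, String glob, boolean allow) {
            this.access = access; this.pattern = compile(glob); this.allow = allow;
        }
    }
    // Translate a '*' wildcard pattern into a regex, quoting everything else.
    static Pattern compile(String glob) {
        StringBuilder re = new StringBuilder();
        String[] parts = glob.split("\\*", -1);
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) re.append(".*");
            re.append(Pattern.quote(parts[i]));
        }
        return Pattern.compile(re.toString(), Pattern.CASE_INSENSITIVE);
    }
    // Assumed semantics: default deny, and a matching deny rule beats any allow.
    static boolean isAllowed(List<Rule> rules, Access access, String rawPath) {
        // Normalize first so "dir/../other" cannot slip past a prefix pattern.
        String path = Paths.get(rawPath).normalize().toString().replace('\\', '/');
        boolean allowed = false;
        for (Rule r : rules) {
            if (r.access != access || !r.pattern.matcher(path).matches()) continue;
            if (!r.allow) return false;   // explicit deny wins immediately
            allowed = true;               // remember the allow, keep scanning for denies
        }
        return allowed;
    }
    public static void main(String[] args) {
        List<Rule> rules = Arrays.asList(          // constructed sample policy
            new Rule(Access.READ,  "/scratch/*", true),
            new Rule(Access.WRITE, "/scratch/*", true),
            new Rule(Access.WRITE, "/scratch/*.exe", false));
        System.out.println(isAllowed(rules, Access.READ,   "/scratch/notes.txt"));
        System.out.println(isAllowed(rules, Access.WRITE,  "/scratch/tool.exe"));
        System.out.println(isAllowed(rules, Access.READ,   "/scratch/../etc/hosts"));
        System.out.println(isAllowed(rules, Access.DELETE, "/scratch/notes.txt"));
    }
}
```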

Defining Applet Permissions

The following sets of permissions correspond to the standard Java sandbox:

You can choose these permissions or you can set up an even more restrictive set of permissions for applets. Choosing a less restrictive set is not recommended.

Defining Custom Permissions

Internet service providers or personal users might want to define custom permissions. Permission objects can be defined to protect some functionality in your code against misuse. Custom permissions can be added to the digital signature so that the user can decide (via a dialog box) whether or not to accept the risk. To add custom permissions to the digital signature, you specify the requested permissions in an .ini file that is used by the signcode tool when signing the cabinet file. For more information about using the permission .ini file with the signcode tool, see Signing a Cabinet File with Java Permissions and the Sample Permissions .INI File.

© 1999 Microsoft Corporation. All rights reserved.