Microsoft SDK for Java

Cabinet File Permission Levels

The signcode utility enables you to sign a cabinet file at three different security levels, described in the following table. These permission levels work in conjunction with Microsoft® Internet Explorer zones to determine what an applet can do.

Security levels

High The High security level ensures that all Java code contained in the cabinet file will run in the Java "sandbox." High is the most stringent level of signing, and is equivalent to the same permissions that an unsigned applet is granted. Signing a cabinet file with High ensures that it will never be able to do more than it would in the sandbox, regardless of where the code comes from and what the user allows it to do. A cabinet file signed High will always be allowed to run without any user intervention.
Medium The Medium security level places the same restrictions on the applet as High, with a few exceptions. Applets signed with the Medium level request user-directed file I/O as well as the ability to store up to 1 MB of data in the client computer's scratch space. This storage can be accessed through the com.ms.io.clientstorage API. A cabinet file signed Medium will run without intervention in Low and Medium security zones. Because the requested permissions are greater than a High security zone can automatically give, a Medium signed cabinet file will prompt the user before allowing code to run in a High security zone.
Low The Low security level means the code in the cabinet file is requesting to be fully trusted. Only a zone set at Low security can grant this much access without first asking the user. The other two zones prompt the user before running the applet.

Cabinet Files and ActiveX

The security levels described previously apply to cabinet files that contain only Java code. When downloaded using the useslibrary parameter, however, cabinet files may contain both Java code and Microsoft® ActiveX® Controls. Because ActiveX controls must be fully trusted to run, they are treated differently from Java code.

For ActiveX controls to run when they are in a cabinet file that uses Java Permission signing, the signature must specify that the cabinet file contains ActiveX controls. You do this by specifying the LowX, MediumX, or HighX flags. These three flags have the same meaning as their respective flags without the X (Low, Medium, and High). However, if you include ActiveX controls in the cabinet file, they will be denied, allowed to run, or query the user, based on the security settings of the zone.

If your cabinet file has only ActiveX controls, do not use the Java signing method. Instead, use signcode without JavaSign.dll.

The following table summarizes the security levels to use based on the contents of the cabinet file.

Cabinet file contents Security level
Java code only High, Medium, or Low
Mixed Java code and ActiveX controls HighX, MediumX, or LowX
ActiveX controls only Do not sign with Java permissions; use signcode without JavaSign.dll

© 1999 Microsoft Corporation. All rights reserved. Terms of use.