Defining Permission Sets Using Cprmedit
The cprmedit tool enables you to edit Java permissions for specific security zones using a graphical user interface. The permissions set by cprmedit are recognized by Microsoft Internet Explorer 4.0 or later. The user interface presented by the cprmedit tool is similar to the dialog boxes in Internet Explorer 4.01 that enable administrators to set security options.
To run the Custom Permission Editor, make sure that the %SDKDIR%\Bin directory is in your path, and then type cprmedit on the command line. The Custom Permission Editor dialog box will appear. To edit the permissions for a particular zone, choose one of the zones listed in the drop-down list box. For each zone, there are three sets of permissions that you can edit: Unsigned Permissions, Trusted Signed Permissions, and Untrusted Signed Permissions. Each permission set has its own area in the dialog box, and each area contains check boxes and buttons that are used to define the group.
The following sections explain how to define a permission set.
Unsigned Permissions
Unsigned Permissions are permissions granted to unsigned content. To edit these permissions, select one of the following choices.
Unsigned Content is Fully Trusted |
Gives all permissions to unsigned content. This setting is not recommended because damaging content could be run on your computer. |
Edit |
Specifies a set of permissions to give to unsigned content. For more information, see Editing Permission Sets. |
Trusted Signed Permissions
Trusted Signed Permissions are permissions requested by signed content that do not require user approval. To edit these permissions, select one of the following choices.
Grant all Permissions Requested by Signed Content |
Gives signed content all requested permissions. This setting is not recommended. |
Edit |
Specifies a set of permissions to give to the Trusted Signed Permissions group. For more information, see Editing Permission Sets. |
Untrusted Signed Permissions
Untrusted Signed Permissions are permissions requested by signed content that require user approval or are absolutely denied. When editing the Untrusted Signed Permissions group, you must select one of the following options to indicate whether the user should be queried.
Ask for Approval of Untrusted Permissions |
Queries the user if signed content requests a permission set that is not a subset of the Trusted Signed Permissions group and is a subset of the Untrusted Signed Permissions group. If signed content requests any other permission set that is not a subset of the Trusted Signed Permissions group, the content is automatically refused. |
Refuse Untrusted Permissions Without Asking |
Automatically refuses signed content requesting a permission that is not a subset of the Trusted Signed Permissions group and is a subset of the Untrusted Signed Permissions group. The user is asked for approval if any other permission set is requested. |
You can also choose the Apply to all Permissions not Specifically Allowed option to include all permissions in the Untrusted Signed Permissions group. Any permission set that is not a subset of the Trusted Signed Permissions group will be queried or denied based on the setting of the buttons previously described.
If you do not choose this option, you can select the Edit button to specify a set of permissions to give to the Untrusted Signed Permissions group. For more information, see Editing Permission Sets.
Editing Permission Sets
To edit a set of permissions, select the Edit button for the permission set you are interested in. The Edit Custom Permissions dialog box appears. This dialog box contains the following tabs, each of which indicates permissions that can be edited.
Tab name |
Permission description |
File |
The ability to read, write, or delete files. |
Registry |
The ability to read, write, delete, create, or open keys in the registry. |
Network |
The ability to connect or bind to various hosts or ports on the network. |
Client Services |
The ability to access client storage, perform user-directed file I/O, access user interface functionality, print, use multimedia libraries, and access security classes. |
System |
The ability to run programs, access system properties, manipulate threads, and redirect system streams. |
Reflection |
The ability to access public or declared members of a class, based on the class loader. |
Custom |
The ability to use a non-system permission designed by the user. |
Choose the tab for the permission that you want to edit and complete the fields and check boxes to set the permissions you want. Note the following general rules for entering information:
- Navigate between permissions by selecting the tabs.
- For File, Registry, and Network permissions, as well as Property and Execution permissions in the System tab, you can use the asterisk (*) and the question mark (?) as wildcard characters in any edit box. For example, in the File tab, if you want to add read permission for all files ending in .doc, select Read from the Access type list box, type *.doc in the Include files edit box, and then click Add.
- You can use the semicolon (;) as a delimiter for Property and Execution permissions in the System tab.
- When using a character such as an asterisk (*), a question mark (?), or a semicolon (;) as a literal in expressions, you must enclose the entire expression in double quotes and precede the character with a backslash. You must also precede each literal backslash with a backslash. For example, if you want to specify all file names in the C:\Windows\ directory whose second character is an asterisk (*), enter the following, including the double quotes: "C:\\Windows\\?\**".
- Use the Medium, High, or Clear buttons to set all the permissions in the set to a security setting or to clear the permission settings. Be aware that using these buttons affects all the permissions, not just the currently selected tab. Any previous edits to the permissions will be erased and reset to Medium, High, or Clear.
- When you have finished editing a set of permissions, click OK. This returns you to the Custom Permission Editor dialog box. You can then edit another permission group. To save the chosen settings but continue editing other permission settings, click Apply. To save the chosen settings and close the dialog box, click OK. To quit without saving your settings, click Cancel.
The following topics describe how to edit each permission tab:
File
Registry
Network
Client Services
System
Reflection
Custom
File
- Select one of the following from the Access type drop-down list: Read, Write, or Delete.
- To include a file, enter the file name in the Include files edit box, and then click Add.
- To exclude a file, enter the file name in the Exclude files edit box, and then click Add.
- To remove a file, select the file name from the included or the excluded file list, and then click Remove.
- Repeat this process until you have added or removed the appropriate included or excluded files from the access types.
Registry
- Select one of the following from the Access type drop-down list: Read, Write, Delete, Create, or Open.
- To include a key, enter the key name in the Include keys edit box and then click Add.
- To exclude a key, enter the key name in the Exclude keys edit box and then click Add.
- To remove a key, select the key name from the included or the excluded key list, and then click Remove.
- Repeat this process until you have added or removed the appropriate included or excluded keys from the access types.
Network
- Select one of the following from the Access type drop-down list: Connect, Bind, Multicast, or Global Ports.
- To include a host, enter the host name or IP address in the Include host edit box. You can specify a list of single ports, port ranges, or both by entering them in the Ports edit box, separated by commas. For example, 27-80, 95, 100-102 is a valid list of ports. If you choose the Multicast access type, you can only specify the host. If you choose the Global Ports access type, you can only specify the ports, not the host. Then, click Add.
- To exclude a host, enter the host name or the IP address in the Exclude host edit box. You can enter the list of ports and port ranges in the Ports edit box, separated by commas. Then, click Add.
- To remove a host or port, select the name of the host or port from the included or excluded host list, and then click Remove.
- Repeat this process until you have added or removed the appropriate included or excluded hosts or ports from the access types.
Client Services
Client storage settings
- To change the amount of allowed client storage, enter the appropriate number of kilobytes in the Storage limit edit box.
- To exempt client storage from global storage limits, select the Exempt from global client storage limit check box.
- To allow or deny access to roaming files, select or clear the Access to roaming files check box.
Miscellaneous
- To allow or deny access to printing services, select or clear the Access to printing services check box.
- To allow or deny access to multimedia libraries, select or clear the Access to multimedia libraries check box.
- To allow or deny access to security classes, select or clear the Access to security classes check box.
User-directed file I/O
- To allow or deny user-directed read access to files, select or clear the Read access check box.
- To allow or deny user-directed write access to files, select or clear the Write access check box.
User interface restrictions
- To allow or deny the creation of file dialog boxes, select or clear the Create file dialogs check box.
- To allow or deny the creation of top-level windows, select or clear the Create top level windows check box. If you allow top-level window creation, you can enable or disable the applet warning banner by clearing or selecting the Turn off applet warning banner check box.
- To allow or deny access to the Clipboard, select or clear the Clipboard access check box.
System
Property access
- To allow access to specific system properties, enter the name of the property or properties in the Include properties edit box; separate property names with semicolons (;).
- To deny access to specific system properties, enter the name of the property or properties in the Exclude properties edit box; separate property names with semicolons (;).
- To allow access to properties that are described by a particular suffix, enter the suffix in the Suffixes edit box. For instance, entering the "applet" suffix would allow access to a system property "X" if the system property "X.applet" exists and is set to True.
- To allow or deny unrestricted access to system properties, select or clear the Unrestricted access to properties check box.
Thread access
- To allow or deny access to thread objects, select or clear the Thread objects check box.
- To allow or deny access to thread group objects, select or clear the Thread group objects check box.
Execution access
- To allow specific files to be executed, enter the file name in the Include applications edit box.
- To deny the right to execute specific files, enter the file name in the Exclude applications edit box.
- To allow or deny the right for all applications to be executed, select or clear the Unrestricted execution of applications check box.
System stream redirection access
- To allow or deny the ability to redirect the standard system input stream (System.in), select or clear the Standard input stream check box.
- To allow or deny the ability to redirect the standard system output stream (System.out), select or clear the Standard output stream check box.
- To allow or deny the ability to redirect the standard system error stream (System.err), select or clear the Standard error stream check box.
Reflection
Public member reflection
- To allow or deny access to public members of classes loaded by the same class loader, select or clear the Same loader check box.
- To allow or deny access to public members of classes loaded by a different class loader, select or clear the Different loader check box.
- To allow or deny access to public members of classes loaded by a system loader, select or clear the System loader check box.
Declared member reflection
Note A declared member is any member of a class.
- To allow or deny access to declared members of classes loaded by the same class loader, select or clear the Same loader check box.
- To allow or deny access to declared members of classes loaded by a different class loader, select or clear the Different loader check box.
- To allow or deny access to declared members of classes loaded by a system loader, select or clear the System loader check box.
Custom
- To add a parameter to a custom permission (a non-system permission), enter the name of the permission class in the Class name edit box. Then, enter the parameter in the Parameters edit box and click Add.
- To remove a parameter from a custom permission, enter the name of the permission class in the Class name edit box. Then, enter the parameter in the Parameters edit box and click Remove.
The class must be on the class path or it will not be found. In addition, the class should support the EncodeFormats.TEXT encoding if it requires parameters and needs to support the Custom Permission Editor.
If you edit a custom permission class that does not have the thread permission, the Custom Permissions Editor will add the thread permission so that unrestricted access to threads and thread groups is denied.
© 1999 Microsoft Corporation. All rights reserved. Terms of use.