Microsoft SDK for Java

Defining Permission Sets Using Cprmedit

The cprmedit tool enables you to edit Java permissions for specific security zones using a graphical user interface. The permissions set by cprmedit are recognized by Microsoft Internet Explorer 4.0 or later. The user interface presented by the cprmedit tool is similar to the dialog boxes in Internet Explorer 4.01 that enable administrators to set security options.

To run the Custom Permission Editor, make sure that the %SDKDIR%\Bin directory is in your path, and then type cprmedit on the command line. The Custom Permission Editor dialog box will appear. To edit the permissions for a particular zone, choose one of the zones listed in the drop-down list box. For each zone, there are three sets of permissions that you can edit: Unsigned Permissions, Trusted Signed Permissions, and Untrusted Signed Permissions. Each permission set has its own area in the dialog box, and each area contains check boxes and buttons that are used to define the group.

The following sections explain how to define a permission set.

Unsigned Permissions

Unsigned Permissions are permissions granted to unsigned content. To edit these permissions, select one of the following choices.

Unsigned Content is Fully Trusted: Gives all permissions to unsigned content. This setting is not recommended because damaging content could be run on your computer.
Edit: Specifies a set of permissions to give to unsigned content. For more information, see Editing Permission Sets.

Trusted Signed Permissions

Trusted Signed Permissions are permissions requested by signed content that do not require user approval. To edit these permissions, select one of the following choices.

Grant all Permissions Requested by Signed Content: Gives signed content all requested permissions. This setting is not recommended.
Edit: Specifies a set of permissions to give to the Trusted Signed Permissions group. For more information, see Editing Permission Sets.

Untrusted Signed Permissions

Untrusted Signed Permissions are permissions requested by signed content that require user approval or are absolutely denied. When editing the Untrusted Signed Permissions group, you must select one of the following options to indicate whether the user should be queried.

Ask for Approval of Untrusted Permissions: Queries the user if signed content requests a permission set that is not a subset of the Trusted Signed Permissions group and is a subset of the Untrusted Signed Permissions group. If signed content requests any other permission set that is not a subset of the Trusted Signed Permissions group, the content is automatically refused.
Refuse Untrusted Permissions Without Asking: Automatically refuses signed content requesting a permission that is not a subset of the Trusted Signed Permissions group and is a subset of the Untrusted Signed Permissions group. The user is asked for approval if any other permission set is requested.

You can also choose the Apply to all Permissions not Specifically Allowed option to include all permissions in the Untrusted Signed Permissions group. Any permission set that is not a subset of the Trusted Signed Permissions group will be queried or denied based on the setting of the buttons previously described.

If you do not choose this option, you can select the Edit button to specify a set of permissions to give to the Untrusted Signed Permissions group. For more information, see Editing Permission Sets.
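The decision rules described above for signed content can be modeled as set comparisons. The following is an added example, not code from the SDK: the function names, the flat permission labels and the sample zone settings are assumptions made for illustration.

```python
from enum import Enum

class Mode(Enum):          # the two option buttons for the Untrusted group
    ASK = "Ask for Approval of Untrusted Permissions"
    REFUSE = "Refuse Untrusted Permissions Without Asking"

class Outcome(Enum):
    GRANT = "granted without user approval"
    QUERY = "user is asked for approval"
    REFUSE = "refused automatically"

def decide_signed(requested, trusted, untrusted, mode, apply_to_all=False):
    """Outcome for signed content requesting `requested` in one zone.

    Assumption: permissions are modeled as flat labels, so "subset" is plain
    set inclusion; the real tabs hold richer include/exclude settings.
    """
    requested = frozenset(requested)
    if requested <= frozenset(trusted):
        return Outcome.GRANT
    # "Apply to all Permissions not Specifically Allowed" puts every
    # permission in the Untrusted group, so the subset test always passes.
    in_untrusted = apply_to_all or requested <= frozenset(untrusted)
    if mode is Mode.ASK:
        return Outcome.QUERY if in_untrusted else Outcome.REFUSE
    return Outcome.REFUSE if in_untrusted else Outcome.QUERY

# Constructed zone settings and requests; the labels are illustrative only.
TRUSTED = {"ui:basic", "file:read:scratch"}
UNTRUSTED = {"net:connect:origin", "file:write:scratch"}
REQUESTS = {
    "within trusted": {"ui:basic"},
    "within untrusted": {"net:connect:origin"},
    "outside both": {"registry:write"},
}

def review(mode, apply_to_all=False):
    """Map each sample request to its outcome name under the given settings."""
    return {name: decide_signed(req, TRUSTED, UNTRUSTED, mode, apply_to_all).name
            for name, req in REQUESTS.items()}

if __name__ == "__main__":
    for mode in Mode:
        for apply_to_all in (False, True):
            print(mode.name, "apply_to_all=%s" % apply_to_all,
                  review(mode, apply_to_all))
```

With an explicitly edited Untrusted group, the Refuse option still leads to a prompt for requests that fall outside both groups; under these rules only the Apply to all option makes every non-trusted request follow the selected button.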

Editing Permission Sets

To edit a set of permissions, select the Edit button for the permission set you are interested in. The Edit Custom Permissions dialog box appears. This dialog box contains the following tabs, each of which indicates permissions that can be edited.

Tab name          Permission description
File              The ability to read, write, or delete files.
Registry          The ability to read, write, delete, create, or open keys in the registry.
Network           The ability to connect or bind to various hosts or ports on the network.
Client Services   The ability to access client storage, perform user-directed file I/O, access user interface functionality, print, use multimedia libraries, and access security classes.
System            The ability to run programs, access system properties, manipulate threads, and redirect system streams.
Reflection        The ability to access public or declared members of a class, based on the class loader.
Custom            The ability to use a non-system permission designed by the user.

Choose the tab for the permission that you want to edit and complete the fields and check boxes to set the permissions you want. Note the following general rules for entering information:

The following topics describe how to edit each permission tab:

File

Registry

Network

Client Services

System

Reflection

Custom

File

  1. Select one of the following from the Access type drop-down list: Read, Write, or Delete.
  2. Repeat this process until you have added or removed the appropriate included or excluded files from the access types.

Registry

  1. Select one of the following from the Access type drop-down list: Read, Write, Delete, Create, or Open.
  2. Repeat this process until you have added or removed the appropriate included or excluded keys from the access types.

Network

  1. Select one of the following from the Access type drop-down list: Connect, Bind, Multicast, or Global Ports.
  2. Repeat this process until you have added or removed the appropriate included or excluded hosts or ports from the access types.

Client Services

Client storage settings

Miscellaneous

User-directed file I/O

User interface restrictions

System

Property access

Thread access

Execution access

System stream redirection access

Reflection

Public member reflection

Declared member reflection

Note: A declared member is any member of a class.

Custom

The class must be on the class path or it will not be found. In addition, the class should support the EncodeFormats.TEXT encoding if it requires parameters and needs to support the Custom Permission Editor.

If you edit a custom permission class that does not have the thread permission, the Custom Permission Editor will add the thread permission so that unrestricted access to threads and thread groups is denied.

© 1999 Microsoft Corporation. All rights reserved.