Policy files for Browsers

I've got an applet that I want to run in a browser, but I need to set up a policy file for it. I was wondering where this policy file should go and what it should be called so that the browser finds and uses it? Is there any difference between the location of a policy file for Internet Explorer and Netscape?
Thanks for your help,
David

My understanding is that if your applet is signed (even by a self-signed certificate), it gets its permission from the browser's security manager. Take a look at my file I/O demo at the link shown below:
http://home.attbi.com/~aokabc/FileIO/FileIOdemo.htm
You'll find more info about signing an applet in the first few links on the page. This demo is self-signed and requires no change whatsoever in the user's policy file -- the browser (IE and NN4+) must be correctly set to run the demo (a pain in the butt).
V.V.

Similar Messages

  • Unable to locate unrestricted policy files for the Sun JCE for download

    My platform:
    java version "1.6.0_26"
    Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
    Oracle JRockit(R) (build R28.1.4-7-144370-1.6.0_26-20110617-2130-windows-x86_64, compiled mode)
    I am unable to locate the Unlimited Strength Jurisdiction JCE files.
    According to BouncyCastle for Java 1.6:
    ..."you must download the unrestricted policy files for the Sun JCE if you want the provider to work properly. The policy files can be found at the same place as the JDK download. Further information on this can be found in the Sun documentation on the JCE."

    The version at the very bottom of http://www.oracle.com/technetwork/java/javase/downloads/index.html should work.

  • Java: Where are JCE Unlimited Strength Jurisdiction Policy Files for Java for Mac OS X 10.7?

    I need to install the JCE Unlimited Strength Jurisdiction Policy Files for Java 1.6 under Mac OS X 10.7. I know where to get them from the Sun/Oracle Java download site, but want to make sure that these will work on the Mac. Or, are there Mac specific versions somewhere?

    There's a jce.jar file in /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/, so it appears that they're already in place, but that's just a WAG.

  • Where can I download the unrestricted policy files for the JCE?

    I'm getting errors because I don't have the unrestricted policy files for the JCE. I've checked Sun's website, but I can't find them anywhere. Can someone provide me a link?

    At the bottom of the JDK download page - http://java.sun.com/j2se/1.5.0/download.jsp

  • Policy File for WebService

    I try to access a flex web service
    <mx:WebService id="xxx" wsdl="http://xxxxxx/sap/bc/srt/rfc/sap/AABBCC?wsdl" showBusyCursor="true">
    The system of the Web Service is not the same as "my system" (where the SWF file is obtained from). Therefore I do need to load the policy (crossdomain.xml): Security.loadPolicyFile("http://xxxxxx/sap/a/bc/crossdomain.xml").
    For some reason I can not put the crossdomain file on ROOT level, so I have to load it explicitly.
    My problem: How (which event) can I accomplish that the file is loaded PRIOR(!) to the <mx:WebService> tag being parsed and run?
    My problem is, I do still get the security error, although I load the file. I have cross-checked it with an alert message; the reason is: none of the events I have placed the loading in is completed before the wsdl file is loaded.
    Any idea how to overcome the problem?
    Thanks

    How can I create a java string object in wlst?
    I have to upload an xacml document by using this object.
    I have created an MBean of type Realm by using the following command:
    wls:/DefaultDomain/edit/Deployments !> create('object','Realms')
    The object has been successfully created, but when I use the following command
    xacmlFile = open('role-policy','object')
    the following error occurs:
    IOError: Unknown open mode: object
    Can anyone tell me how I can remove this error?

  • Signed applets (are policy files needed!)

    I have experienced on a number of different machines that a signed applet that the client trusts (via clicking on yes to the prompt asking to trust the applet) is able to access the local resources with NO policy file on the client machine. I'm using JRE 1.4.1_02.
    Is this the expected behavior?
    I sure hope it is, because how in the world can you install applications to many clients and update their policy file? You can't via the web! BUT why am I reading that you have to have a policy file even if you sign an applet? I want to get rid of using the Netscape security model but I can not update many client machine policy files... Please help!!! Thanks. Is signing an applet all you have to do to access local machines? I sure hope so! Thanks in advance.

    I've done some more research specifically a very good article at http://developer.java.sun.com/developer/technicalArticles/Security/applets/index.html. I'll try to highlight the more interesting comments that I found. At least for the JRE 1.3 there appears to be a new class loader, sun.plugin.security.PluginClassLoader that allows a signed jar file (once trusted by the client) to have access to local resources.
    Code signed using the private key of the signer can be run on client machines once the public key corresponding to the signer is deemed as trusted on the respective machine.
    Applet security in browsers strives to prevent untrusted applets from performing potentially dangerous operations, while simultaneously allowing optimal access to trusted applets.
    There is no simple way to deploy and use customized policy files; a policy will have to be set by files based on the JRE installation. Customized class loaders or security managers cannot be installed easily.
    Policy files are difficult or at least not very straightforward for normal users, which could be thousands of machines where an applet is deployed.
    The java plug-in (I believe it's 1.3 and later) provides a workaround, although it's recommended to use policy files wherever practical and applicable. (This implies to me that using the plug-in, all that is required is to sign the jar file to have access to local resources.)
    RSA-signed applets can be deployed using the Java plug-in. (which can run in an identical way for Netscape and IE).
    In order for a plug-in enhanced browser to trust an applet and grant it all privileges or a set of fine-grained permissions (as specified in a J2EE policy file), the user has to preconfigure his or her cache of trusted signer certificates (the .keystore file in JRE 1.3) to add the applet's signer to it. However, this solution does not scale well if the applet needs to be deployed on thousands of client machines, and may not always be feasible because users may not know in advance who signed the applet that they are trying to run. A NEW CLASS LOADER, sun.plugin.security.PluginClassLoader in the Java Plug-in 1.3, OVERCOMES THE LIMITATIONS MENTIONED ABOVE.
    I hope this helps. I've been looking for this solution for quite some time, trying to understand why signed applets work with no policy files for version 1.4... Talk to you later, Jay.

  • Override JCE default (limited strength) jurisdiction policy files

    Hi!
    I am writing an applet, which has to decrypt an encrypted file with some symmetric algorithm, e.g. PBEWithMD5AndTripleDes. Due to limitations of key lengths in the default (limited strength) jurisdiction policy files for JCE I cannot use, for example, TripleDES with a 168 bit key or Blowfish with a 400 bit key.
    I know I can obtain the Unlimited version of these files from java.sun.com and replace these files in the JDK/JRE installation directory. That's ok for us at the server side, but a disaster at the client (applet) side, because we must modify the installation of the JRE on every computer where a user wants to use the applet, and update it every time the JRE is being updated.
    So my question is: is there any way to distribute the unlimited jurisdiction files with an applet (I know how to include *.jar files) and make it work? For example via the endorsed mechanism, setting some security property, reloading JCE?
    Thanks for help!

    You can't override them. Since the restrictions apply only to the JCE, your best bet is to use the lightweight API from Bouncy Castle, which does not use the JCE.

  • Java Web Start and Policy File

    Hi,
    I have a problem with Java Web Start (JWS) working with a Policy File.
    I'd like to apply a policy file to a JWS application to fine-tune the security settings instead of granting permission in JWS.
    For an applet environment, I can apply policy file like this:
    appletviewer -J"-Djava.security.policy=all.policy" writeFile.html
    However, in JWS environment, I try to apply in JNLP file as below but fail:
    <?xml version="1.0" encoding="UTF-8"?>
    <jnlp spec="1.0+" codebase="http://130.18.52.226:8080/testing/">
      <information>
        <title>JWS JFrame App</title>
        <vendor>Java Developer Connection</vendor>
        <homepage href="http://java.sun.com/jdc" />
        <description>Demonstration of JNLP</description>
        <icon href="hsbc.gif" width="32" height="32" />
      </information>
      <resources>
        <j2se version="1.3*" />
        <property name="java.security.manager" value="x" />
        <property name="java.security.policy" value="testing.policy"/>
        <jar href="testing.jar"/>
      </resources>
      <application-desc main-class="JWSJFrameApp" />
    </jnlp>
    The error message like this:
    Java Web Start Console, started Tue Sep 03 09:59:36 CST 2002
    Java 2 Runtime Environment: Version 1.3.0 by Sun Microsystems Inc.
    java.security.AccessControlException: access denied (java.util.PropertyPermission java.security.manager write)
    java.security.AccessControlException: access denied (java.util.PropertyPermission java.security.policy write)
    Could anyone please help on this!
    Many thanks!
    Regards,
    Simon Ho

    There are two problems with what you are trying to do.
    First, setting a property PROP=VALUE in the jnlp file does not mean that Java will be launched with -DPROP=VALUE; instead, javawebstart will call System.setProperty(PROP,VALUE) before your app's main() is called. The difference is, the property will not be set at the time the VM is initialized.
    Second, the javaws security policy will not allow you to set arbitrary properties in an unsigned application. Only properties beginning with "jnlp." or "javaws." (and possibly a few other specific props known to the native javaws code) can be set in an application unless <all-permissions> is specified and the app is signed.

  • Including non-existent permissions in a policy file

    I noticed that if I, in a policy file, specify a permission whose implementation is not available to the VM, no error occurs and it seems like the bogus permission is simply ignored.
    I use -Djava.security.manager and -Djava.security.policy=my.policy.
    For example, if I specify a permission that was added in J2SE 5.0 in a policy file used with a J2SE 1.4.2 JVM (from Sun), I get no errors. This is good, since it means that I can use the same policy file for all JVM versions that I have to support. However, I was not able to find anything about this in the documentation.
    Can I trust all compliant JVMs to work like this, or is this specific to Sun's implementations? Is this mentioned in the documentation/spec somewhere?
    Thanks...

    If you want to give read permissions for all the files in conf:
    permission java.io.FilePermission "\\dvp\\conf\\-","read";
    Hope this helps!
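    The following Java program is added here as an illustration and is not part of either message above. It loads a constructed policy file that combines the reply's recursive FilePermission grant (written with a Unix-style path, /dvp/conf/-) with a grant for a permission class that exists nowhere, and shows two things the thread asks about: the standard JavaPolicy provider parks the unknown class as a java.security.UnresolvedPermission instead of failing (which is why the bogus entry appears to be ignored and can never grant anything), and conf/- implies files arbitrarily deep below conf while still denying sibling paths and other actions. The class name com.example.DoesNotExistPermission is made up for the example.

```java
import java.io.FilePermission;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.URIParameter;
import java.security.UnresolvedPermission;
import java.security.cert.Certificate;
import java.util.Enumeration;

public class PolicyFileCheck {

    // Constructed policy text for this example. The first grant is the reply's
    // recursive form: conf/- covers the whole subtree, whereas conf/* would cover
    // only the direct children. The second grant names a permission class that
    // does not exist anywhere (made-up name).
    private static final String POLICY =
        "grant {\n"
        + "  permission java.io.FilePermission \"/dvp/conf/-\", \"read\";\n"
        + "  permission com.example.DoesNotExistPermission \"bogus\";\n"
        + "};\n";

    /** Parses the policy text through the standard JavaPolicy provider. */
    static PermissionCollection loadGrants(String policyText) throws Exception {
        Path tmp = Files.createTempFile("example", ".policy");
        try {
            Files.write(tmp, policyText.getBytes(StandardCharsets.UTF_8));
            Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(tmp.toUri()));
            // A grant block with no codeBase/signedBy applies to any code source,
            // so an unsigned, location-less CodeSource is enough to receive it.
            CodeSource anyCode = new CodeSource(null, (Certificate[]) null);
            return policy.getPermissions(anyCode);
        } finally {
            Files.deleteIfExists(tmp);
        }
    }

    /** Counts grants whose permission class could not be loaded by the provider. */
    static int countUnresolved(PermissionCollection granted) {
        int unresolved = 0;
        for (Enumeration<Permission> e = granted.elements(); e.hasMoreElements();) {
            if (e.nextElement() instanceof UnresolvedPermission) {
                unresolved++;
            }
        }
        return unresolved;
    }

    public static void main(String[] args) throws Exception {
        PermissionCollection granted = loadGrants(POLICY);

        for (Enumeration<Permission> e = granted.elements(); e.hasMoreElements();) {
            Permission p = e.nextElement();
            System.out.println(p.getClass().getSimpleName() + " -> " + p);
        }

        // The unknown class is kept as an UnresolvedPermission: no parse error,
        // and UnresolvedPermission.implies() is always false, so it grants nothing.
        if (countUnresolved(granted) != 1) {
            throw new IllegalStateException("expected exactly one unresolved grant");
        }

        // "/dvp/conf/-" reaches arbitrarily deep below conf ...
        Permission nested = new FilePermission("/dvp/conf/sub/app.properties", "read");
        // ... but covers neither a sibling path nor a different action.
        Permission outside = new FilePermission("/dvp/other.txt", "read");
        Permission write = new FilePermission("/dvp/conf/app.properties", "write");

        if (!granted.implies(nested) || granted.implies(outside) || granted.implies(write)) {
            throw new IllegalStateException("FilePermission wildcard did not behave as expected");
        }
        System.out.println("conf/- implies the nested read and denies the sibling and the write");
    }
}
```

    On JDK 17 and later, java.security.Policy is deprecated and compiles with a warning, but the provider still loads and evaluates the file as shown.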

  • Cross-Domain Policy File

    I just made an IRC client for Android + iOS, and now I'm having issues porting it to the browser.  I've built flash games where the server hosts the Policy Domain File, obviously with an IRC client that's not going to happen in all instances.
    I'm wondering why the browser version can run perfectly fine under CS6's debug mode, but when it's been deployed to the browser it can't seem to connect?  What settings would I have to do [if at all possible] to replicate this debug mode [in CS6] inside the browser?
    Thanks!

    In the browser, are you running it via Flash Player or are you making an AIR for web app?
    The browser is the strictest sandbox Flash can run in. The infamous #2048 is a generic security violation. You're doing something your current sandbox doesn't allow. The most obvious thing to verify is on the SWF output settings make sure your sandbox is set to access network files, not access local files. Otherwise you'll get that error.
    Outside that it's going to be looking for a socket policy file. I won't even get into creating these because your endpoint is an IRC server. Unless you're running your own IRC server you're not going to get some IRC server host to install a socket policy file for you so that point is moot. Without the socket policy file you're in some tough territory that will require some advanced debugging.
    My suggestion would be to get Fiddler so you can actually see the request and response packets being sent to and from Flash inside your browser. You will definitely see Flash make a request and the response will give you clues on what's happening just before you receive the #2048 security error. You may see it request the policy file and then the server returns nothing or an invalid response and then Flash gives you the error. If that happens you may be out of luck.
    Here's fiddler (I'd update your .NET to the latest and use V4 instead of V2):
    http://www.fiddler2.com/fiddler2/version.asp
    Here's another Adobe post of someone having a #2048 error while using fiddler to diagnose it:
    http://forums.adobe.com/message/4668901#4668901
    The fiddler site has some documentation. It's a pretty great tool for analyzing packet traffic (using the "select process" target will limit the packets to a browser you select (or any other app)). You may need to enable decrypting HTTPS traffic if you're using a SecureSocket. There's all instructions there on helping you diagnose and watch the inner workings of all requests/responses to track down the issue quickly.
    Lastly I would uninstall Fiddler after you're done with it and reinstall it later when you need it. Especially if you enable HTTPS decryption. It must install some fake certificates to allow itself to intercept traffic. You'll just clutter up your certificates with junk certs if you keep fiddler installed. It's a very quick install/uninstall and the software itself is very widely used and regarded. It's not a trust thing, it's a cleanliness thing.

  • Enable userName Token profile in Java client policy file

    My stand-alone java client invokes a .Net web service which implements WSE 3.0 userName Token. However, when I ran my client program with the policy file which I converted from the .Net config policy, I got errors. How could I make this right?
    [java] java.rmi.RemoteException: SOAPFaultException - FaultCode [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] FaultString [Header http://schemas.xmlsoap.org/ws/2004/08/addressing:Action for ultimate recipient is required but not present in the message.] FaultActor [http://192.168.254.102/TestImageserver2007/DLImageService.asmx]No Detail; nested exception is:
    [java]      javax.xml.rpc.soap.SOAPFaultException: Header http://schemas.xmlsoap.org/ws/2004/08/addressing:Action for ultimate recipient is required but not present in the message.
    [java] fetchMostRecent() Failed...
    [java]      at digimarc.foto.webservice.clientstub.ImageServiceSoap_Stub.imagingFolioFetchMostRecent(ImageServiceSoap_Stub.java:137)
    [java]      at digimarc.foto.webservice.Client.main(Client.java:40)
    [java] Caused by: javax.xml.rpc.soap.SOAPFaultException: Header http://schemas.xmlsoap.org/ws/2004/08/addressing:Action for ultimate recipient is required but not present in the message.
    [java]      at weblogic.wsee.codec.soap11.SoapCodec.decodeFault(SoapCodec.java:311)
    [java]      at weblogic.wsee.ws.dispatch.client.CodecHandler.decodeFault(CodecHandler.java:114)
    [java]      at weblogic.wsee.ws.dispatch.client.CodecHandler.decode(CodecHandler.java:99)
    [java]      at weblogic.wsee.ws.dispatch.client.CodecHandler.handleFault(CodecHandler.java:87)
    [java]      at weblogic.wsee.handler.HandlerIterator.handleFault(HandlerIterator.java:248)
    [java]      at weblogic.wsee.handler.HandlerIterator.handleResponse(HandlerIterator.java:218)
    [java]      at weblogic.wsee.ws.dispatch.client.ClientDispatcher.handleResponse(ClientDispatcher.java:159)
    [java]      at weblogic.wsee.ws.dispatch.client.ClientDispatcher.dispatch(ClientDispatcher.java:114)
    [java]      at weblogic.wsee.ws.WsStub.invoke(WsStub.java:89)
    [java]      at weblogic.wsee.jaxrpc.StubImpl._invoke(StubImpl.java:331)
    [java]      at digimarc.foto.webservice.clientstub.ImageServiceSoap_Stub.imagingFolioFetchMostRecent(ImageServiceSoap_Stub.java:132)
    Policy file used:
    <?xml version="1.0" ?>
    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                xmlns:wssp="http://www.bea.com/wls90/security/policy"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part">
      <!-- Accompany outgoing SOAP messages with a username and password before sending them
           out on the wire. -->
      <wssp:Security>
        <wssp:userNameToken>
          <wssp:userName>weblogic</wssp:userName>
          <wssp:password type="TEXT">weblogic</wssp:password>
        </wssp:userNameToken>
      </wssp:Security>
    </wsp:Policy>
    .Net config policy file:
    <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
      <extensions>
        <extension name="kerberosSecurity" type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <extension name="kerberos" type="Microsoft.Web.Services3.Design.KerberosTokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <extension name="usernameForCertificateSecurity" type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <extension name="usernameOverTransportSecurity" type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </extensions>
      <policy name="AuthorizationPolicy">
        <kerberosSecurity establishSecurityContext="false" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300">
          <token>
            <kerberos targetPrincipal="host/nbcis1" impersonationLevel="Identification" />
          </token>
          <protection>
            <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
            <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
            <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
          </protection>
        </kerberosSecurity>
        <requireActionHeader />
      </policy>
      <policy name="InteropPolicy">
        <usernameOverTransportSecurity />
        <requireActionHeader />
      </policy>
      <policy name="NamePolicy">
        <usernameOverTransportSecurity >
          <clientToken>
            <username username="nbdls\joejoe" password="ImAGe!" />
          </clientToken>
        </usernameOverTransportSecurity>
        <requireActionHeader />
      </policy>
    </policies>

    Thanks Carlo for the suggestion. That helps to overcome my huge hurdle. The username and password were sent successfully in the SOAP header to the .Net web service.
    However, there are still some errors on the java client side. I am getting:
    [java] java.rmi.RemoteException: SOAPFaultException - FaultCode [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] FaultString [Header http://schemas.xmlsoap.org/ws/2004/08/addressing:Action for ultimate recipient is required but not present in the message.] FaultActor [http://192.168.254.102/TestImageserver2007/DLImageService.asmx]No Detail; nested exception is:
    [java]      javax.xml.rpc.soap.SOAPFaultException: Header http://schemas.xmlsoap.org/ws/2004/08/addressing:Action for ultimate recipient is required but not present in the message.
    [java]      at digimarc.foto.webservice.clientstub.ImageServiceSoap_Stub.imagingFolioFetchMostRecent(ImageServiceSoap_Stub.java:137)
    [java]      at digimarc.foto.webservice.Client.main(Client.java:58)
    [java] Caused by: javax.xml.rpc.soap.SOAPFaultException: Header http://schemas.xmlsoap.org/ws/2004/08/addressing:Action for ultimate recipient is required but not present in the message.
    [java]      at weblogic.wsee.codec.soap11.SoapCodec.decodeFault(SoapCodec.java:311)
    [java]      at weblogic.wsee.ws.dispatch.client.CodecHandler.decodeFault(CodecHandler.java:114)
    [java]      at weblogic.wsee.ws.dispatch.client.CodecHandler.decode(CodecHandler.java:99)
    [java]      at weblogic.wsee.ws.dispatch.client.CodecHandler.handleFault(CodecHandler.java:87)
    [java]      at weblogic.wsee.handler.HandlerIterator.handleFault(HandlerIterator.java:248)
    [java]      at weblogic.wsee.handler.HandlerIterator.handleResponse(HandlerIterator.java:218)
    [java]      at weblogic.wsee.ws.dispatch.client.ClientDispatcher.handleResponse(ClientDispatcher.java:159)
    [java]      at weblogic.wsee.ws.dispatch.client.ClientDispatcher.dispatch(ClientDispatcher.java:114)
    [java]      at weblogic.wsee.ws.WsStub.invoke(WsStub.java:89)
    [java]      at weblogic.wsee.jaxrpc.StubImpl._invoke(StubImpl.java:331)
    [java]      at digimarc.foto.webservice.clientstub.ImageServiceSoap_Stub.imagingFolioFetchMostRecent(ImageServiceSoap_Stub.java:132)
    [java]      ... 1 more
    The statement:
    "Action for ultimate recipient is required but not present in message". What is missing?
    This is what I have in my java client:
    FileInputStream[] inbound_policy_array = new FileInputStream[1];
    inbound_policy_array[0] = new FileInputStream("Auth.xml");
    FileInputStream[] outbound_policy_array = new FileInputStream[1];
    outbound_policy_array[0] = new FileInputStream("Auth.xml");
    // create service and port
    ImageService imageService = new ImageService_Impl(args[0]);
    // specify an array of policy files for the request and response of a
    // particular operation
    ImageServiceSoap array_of_policy_port = imageService.getImageServiceSoap("ImagingFolioFetchMostRecent", inbound_policy_array, outbound_policy_array);
    // create credential provider and set it to the Stub
    List credProviders = new ArrayList();
    // client side UsernameToken credential provider
    CredentialProvider cp = new ClientUNTCredentialProvider("nsbbdl\\joejoe", "ImAGes!");
    credProviders.add(cp);
    Stub stub = (Stub) array_of_policy_port;
    stub._setProperty(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credProviders);
    try {
        ApplicantDataFolio adf = array_of_policy_port.imagingFolioFetchMostRecent("1001917");
    } catch (Throwable e) {
    }

  • [svn:osmf:] 17499: Partial fix for FM-990: prevent RTE when attempting smoothing for an image where a policy file was not available

    Revision: 17499
    Author:   [email protected]
    Date:     2010-08-27 11:05:22 -0700 (Fri, 27 Aug 2010)
    Log Message:
    Partial fix for FM-990: prevent RTE when attempting smoothing for an image where a policy file was not available
    Ticket Links:
        http://bugs.adobe.com/jira/browse/FM-990
    Modified Paths:
        osmf/trunk/framework/OSMF/org/osmf/elements/ImageElement.as

  • Policy Annotation in WebServices Impl file for JAX-WS WebServices

    Hi All ,
    I am trying to implement JAX-WS WebServices that support https transport. To do so I added the following annotation *@Policy(uri = "policy:Wssp1.2-2007-Https-BasicAuth.xml")* in my Jws Implementation file for the JAX-WS WebServices, but I got a parsing error. Can anyone please confirm that JAX-WS supports the policy annotation in the Impl file? If it is supported, could a link/pointer/example be given to implement an https enabled JAX-WS WebService and the required configuration in the wsdl file?
    Thanks and Regards

    For 11g, install the examples with a custom installation (you have to tick the check mark that is not checked by default).
    Then look here:
    <MIDDLEWARE_HOME>\wlserver_10.3\samples\server\examples\src\examples\webservices\wss1.1

  • I am looking for an existing ADM file for group policy to disable Javascript

    Does anyone know if there are any ADM files for acrobat versions 5,6,7, and 9? I also am looking to disable Javascript from the Adobe Reader 9 and X.

    Yes, to get your instrument drivers for this device go to the following link:
    http://zone.ni.com/idnet97.nsf/9b2b33e1993d877786256436006ec498/0027109f3d6e32dd86256d6d0068a5bd?OpenDocument
    If this link doesn't work:
    Goto Ni Home,
    NI Developer Zone
    Instrument Driver Network,
    Set Manufacture criteria to: Hewlett-Packard
    For additional keywords type: 33120A
    click go
    and there it is....
    Good luck,
    Greg

  • No log for am policy agent for iis6

    Hello!
    I'm trying to get Policy Agent for IIS to run on my Win Srv 2003 with IIS6 and Sharepoint Services.
    I am running the OpenSSO version of Access Manager.
    I have installed the agent and done the initial configuration.
    When I try to browse the resource I get a login prompt (IIS Basic Auth) and cannot login, followed by "Not Authorized 401.3".
    I should get redirected to the AM Login page, shouldn't I?
    I tried to look for answers in the log file but the /debug/<id> directory is empty.
    Anyone know what to do?
    The amAgent.properties file:
    # $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
    # The syntax of this file is that of a standard Java properties file,
    # see the documentation for the java.util.Properties.load method for a
    # complete description. (CAVEAT: The SDK in the parser does not currently
    # support any backslash escapes except for wrapping long lines.)
    # All property names in this file are case-sensitive.
    # NOTE: The value of a property that is specified multiple times is not
    # defined.
    # WARNING: The contents of this file are classified as an UNSTABLE
    # interface by Sun Microsystems, Inc. As such, they are subject to
    # significant, incompatible changes in any future release of the
    # software.
    # The name of the cookie passed between the Access Manager
    # and the SDK.
    # WARNING: Changing this property without making the corresponding change
    # to the Access Manager will disable the SDK.
    com.sun.am.cookie.name = iPlanetDirectoryPro
    # The URL for the Access Manager Naming service.
    com.sun.am.naming.url = http://login.lta.mil.se:8080/opensso/namingservice
    # The URL of the login page on the Access Manager.
    com.sun.am.policy.am.login.url = http://login.lta.mil.se:8080/opensso/UI/Login
    # Name of the file to use for logging messages.
    com.sun.am.policy.agents.config.local.log.file = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAgent
    # This property is used for Log Rotation. The value of the property specifies
    # whether the agent deployed on the server supports the feature of not. If set
    # to false all log messages are written to the same file.
    com.sun.am.policy.agents.config.local.log.rotate = true
    # Name of the Access Manager log file to use for logging messages to
    # Access Manager.
    # Just the name of the file is needed. The directory of the file
    # is determined by settings configured on the Access Manager.
    com.sun.am.policy.agents.config.remote.log = amAuthLog.sharepoint.lta.mil.se.80
    # Set the logging level for the specified logging categories.
    # The format of the values is
    # <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
    # The currently used module names are: AuthService, NamingService,
    # PolicyService, SessionService, PolicyEngine, ServiceEngine,
    # Notification, PolicyAgent, RemoteLog and all.
    # The all module can be used to set the logging level for all currently
    # none logging modules. This will also establish the default level for
    # all subsequently created modules.
    # The meaning of the 'Level' value is described below:
    # 0 Disable logging from specified module*
    # 1 Log error messages
    # 2 Log warning and error messages
    # 3 Log info, warning, and error messages
    # 4 Log debug, info, warning, and error messages
    # 5 Like level 4, but with even more debugging messages
    # 128 log url access to log file on AM server.
    # 256 log url access to log file on local machine.
    # If level is omitted, then the logging module will be created with
    # the default logging level, which is the logging level associated with
    # the 'all' module.
    # for level of 128 and 256, you must also specify a logAccessType.
    # *Even if the level is set to zero, some messages may be produced for
    # a module if they are logged with the special level value of 'always'.
    com.sun.am.log.level = 5
    # The org, username and password for Agent to login to AM.
    com.sun.am.policy.am.username = UrlAccessAgent
    com.sun.am.policy.am.password = PN4rEZ1uhx1404ivWY6HPQ==
    # Name of the directory containing the certificate databases for SSL.
    com.sun.am.sslcert.dir = C:/Sun/Access_Manager/Agents/2.2/iis6/cert
    # Set this property if the certificate databases in the directory specified
    # by the previous property have a prefix.
    com.sun.am.certdb.prefix =
    # Should agent trust all server certificates when Access Manager
    # is running SSL?
    # Possible values are true or false.
    com.sun.am.trust_server_certs = true
    # Should the policy SDK use the Access Manager notification
    # mechanism to maintain the consistency of its internal cache? If the value
    # is false, then a polling mechanism is used to maintain cache consistency.
    # Possible values are true or false.
    com.sun.am.notification.enable = true
    # URL to which notification messages should be sent if notification is
    # enabled, see previous property.
    com.sun.am.notification.url = http://sharepoint.lta.mil.se:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
    # This property determines whether URL string case sensitivity is
    # obeyed during policy evaluation
    com.sun.am.policy.am.url_comparison.case_ignore = true
    # This property determines the amount of time (in minutes) an entry
    # remains valid after it has been added to the cache. The default
    # value for this property is 3 minutes.
    com.sun.am.policy.am.polling.interval=3
    # This property allows the user to configure the User Id parameter passed
    # by the session information from the access manager. The value of User
    # Id will be used by the agent to set the value of REMOTE_USER server
    # variable. By default this parameter is set to "UserToken"
    com.sun.am.policy.am.userid.param=UserToken
    # Profile attributes fetch mode
    # String attribute mode to specify if additional user profile attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user profile attributes will be introduced.
    # HTTP_HEADER - additional user profile attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user profile attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
    # The user profile attributes to be added to the HTTP header. The
    # specification is of the format ldap_attribute_name|http_header_name[,...].
    # ldap_attribute_name is the attribute in data store to be fetched and
    # http_header_name is the name of the header to which the value needs
    # to be assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
    # Session attributes mode
    # String attribute mode to specify if additional user session attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user session attributes will be introduced.
    # HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
    # HTTP_COOKIE - additional user session attributes will be introduced through cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
    # The session attributes to be added to the HTTP header. The specification is
    # of the format session_attribute_name|http_header_name[,...].
    # session_attribute_name is the attribute in session to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.session.attribute.map=
    # Response Attribute Fetch Mode
    # String attribute mode to specify if additional user response attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user response attributes will be introduced.
    # HTTP_HEADER - additional user response attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user response attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
    # The response attributes to be added to the HTTP header. The specification is
    # of the format response_attribute_name|http_header_name[,...].
    # response_attribute_name is the attribute in policy response to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.response.attribute.map=
    # The cookie name used in iAS for sticky load balancing
    com.sun.am.policy.am.lb.cookie.name = GX_jst
    # indicate where a load balancer is used for Access Manager
    # services.
    # true | false
    com.sun.am.load_balancer.enable = false
    ####Agent Configuration####
    # this is for product versioning, please do not modify it
    com.sun.am.policy.agents.config.version=2.2
    # Set the url access logging level. the choices are
    # LOG_NONE - do not log user access to url
    # LOG_DENY - log url access that was denied.
    # LOG_ALLOW - log url access that was allowed.
    # LOG_BOTH - log url access that was allowed or denied.
    com.sun.am.policy.agents.config.audit.accesstype = LOG_BOTH
    # Agent prefix
    com.sun.am.policy.agents.config.agenturi.prefix = http://sharepoint.lta.mil.se:80/amagent
    # Locale setting.
    com.sun.am.policy.agents.config.locale = en_US
    # The unique identifier for this agent instance.
    com.sun.am.policy.agents.config.instance.name = unused
    # Do SSO only
    # Boolean attribute to indicate whether the agent will just enforce user
    # authentication (SSO) without enforcing policies (authorization)
    com.sun.am.policy.agents.config.do_sso_only = true
    # The URL of the access denied page. If no value is specified, then
    # the agent will return an HTTP status of 403 (Forbidden).
    com.sun.am.policy.agents.config.accessdenied.url =
    # This property indicates if FQDN checking is enabled or not.
    com.sun.am.policy.agents.config.fqdn.check.enable = true
    # Default FQDN is the fully qualified hostname that the users should use
    # in order to access resources on this web server instance. This is a
    # required configuration value without which the Web server may not
    # startup correctly.
    # The primary purpose of specifying this property is to ensure that if
    # the users try to access protected resources on this web server
    # instance without specifying the FQDN in the browser URL, the Agent
    # can take corrective action and redirect the user to the URL that
    # contains the correct FQDN.
    # This property is set during the agent installation and need not be
    # modified unless absolutely necessary to accommodate deployment
    # requirements.
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    # See also: com.sun.am.policy.agents.config.fqdn.check.enable,
    # com.sun.am.policy.agents.config.fqdn.map
    com.sun.am.policy.agents.config.fqdn.default = sharepoint.lta.mil.se
    # The FQDN Map is a simple map that enables the Agent to take corrective
    # action in the case where the users may have typed in an incorrect URL
    # such as by specifying partial hostname or using an IP address to
    # access protected resources. It redirects the browser to the URL
    # with fully qualified domain name so that cookies related to the domain
    # are received by the agents.
    # The format for this property is:
    # com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
    # This property can also be used so that the agents use the name specified
    # in this map instead of the web server's actual name. This can be
    # accomplished by doing the following.
    # Say you want your server to be addressed as xyz.hostname.com whereas the
    # actual name of the server is abc.hostname.com. The browser only knows
    # xyz.hostname.com and you have specified policies using xyz.hostname.com at
    # the Access Manager policy console; in this file set the mapping as
    # com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
    # Another example is if you have multiple virtual servers say rst.hostname.com,
    # uvw.hostname.com and xyz.hostname.com pointing to the same actual server
    # abc.hostname.com and each of the virtual servers have their own policies
    # defined, then the fqdnMap should be defined as follows:
    # com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    com.sun.am.policy.agents.config.fqdn.map =
    # Cookie Reset
    # This property must be set to true, if this agent needs to
    # reset cookies in the response before redirecting to
    # Access Manager for Authentication.
    # By default this is set to false.
    # Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
    com.sun.am.policy.agents.config.cookie.reset.enable=false
    # This property gives the comma separated list of Cookies, that
    # need to be included in the Redirect Response to Access Manager.
    # This property is used only if the Cookie Reset feature is enabled.
    # The Cookie details need to be specified in the following Format
    # name[=value][;Domain=value]
    # If "Domain" is not specified, then the default agent domain is
    # used to set the Cookie.
    # Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
    # token=value;Domain=subdomain.domain.com
    com.sun.am.policy.agents.config.cookie.reset.list=
    # This property gives the space separated list of domains in
    # which cookies have to be set in a CDSSO scenario. This property
    # is used only if CDSSO is enabled.
    # If this property is left blank then the fully qualified cookie
    # domain for the agent server will be used for setting the cookie
    # domain. In such case it is a host cookie instead of a domain cookie.
    # Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
    com.sun.am.policy.agents.config.cookie.domain.list=
    # user id returned if accessing global allow page and not authenticated
    com.sun.am.policy.agents.config.anonymous_user=anonymous
    # Enable/Disable REMOTE_USER processing for anonymous users
    # true | false
    com.sun.am.policy.agents.config.anonymous_user.enable=false
    # Not enforced list is the list of URLs for which no authentication is
    # required. Wildcards can be used to define a pattern of URLs.
    # The URLs specified may not contain any query parameters.
    # Each service has its own not enforced list. The service name is suffixed
    # after "# com.sun.am.policy.agents.notenforcedList." to specify a list
    # for a particular service. SPACE is the separator between the URLs.
    com.sun.am.policy.agents.config.notenforced_list = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
    # Boolean attribute to indicate whether the above list is a not enforced list
    # or an enforced list; When the value is true, the list means enforced list,
    # or in other words, the whole web site is open/accessible without
    # authentication except for those URLs in the list.
    com.sun.am.policy.agents.config.notenforced_list.invert = false
    # Not enforced client IP address list is a list of client IP addresses.
    # No authentication and authorization are required for the requests coming
    # from these client IP addresses. The IP address must be in the form of
    # eg: 192.168.12.2 1.1.1.1
    com.sun.am.policy.agents.config.notenforced_client_ip_list =
    # Enable POST data preservation; By default it is set to false
    com.sun.am.policy.agents.config.postdata.preserve.enable = false
    # POST data preservation : POST cache entry lifetime in minutes,
    # After the specified interval, the entry will be dropped
    com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
    # Cross-Domain Single Sign On URL
    # Is CDSSO enabled.
    com.sun.am.policy.agents.config.cdsso.enable=false
    # This is the URL the user will be redirected to for authentication
    # in a CDSSO Scenario.
    com.sun.am.policy.agents.config.cdcservlet.url =
    # Enable/Disable client IP address validation. This validate
    # will check if the subsequent browser requests come from the
    # same ip address that the SSO token is initially issued against
    com.sun.am.policy.agents.config.client_ip_validation.enable = false
    # Below properties are used to define cookie prefix and cookie max age
    com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
    com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
    # Logout URL - application's Logout URL.
    # This URL is not enforced by policy.
    # if set, agent will intercept this URL and destroy the user's session,
    # if any. The application's logout URL will be allowed whether or not
    # the session destroy is successful.
    com.sun.am.policy.agents.config.logout.url=
    # Any cookies to be reset upon logout in the same format as cookie_reset_list
    com.sun.am.policy.agents.config.logout.cookie.reset.list =
    # By default, when a policy decision for a resource is needed,
    # agent gets and caches the policy decision of the resource and
    # all resource from the root of the resource down, from the Access Manager.
    # For example, if the resource is http://host/a/b/c, the root of the
    # resource is http://host/. This is because more resources from the
    # same path are likely to be accessed subsequently.
    # However this may take a long time the first time if there
    # are very many policies defined under the root resource.
    # To have agent get and cache the policy decision for the resource only,
    # set the following property to false.
    com.sun.am.policy.am.fetch_from_root_resource = true
    # Whether to get the client's hostname through DNS reverse lookup for use
    # in policy evaluation.
    # It is true by default, if the property does not exist or if it is
    # any value other than false.
    com.sun.am.policy.agents.config.get_client_host_name = true
    # The following property is to enable native encoding of
    # ldap header attributes forwarded by agents. If set to true
    # agent will encode the ldap header value in the default
    # encoding of OS locale. If set to false ldap header values
    # will be encoded in UTF-8
    com.sun.am.policy.agents.config.convert_mbyte.enable = false
    #When the not enforced list or policy has a wildcard '*' character, agent
    #strips the path info from the request URI and uses the resulting request
    #URI to check against the not enforced list or policy instead of the entire
    #request URI, in order to prevent someone from getting access to any URI by
    #simply appending the matching pattern in the policy or not enforced list.
    #For example, if the not enforced list has the value http://host/*.gif,
    #stripping the path info from the request URI will prevent someone from
    #getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
    #However when a web server (for example apache) is configured to be a reverse
    #proxy server for a J2EE application server, path info is interpreted in a different
    #manner since it maps to a resource on the proxy instead of the app server.
    #This prevents the not enforced list or policy from being applied to part of
    #the URI below the app server path if there is a wildcard character. For example,
    #if the not enforced list has value http://host/webapp/servcontext/* and the
    #request URL is http://host/webapp/servcontext/example.jsp the path info
    #is /servcontext/example.jsp and the resulting request URL with path info stripped
    #is http://host/webapp, which will not match the not enforced list. By setting the
    #following property to true, the path info will not be stripped from the request URL
    #even if there is a wild character in the not enforced list or policy.
    #Be aware though that if this is set to true there should be nothing following the
    #wildcard character '*' in the not enforced list or policy, or the
    #security loophole described above may occur.
    com.sun.am.policy.agents.config.ignore_path_info = false
    # Override the request url given by the web server with
    # the protocol, host or port of the agent's uri specified in
    # the com.sun.am.policy.agents.agenturiprefix property.
    # These may be needed if the agent is sitting behind a ssl off-loader,
    # load balancer, or proxy, and either the protocol (HTTP scheme),
    # hostname, or port of the machine in front of agent which users go through
    # is different from the agent's protocol, host or port.
    com.sun.am.policy.agents.config.override_protocol =
    com.sun.am.policy.agents.config.override_host =
    com.sun.am.policy.agents.config.override_port = true
    # Override the notification url in the same way as other request urls.
    # Set this to true if any one of the override properties above is true,
    # and if the notification url is coming through the proxy or load balancer
    # in the same way as other request url's.
    com.sun.am.policy.agents.config.override_notification.url =
    # The following property defines how long to wait in attempting
    # to connect to an Access Manager AUTH server.
    # The default value is 2 seconds. This value needs to be increased
    # when receiving the error "unable to find active Access Manager Auth server"
    com.sun.am.policy.agents.config.connection_timeout =
    # Time in milliseconds the agent will wait to receive the
    # response from Access Manager. After the timeout, the connection
    # will be dropped.
    # A value of 0 means that the agent will wait until receiving the response.
    # WARNING: Invalid value for this property can result in
    # the resources becoming inaccessible.
    com.sun.am.receive_timeout = 0
    # The three following properties are for the IIS6 agent only.
    # The first two properties allow setting a username and password that will be
    # used by the authentication filter to pass the Windows challenge when the Basic
    # Authentication option is selected in Microsoft IIS 6.0. The authentication
    # filter is named amiis6auth.dll and is located in
    # Agent_installation_directory/iis6/bin. It must be installed manually on
    # the web site ("ISAPI Filters" tab in the properties of the web site).
    # It must also be uninstalled manually when uninstalling the agent.
    # The last property defines the full path for the authentication filter log file.
    com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
    com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
    com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAuthFilter

    If the agent does not start properly you would always get redirected to com.sun.am.policy.agents.config.accessdenied.url; if that's not specified you will get a 403.
    For the agent itself, check that the naming.url is correct, the agent username and password are correct, and see that the user has privileges to write to the agent log files. Apart from these, post the Windows event logs.
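As an added example (not code from this thread or from the Sun Access Manager agent itself), the following Python model reproduces two of the checks the posted AMAgent.properties comments describe: the FQDN map correction (com.sun.am.policy.agents.config.fqdn.default / fqdn.map) and the not-enforced list evaluation, including the invert flag, the client IP list and the wildcard "path info" stripping that stops http://host/index.html?hack.gif from matching http://host/*.gif. The property parsing and the matching rules are my reading of the comments in the posted file; the real agent is a native ISAPI filter and may differ in details. In particular, the model strips only the query string (the case the file's own example shows), not servlet-style path info, which would need the application's script mapping.

```python
# Added example modelling two checks described in the posted AMAgent.properties.
# Not the agent's own code; parsing and matching rules are assumptions drawn
# from the file's comments.
import re
from urllib.parse import urlsplit, urlunsplit


def parse_pair_list(value):
    """Parse 'a|b,c|d' (the fqdn.map / attribute.map format) into a dict."""
    pairs = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        key, _, val = item.partition("|")
        pairs[key.strip()] = val.strip()
    return pairs


def fqdn_redirect(host, default_fqdn, fqdn_map):
    """Return None if `host` is an acceptable FQDN, otherwise the hostname the
    agent should redirect the browser to.  Assumed semantics: every map value
    is an accepted name (the 'valid|xyz.hostname.com' idiom), a key equal to the
    request host maps it to its corrected name, anything else goes to the
    default FQDN."""
    valid = {default_fqdn} | set(fqdn_map.values())
    if host in valid:
        return None
    return fqdn_map.get(host, default_fqdn)


def _wildcard_regex(pattern):
    """'*' matches any run of characters, everything else is literal.  A URL
    may contain '?', so fnmatch's '?' semantics would be wrong here."""
    pieces = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(pieces) + "$")


def strip_path_info(url):
    """Model of the agent's stripping for wildcard patterns: drop the query
    string so the suffix match runs on the real resource path only.
    Assumption: the real agent's notion of 'path info' may be broader."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def in_list(url, patterns, ignore_path_info=False):
    """True if `url` matches any space-separated pattern in `patterns`."""
    for pattern in patterns.split():
        target = url
        if "*" in pattern and not ignore_path_info:
            target = strip_path_info(url)
        if _wildcard_regex(pattern).match(target):
            return True
    return False


def authentication_required(url, client_ip, notenforced_list, invert=False,
                            notenforced_ips="", ignore_path_info=False):
    """True if the agent must enforce SSO for this request."""
    if client_ip in notenforced_ips.split():
        return False
    listed = in_list(url, notenforced_list, ignore_path_info)
    # invert=true turns the list into an enforced list: only listed URLs need auth.
    return listed if invert else not listed


if __name__ == "__main__":
    # Constructed sample values based on the examples in the posted comments.
    fqdn_map = parse_pair_list("valid|xyz.hostname.com")
    print(fqdn_redirect("xyz.hostname.com", "abc.hostname.com", fqdn_map))  # None
    print(fqdn_redirect("10.0.0.1", "abc.hostname.com", fqdn_map))         # abc.hostname.com

    nel = "http://host/*.gif"
    probe = "http://host/index.html?hack.gif"
    print(authentication_required(probe, "1.2.3.4", nel))                           # True
    print(authentication_required(probe, "1.2.3.4", nel, ignore_path_info=True))   # False
```

The last two lines of the demo are the point of the ignore_path_info warning in the file: with the default (false) the query string is discarded before matching and index.html still requires authentication; with it set to true the full URL matches the *.gif pattern and the page becomes reachable without SSO, which is why nothing should follow the `*` in a pattern when that property is enabled.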
