Using Policy Files

Similar Messages

• Jaas Authorization in jboss without using policy file

  HI,
  i am working on j2ee application in which i am using jaas for authentication and authorization.
  authentication is done but in authorization i dont want to use
  policy file because roles can be added it is not predefined so jaas should refer database for roles names and permissin i.e action class(URL permission) that are accesible to the user.
  how to implement this using jaas?
  pl can u help me to solve this problem.

  Has anyone ever implemented a simple web page authorization with Jaas?
  Please do help me by posting a sample code
  or suggest me a better security tool to use

• Signing Applets..Policy File

  Hi All,
  I have developed a Applet to read from local hard disk file. I have signed it. Regarding policy file i hv sm confusion.wihtout policy file also it is working. Isn't must to use policy files. If it is must how and where i will install it on other remote machines.
  Reg Certificates, whether we hv to manually give a link in our html. or anyother way is there to let IE automatically pop up that "Plugin Window" asking abt certficate(Grant,deny..\)
  Lemme me know the details..

  I have followed the instuction and signed all other libraries and I have encountered a runtime error in IE.
  The title of the message is Microsoft Visual C++ Runtime Library.
  The content is
  Runtime error!!
  Program: C:\program files\internet exploer\iexplorer.exe
  Abnormal program termination.
  I have tested serval version of IE and Java plug-in. It include:
  IE 6.0 sp1 with JRE 1.3.1_10
  IE 6.0 sp1 with JRE 1.3.1_06
  IE 5.5 sp2 with JRE 1.3.1_05
  Could someone can help me? Thanks!!

• Signed applets (are policy files needed!)

  I have experienced on a number of different machines that a signed applet that the client trusts (via clicking on yes to the prompt asking to trust the applet), is able to access the local resources with NO policy file on the client machine. I'm using JRE 1.4.1_02
  Is this the expected behavior?
  I sure hope it is because how in the world can you install applications to many clients and update their policy file? you can't via the web! BUT why am I reading that you have to have a policy file even if you sign an applet. I want to get rid of using Netscape security model but I can not update many client machine policy files... Please help!!! thanks. Is signing an applet all you have to do to access local machines, I sure hope so! Thanks in advance.

  I've done some more research specifically a very good article at http://developer.java.sun.com/developer/technicalArticles/Security/applets/index.html. I'll try to highlight the more interesting comments that I found. At least for the JRE 1.3 there appears to be a new class loader, sun.plugin.security.PluginClassLoader that allows a signed jar file (once trusted by the client) to have access to local resources.
  Code signed using the private key of the signer can be run on client machines once the public key corresponding to the signer is deemed as trusted on the respective machine.
  Applet security in browsers strives to prevent untrusted applets from performing potentially dangerous operations, while simultaneously allowing optimal access to trusted applets.
  There is no simply way to deploy and use customized policy files, a policy will have to be set by files based on the JRE installation. Customized class loaders or security managers cannot be installed easily.
  Policy files are difficult or at least not very straightforward for normal users, which could be thousands of machines where an applet is deployed.
  The java plug-in (I believe its 1.3 and later) provides a workaround although its recommended to use policy files wherever practical and applicable. (This implies to me that using the plug-in, all that is required is to sign the jar file to have access to local resources).
  RSA-signed applets can be deployed using the Java plug-in. (which can run in an identical way for Netscape and IE).
  In order for a plug-in enhanced browser to trust an applet and grant it all privileges or a set of fine-grained permissions (as specified in a J2EE policy file), the user has to preconfigure his or her cache of trusted signer certificates (the .keystore file in JRE 1.3) to add the applet's signer to it. However, this solution does not scale well if the applet needs to be deployed on thousands of client machines, and may not always be feasible because users may not know in advance who signed the applet that they are trying to run. A NEW CLASS LOADER, sun.plugin.security.PluginClassLoader in the Java Plug-in 1.3, OVERCOMES THE LIMITATIONS MENTIONED ABOVE.
  I hope this helps, I've been looking for this solution for quite some time, trying to understand why singed applets work with no policy files for version 1.4... Talk to you later, Jay.

• Associating policy files with license server

  [ Problem ]
  I’m going through the sample and documentation for FA 2.0.  It mentions that whenever a policy is created/updated that the license server has to be informed.  In the reference implementation, there are the model usage policy samples that I see being loaded.  In the non-refimpl of flash access, how does the license server load/know about the policies available?  I looked at the sample flashaccess-tenant.xml, I didn’t see any section where policy files are configured.  Would it have to be done outside of the app?
  [ Solution ]
  If you update a policy after it was used to package content, and you want the new policy to be used when the user requests a license for that content, the license server needs access to the latest version of the policy. 
  In the Reference Implementation, there are two modes demonstrating possible business logic implementations (but of course, you may choose a different approach in your implementation).  The typical workflow for the Reference Implementation is that it will use the policy that was embedded at packaging time to generate the license.  If more than one policy was embedded, it will try each one in order until it is able to successfully generate a license (for example, if the first policy requires authentication and the user did not authenticate, the server will try the second policy in the list.  If the second policy allows anonymous access (possibly with more restrictions), it will generate a license using that policy.  The Reference Implementation supports updating policies through a Policy Update List.  The Policy Update List would be generated when a policy is updated, and contains the latest version of any policy that has changed.  If you point the server to a Policy Update List in flashacccess-refimpl.properties, the Reference Implementation server will automatically check this list for updates any time it issues a license.  Alternatively, if you had an implementation that stores all your policies in a database, you could implement your server to check the database for an updated policy before issuing a license.
  As you mentioned, there is another mode which demonstrates four different usage models and uses policy files stored on the server to determine what the license will look like.  In this "demo" mode, the server only looks at the policies used at packaging time to determine if anonymous access is allowed or if authentication is required.  The rest of the attributes used to generate the license come from one of the four policy files configured on the server (see the "Implementing the usage models" section of Protecting Content for more details). 
  The License Server for Protected Streaming addresses a slightly different use case (see Flash Access Server Deployment Guide for details).  Here, we expect the minimum policy information to be specified at packaging time, and the license server determines the actual usage rules for generating the license.  In the PolicyOverrides section of flashaccess-tenant.xml, you specify the usage rules (license caching, output protection, etc.).  The license server ignores the policy embedded during packaging and only uses the attributes in the tenant configuration file.  If you want to update the usage rules, you simple modify the tenant configuration file -- in this case there is no separate policy file.

  anu1106 wrote:
  I replaced all files under folder Java\jdk1.6.0_10\jre\lib\security with files which i am using on windows XP.Why? Why not just install the unlimited strength files in the normal way according to the installation instructions given in the distribution file?

• Unable to create access to file in .policy file

  I'm trying to grant permission to a specific file in the file system by granting permission in the .policy file.
  When I uncomment the line permission java.security.AllPermission; the code works fine and interacts with the file correctly. This is just to prove that the code works, I need to tighten this up to a single file.
  When I use the following, I get an exception, shown below. Nothing of consequence is being written to the logs
  grant {
    permission java.io.FilePermission "C:/test/essbase/CalcProfile.db", "write, read";
  java.security.AccessControlException: access denied (java.io.FilePermission C:\esstest\Server\PlugIns\Essbase read)
       at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
       at java.security.AccessController.checkPermission(AccessController.java:546)
       at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
       at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
       at com.hyperion.essbase.calculator.ESecurityManager.checkRead(ESecurityManager.java:80)
       at java.io.File.exists(File.java:731)
       at org.sqlite.Conn.open(Conn.java:98)
       at org.sqlite.Conn.<init>(Conn.java:57)
       at org.sqlite.JDBC.createConnection(JDBC.java:77)
       at org.sqlite.JDBC.connect(JDBC.java:64)
       at java.sql.DriverManager.getConnection(DriverManager.java:582)
       at java.sql.DriverManager.getConnection(DriverManager.java:207)
       at com.accelatis.essbase.calcprofile.cdf.CalcComment.calcComment(CalcComment.java:16)I've tried creating the policy using PolicyTool, same result. However, I have no idea what or if I should put in the "CodeBase" field.
  Has anyone had success creating read & write permissions to a single file using .policy file? What is the magic syntax?
  Regards,
  Robb Salzmann
  Edited by: Robb Salzmann on Sep 22, 2011 11:38 AM

  >
  I have heard that there's a tendency for people to only read the first sentence of a post, so I will restrict this to just one sentence.
  >
  Wow, A little sharp doncha think?
  While I didn't write about it, I did check your link. Thank you, that got me over the hump.
  For anyone else who might stumble upon this thread, here's what I got to work:
  grant{
     permission java.security.AllPermission "C:\\test\\essbase\\CalcProfile.db", "read, write";
  };Regards,
  Robb Salzmann

• Can I use policy to grant permission for my Applet?

  Hi,
  I want to know if I can use policy files to grant my applet permissions which are loaded from browser , like
  grant codebase "file :http://host/port" {permission java.security.AllPermission;}
  If anyone knows, please let me know. Thanks.
  Michael

  Yes, you can.
  Under Windows NT the policy file is in C:\WINNT\Profiles\USERNAME\.java.policy, in Windows 9x is in c:\windows\.java.policy
  HTH,
  Bruno.

• How do you use .wsse policy file from Java Client?

  I'd like to call a WSSE enabled web service from my Java client but setup my encryption/signing requirements with a .wsse policy file.
  I know how to call a web service by programmatically setting up the security headers as described in:
  http://e-docs.bea.com/workshop/docs81/doc/en/core/index.html
  But how can I do the same thing by simply using a .wsse file?

  import java.awt.*;
  import java.applet.Applet;
  import java.awt.event.*;
  import java.net.*;
  public class links extends java.applet.Applet {
     Panel panel = new Panel();
     public links(){
        super();
        add(panel);
        Link link = new Link(this,"Answers for programmers;- ","http://forum.java.sun.com");
        panel.add(link);
     public void init(){
        setVisible(true);
     public class Link extends Label implements MouseListener {
        Applet applet;
        Color fcolor = Color.blue;
        Color lcolor = Color.pink;
        String text;
        String word;
     public Link(Applet ap, String s, String s1){
        super(s);
           this.applet = ap;
           this.text = s;
           this.word = s1;
           addMouseListener(this);
        setForeground(fcolor);
     public void paint(Graphics g){
     super.paint(g);
        if (getForeground() == lcolor){
           Dimension d = getSize();
           g.fillRect(1,d.height-5,d.width,1);
     public void update(Graphics g){paint(g);}
     public void mouseClicked(MouseEvent e){
        try{
           URL url = new URL(word);
           applet.getAppletContext().showDocument(url,"_self");
        catch(MalformedURLException er){ }
     public void mouseEntered(MouseEvent e){
        setForeground(lcolor);
        setCursor(Cursor.getPredefinedCursor(Cursor.HAND_CURSOR));
        repaint();
     public void mouseExited(MouseEvent e){
        setForeground(fcolor);
        setCursor(Cursor.getDefaultCursor());
        repaint();
  public void mousePressed(MouseEvent e){}
  public void mouseReleased(MouseEvent e){}
     public static void main (String[] args){
        new links(); 
  }

• How to use a custum permission in the .policy file

  Hi,
  I am stuck with the problem of having a custum permission that extands java.security.BasicPermission.
  I really want this permission to be checked from my .policy file, but when I try to include its location : c:\java_project\server\SpecialPolicy.class
  it pops a message that file is not found. I have tried dots, different slashes (back and forward) and still have no luck. I need this custum permission to be checked so that I can allow special access from a certain codebase so that say if I try a dangerous method I can just simply check in the code;
  this.getSecurityManager.checkPermission(new SpecialPermission("lol"));
  Also I need a paramater option, but I cant think of any since its not a FilePermission that takes a name and attributes (read, write..) what does BasicPermission take and if I extend it what attribute should I pass in. I dont really care about how this permission works, i just use it to restrict access to a certain functions in code that are ran from specific codeBAse.
  Please dont ask why I need this :)
  Thanks in advance, the documentation on how to add custum policies is simply NOT THERE. thus I have to bug people around.

  Hi
  If you just have to add another permission it is easy.
  Create a class extending the BasicPermission. Have an entry into
  the policy file like
  grant <Principal> {
  permission <CumstomPermission> "lol"
  }that should be all. If you do have a specific Principal, please
  do not forget to add the Principal to the relevant Subject after login.
  cheers
  Projyal

• SOA BPEL 11g (11.1.1.3.0) - Using encapsulated retries in fault-policy file

  Hi,
  We are using oracle SOA suite 11g (11.1.1.3.0)
  I'm trying to configure a fault-policy file so that it first retries 20 times every 20 secs, then reties 20 times every 10 minutes, then retries 23 times every hour, then retries 24 times every 6 hours and if the fault persists call a java action to send an email and then go to human-intervention. It seems however that only the first retry is executed. The rest ones are ignored and the action following the first retry failure is the Java Action. The fault-policy is as follows:
  <?xml version="1.0" encoding="UTF-8"?>
  <faultPolicies xmlns="http://schemas.oracle.com/bpel/faultpolicy">
  <faultPolicy version="0.0.1" id="TransferResponsibilityRequestProcessFaults"
  xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.oracle.com/bpel/faultpolicy"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Conditions>
  <faultName xmlns:freeze="http://rom/cosmote/bpel/webservice/util" name="freeze:BpelWSFault">
  <condition>
  <action ref="ora-human-intervention"/>
  </condition>
  </faultName>
  <faultName xmlns:retry="http://rom/cosmote/bpel/webservice" name="retry:PendingRequestsFault">
  <condition>
  <action ref="ora-retry-20sec"/>
  </condition>
  </faultName>
  </Conditions>
  <Actions>
  <Action id="ora-retry-20sec">
  <retry>
  <retryCount>10</retryCount>
  <retryInterval>20</retryInterval>
  <retryFailureAction ref="ora-retry-10min"/>
  </retry>
  </Action>
       <Action id="ora-retry-10min">
  <retry>
  <retryCount>10</retryCount>
  <retryInterval>600</retryInterval>
  <retryFailureAction ref="ora-retry-1hour"/>
  </retry>
  </Action>
  <Action id="ora-retry-1hour">
  <retry>
  <retryCount>23</retryCount>
  <retryInterval>3600</retryInterval>
  <retryFailureAction ref="ora-retry-6hour"/>
  </retry>
  </Action>
       <Action id="ora-retry-6hour">
  <retry>
  <retryCount>24</retryCount>
  <retryInterval>21600</retryInterval>
  <retryFailureAction ref="ora-java"/>
  </retry>
  </Action>
  <Action id="ora-java">
  <javaAction className="gr.cosmote.bpel.util.JavaActionInCaseOfRetryFails"
  defaultAction="ora-human-intervention">
  <returnValue value="RETURNED" ref="ora-human-intervention"/>
  </javaAction>
  </Action>
  <Action id="ora-human-intervention">
  <humanIntervention/>
  </Action>
  </Actions>
  </faultPolicy>
  </faultPolicies>
  Is retrying with various intervals only done by using the tag <exponentialBackoff/>?
  Thanks for any response.

  I had a similar requirement, although not as elaborate as yours. After I failed to figure it out myself I filed a SR. Basically, you cannot restart a retry block after the first execution to avoid an infinite loop.
  If you need to send the e-mail after the 23rd hour, why not just retry until the 23rd hour and send an e-mail?

• Can using BouncyCastle be an alternative to installing the policy files?

  Hey, sorry if this is a dumb question but I have been looking into this all day.
  I want to write a program that incorporates unlimited strength encryption, but installing the JCE Unlimited Strength Jurisdiction Policy Files is not an option (I can do it on one of the development machines, but I don't have write access to JAVAHOME on the other, and I can't expect every user of the program to install these files).
  Now I know that if I specify BouncyCastle as a provider when using JCE, I still have to install the above files... but what if I don't use JCE and I use the algorithms provided (handily without any form of documentation whatsoever) by BouncyCastle - can this be a workaround? I've heard conflicting views on this.
  If this isn't the case, can anyone please point me in the right direction of what I could do instead? Ie. if there was some way to include these files in the classpath rather than actually install them.
  Also, if using BC is a solution to problem, I would really appreciate it if anyone has such an example of AES-256 encryption and decryption with CBC and padding that they could point me in the direction of, I am having a real issue figuring out the BC API.
  Thank-you so much if you can help me.

  As long as you use the BouncyCastle lightweight crypto API rather than the JCE you should not encounter any of the JCE's restrictions. This means you cannot use Cipher.getInstance("Whatever/ABCCBC/TooMuchPadding", "BC"). Just include the lightweight api jar in your class path; the source is here: http://www.bouncycastle.org/download/lcrypto-jdk1<whatever>-139.zip
  I haven't played with bouncycastle in awhile, but I think something like this will get you started:
  BlockCipher aes = new AESEngine();
  CBCBlockCipher aes_cbc = new CBCBlockCipher(aes);
  byte [] key = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}; // 16 bytes for AES-128
  CipherParameters params = new KeyParameter(key);
  aes_cbc.init(true, params);
  //...

• Problems using codeBase in policy file

  Hi,
  I'm experiencing problems using the codeBase option with the grant option in my .policy file.
  I want to start a 'manager' which has limited access to files. This manager starts workers (threads) who need complete access to... everything. I know I need to use the codebase identifier to separate those two groups of rights, but I don't seem to get the codebase right. The worker threads don't get any rights at all. The manager works fine (without any codebase definition).
  I've used full and relative pathnames, with and without '/-' or '/*'
  The file I use currently is (slightly truncated :), pathnames are package names:
  grant codeBase "file:com/response/timber/broker/*" {
  permission java.security.AllPermission;
  grant {
  permission [..].FilePermission "manager.properties","read";
  permission [..].SocketPermission "localhost","connect,[..]";
  permission [..].FilePermission "com/[..]/jaxb.properties","read";
  According to the various examples on the Internet, it should work, but ofcourse it doesn't. Could the use of threat have any influence on the defined security?

  All I can say is I hope someone gives you
  (and indirectly me) the answer. I've got a
  serious problem granting special permissions
  in Sun ONE to a servlet and it's jars.
  One strange thing (to me), is that the format
  for the .policy file seems quite different between
  say Tomcat and Sun One. Things that work in Tomcat
  don't work for Sun ONE. But I thought the underlying
  vm et al was all the same! So did I... Why does
  this have to be so Opaque? Why different syntax
  platform to platform? Its all Java!

• How to create an application-specific policy file?

  Hi Everybody:
  I'm a .NET developer with C #. I have a few applications currently running on my computer using the ODP 10.1
  Two weeks ago I installed on my computer the ODP 10.2 Release & now my previous applications have stopped working: when I try to make the connection to the database gives me this exception:
  OraOLEDB (0x80004005)
  ORA-12154: TNS: could not resolve the connect identifier specified
  In FAQ section for ODP.NET I found the next:
  Q: I have two .NET applications on the same machine running two different versions of ODP.NET. How do I ensure both these applications use the correct ODP.NET version?
  A: Beginning with ODP.NET 10.1.0.3, the Oracle installer will register the following publisher policy DLLs in the Global Assembly Cache (GAC) that redirect 9.2, 10.1 and 10.2 ODP.NET applications to use the last installed version of ODP.NET: Policy.9.2.Oracle.DataAccess.dll and Policy.10.1.Oracle.DataAccess.dll.
  ODP.NET 9.2 includes just the first policy DLL above. These policy files ensure that all your ODP.NET applications use the most recently installed version of ODP.NET.
  You may undo the redirection manually. Policy DLLs can be de-installed through gacutil.exe using the /u option. Another approach is to navigate to the GAC directory (i.e. C:\WINNT\assembly) through the Windows Explorer and delete the policy folders. That will eliminate any policy enforcement for all your ODP.NET applications.
  If you have applications on the same machine using different ODP.NET versions, you should create an application-specific policy file.
  I'm trying to do that, but I don't know what is an application-specific policy file. Someone can give me an example of How can I create and application-specific policy file???
  Regards

  Hi,
  Binding redirection is a ".net thing" as opposed to a "odp.net thing", see if this helps:
  http://msdn.microsoft.com/en-us/library/7wd6ex19(VS.71).aspx
  Hope it helps,
  Greg

• Server.policy file

  The ejb I am developing is trying to delete the following file from a local filesystem (Linux SuSE 9.3 Pro) : /path/to/file/delete.me I get the following exception:
  java.security.AccessControlException: access denied (java.io.FilePermission /path/to/file/delete.me delete)
  at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
  at java.security.AccessController.checkPermission(AccessController.java:427)
  at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
  at java.lang.SecurityManager.checkDelete(SecurityManager.java:990)
  at java.io.File.delete(File.java:869)
  I tried to modify the server.policy file adding the following line:
  permission java.io.FilePermission "/path/to/file/delete.me", "delete";
  but nothing changes, even when I restart the application server (don't know even if it is necessary to restart). I am using Sun Java System Application Server Enterprise Edition 8.1. Any help is welcome...
  Thanks in advance
  null

  I think I solved the problem. At least I managed to delete the file :-)
  First I had to add the following line to JRE's java.policy file:
  permission java.io.FilePermission "/path/to/file/delete.me", "delete";Then I added the following entry to the server's server.policy file:
  grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-apps/MyApp-" {
    permission java.io.FilePermission "/path/to/file/delete.me", "delete";
  };like described here:
  http://docs.sun.com/app/docs/doc/819-3659/6n5s6m58n?a=view#beabz
  I hope this could help to someone with the same problem

• Problem fetching policy-file-request

  According to
  http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_print.html
  quote:
  * A SWF file may no longer make a socket connection to its
  own domain without a socket policy file. Prior to version
  9,0,115,0, a SWF file was permitted to make socket connections to
  ports 1024 or greater in its own domain without a policy file.
  * HTTP policy files may no longer be used to authorize
  socket connections. Prior to version 9,0,115,0, an HTTP policy
  file, served from the master location of /crossdomain.xml on port
  80, could be used to authorize a socket connection to any port 1024
  or greater on the same host.
  So with the tighter security measures, a policy file has to
  be fetched on port 843 or on the same port on which a connection is
  desired. That leads to another problem. The policy file request
  made by the player has a simple format: clear text
  <policy-file-request/> is sent as raw data bytes on
  the ports.
  As most firewalls block such raw data traffic (of unknown
  protocols) on all the ports, this means that the policy file fetch
  will fail almost always if the user is behind any firewall.
  This will render all SWFs, that do not use well known ports,
  unusable. Does anyone know what is the solution to this
  problem? Or am I missing something here?

  Common guys, someone has to know what to do here.
  I have read all that I can read and tried all that I could
  and the flash app is not accepting my policy file.