Policy File Syntax & Security Architecture

Jeffrey Hyson (jeff@abstract-engineer.com)
Mon, 30 Nov 1998 20:07:21 -0000

Hello:

I hope you can find a few moments to reply to this message :-)

I basically have 2 simple yes or no questions and 1 chained question
regarding Policy File Syntax and Security Architecture.

>From the documentation policy file syntax is:

grant signedBy "signer_names", codeBase "URL" {
permission permission_class_name "target_name", "action",
signedBy "signer_names";
...
permission permission_class_name "target_name", "action",
signedBy "signer_names";
};

Q1: I can create my own set of application permissions embed them in the
policy file and then perform an application check via
PermissionCollection.implies(Permission permission) to see if the applet or
application has permission? Yes or No?

I believe the answer is yes but I would like confirmation.

Q2: Without changing the default Policy object supplied by Sun, I would
like to know if the implementation supports adding additional items to the
Domain (signedBy - certificates & codeBase - URL) item? Yes or No?

For instance:

grant signedBy "SunKey", codeBase "http://www.abc.com", newItem "value" {
...
};

I believe the answer is no but I would like confirmation.

Q3: If the answer to Q2 is no does the architecture support the possibility
to achieve the above results by replacing the default Policy object with my
own? Yes or No?

I believe the answer is Yes but I would like confirmation.

If yes then doesn't this also imply I must subclass CodeSource and place my
new data in this class? Which default/system classes are calling
Policy.getPermissions(CodeSource codesource) can I subclass these and/or
replace them to achieve my goals?

Btw can I subclass from a class without the source code - only byte code?

Regards,

Jeff