From: Charlie Lai <charlie@angeles.eng.sun.com>
Message-Id: <199908121930.MAA19011@angeles.eng.sun.com>
Subject: Re: RMI Permissions with applets
To: cbennett@steelcase.com
Date: Thu, 12 Aug 1999 12:30:57 -0800 (PDT)
In-Reply-To: <19990812030713.2442.qmail@hotmail.com> from "Chris Bennett" at Aug 11, 99 08:07:12 pm
> I have an excellent working RMI (3 tier) app on a corporate intranet with IE
> 4 and the Java plug-in. My problem is that I have had to modify each new
> client's policy file. I have hundreds of clients. Am I missing something
> or is this really the correct way to allow permissions??? Is there a way to
> prompt the user for permission and have the policy file automatically
> created / modified???
There are two potential solutions:

First, in JDK 1.2.2:

    http://developer.java.sun.com/developer/earlyAccess/j2sdk122/index.html

we have added the following new features to the Plug-in, which
will allow you to grant all permissions to an applet whose
signature has been verified and authenticated, without you having to
set up any policy/keystore files:

If your applet is signed, and the permissions granted to it
do not include the "usePolicy" RuntimePermission (note that
this permission is not granted by default),
we will verify the entire applet certificate chain.
Verification will go all the way up to the Root CA of the chain
and check if that Root CA is contained in
your browser's (native) database of trusted Root CAs.
If so, the user will be prompted if they want to grant the special
"AllPermission" (which implies every other single permission)
to the applet. In this case, the policy will be bypassed
altogether (binary policy decision).

Alternatively, you can modify all your client JRE's
lib/security/java.security files, and point them at a single policy URL.
The java.security file has an entry:

    policy.url.1=URL

'URL' is the URL for the policy.
If all your clients share the same policy, you can point them
at the same URL. By default there may already be multiple
policy.url entries. If appropriate, you may remove the extra
entries.
Hope this helps.
thanks,
charlie
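
An added example, not part of the original message: a small Python check an administrator could run over each client's java.security after pointing it at the shared policy, reporting which policy.url entries the JRE will actually load. It relies on the default policy loader reading policy.url.1, policy.url.2, ... and stopping at the first missing number; the intranet URL and the sample file contents are constructed placeholders.

```python
import re

# Constructed sample: a client java.security after a hand edit. The central
# policy URL is a placeholder, not a value from the original message.
SAMPLE = """\
# java.security (excerpt, constructed)
policy.url.1=http://intranet.example/policy/rmi-client.policy
#policy.url.2=file:${user.home}/.java.policy
policy.url.3=file:${java.home}/lib/security/java.policy
"""

_ENTRY = re.compile(r"^\s*policy\.url\.(\d+)\s*=\s*(\S+)\s*$")


def policy_urls(text):
    """Return {n: url} for every uncommented policy.url.n line."""
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):
            continue  # properties-file comment
        m = _ENTRY.match(line)
        if m:
            found[int(m.group(1))] = m.group(2)
    return found


def audit(text, expected_url):
    """Split entries into those the JRE loads and those it never reads.

    The loader starts at policy.url.1 and stops at the first missing
    number, so entries after a gap are silently ignored.
    """
    found = policy_urls(text)
    effective, n = [], 1
    while n in found:
        effective.append(found[n])
        n += 1
    ignored = [url for k, url in sorted(found.items()) if k >= n]
    # Any loaded policy other than the shared one can add grants per client.
    unexpected = [u for u in effective if u != expected_url]
    return {"effective": effective, "ignored": ignored, "unexpected": unexpected}


if __name__ == "__main__":
    report = audit(SAMPLE, "http://intranet.example/policy/rmi-client.policy")
    for key, urls in report.items():
        print(f"{key}: {urls}")
```

An entry listed under "ignored" means the numbering has a gap; an entry under "unexpected" means that client still merges a local policy file with the shared one.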