Working with MS VM
 In this topic

*Overview

*Using CPrmEdit

*Editing Permission Sets

 

Tools    PreviousToolsNext
Custom Permission Editor     Previous Tools Next

 

Overview

The cprmedit tool enables you to edit Java permissions for specific security zones using a graphical user interface. The permissions set by cprmedit are recognized by Microsoft® Internet Explorer 4.0 and later. The user interface presented by the cprmedit tool is similar to the dialog boxes in Internet Explorer 4.01 that enable administrators to set security options.


Using CPrmEdit

To run the Custom Permission Editor, type cprmedit on the command line. The Custom Permission Editor dialog box will appear. To edit the permissions for a particular zone, choose one of the zones listed in the drop-down list box. For each zone, there are three sets of permissions that you can edit.

Permission SetDescription
Unsigned PermissionsPermissions that are granted to unsigned content.
Trusted Signed Permissions Permissions (requested by signed content) that do not require user approval.
Untrusted Signed Permissions Permissions (requested by signed content) that require user approval or permissions that are absolutely denied.

Each permission set has its own area in the dialog box, and each area contains check boxes and buttons that are used to define the group. The following paragraphs explain how you can use these check boxes and buttons to define a permission set.

Unsigned Permissions

When editing Unsigned Permissions, you can select the "Unsigned content is fully trusted" check box to give all permissions to unsigned content. However, this setting is not recommended because damaging content could be run on your computer. If you do not select this check box, you can select the Edit button to specify a set of permissions to give to unsigned content.

Trusted Signed Permissions

Similarly, for Trusted Signed Permissions, you can select the "Grant all permissions requested by signed content" check box to give signed content all requested permissions. (This setting is not recommended either.) If you do not choose this check box, you can select the Edit button to specify a set of permissions to give to the Trusted Signed Permissions group.

Untrusted Signed Permissions

When editing the Untrusted Signed Permissions group, you must choose a radio button to indicate whether the group of untrusted signed permissions is a group that causes the user to be queried or causes the signed content to be refused. The following table explains the meaning of the two buttons.

Button NameDescription
Ask for approval of untrusted permissions Indicates that if the content is signed and the requested permission set is not a subset of the Trusted Signed Permissions group and the requested permission set is a subset of the Untrusted Signed Permissions set, then the user will be queried. Signed content requesting any other permission set that is not a subset of the Trusted Signed Permission set is automatically refused.
Refuse untrusted permissions without asking Indicates that if the content is signed and the requested permission set is not a subset of the Trusted Signed Permissions group, then if the requested permission set is a subset of the Untrusted Signed Permissions group, the content is automatically refused. The user is queried if any other permission set is requested.

If you choose the "Apply to all permissions not specifically allowed" check box, all permissions are included in the Untrusted Signed Permissions group. Any permission set that is not a subset of the Trusted Signed Permissions group will be queried or denied based on the setting of the radio button. Specifically, one of the following results will occur, depending on which radio button you selected.

Button SelectedResult
Ask for approval of untrusted permissionsThe user will be queried about all signed content that requests a permission that is not in the Trusted Signed Permissions group
Refuse untrusted permissions without asking Signed content will be automatically refused if a requested permission is not in the Trusted Signed Permissions group

If you do not select the "Apply to all permissions not specifically allowed" check box, you can select the Edit button to specify a set of permissions to give to the Untrusted Signed Permissions group.


Editing Permission Sets

To edit a set of permissions, select the Edit button in the area designated for the permission set you are interested in. The Edit Custom Permissions dialog box appears. There are seven tabs on this box, each of which indicates permissions that can be edited.

Tab NamePermission Description
FileThe ability to read, write, or delete files.
RegistryThe ability to read, write, delete, create, or open keys in the registry.
NetworkThe ability to connect or bind to various hosts or ports on the network.
Client ServicesThe ability to access client storage, perform user-directed file I/O, access user interface functionality, print, use multimedia libraries, and access security classes.
SystemThe ability to run programs, access system properties, manipulate threads, and redirect system streams.
ReflectionThe ability to access public or declared members of a class, based on the class loader.
CustomThe ability to use a non-system permission designed by the user.

Choose the tab for the permission that you want to edit.

To edit a permission, Select the access types from the drop-down list boxes and fill in the text boxes to indicate parameters for the permission. For File, Registry, and Network permissions as well as property and execution permissions under the System tab, you can use the asterisk (*) and the question mark (?) as wildcard characters in any text box. For property and execution permissions, you can use the semicolon (;) as a delimiter.

You can use the Medium, High, or Clear button to set all the permissions in the set to a Medium security setting, High security setting, or to clear the permission settings, respectively. Be aware that using the Medium, High, or Clear button affects all of the permissions, not just the currently selected Tab. Any previous edits to the permissions will be erased and reset to Medium, High, or Clear. You can navigate between permissions by selecting the Tab buttons.

When you have finished editing a set of permissions, select OK. This returns you to the Custom Permission Editor dialog box. You can edit another permission group if you want to. To save the chosen settings but continue to edit other permission settings, select the Apply button. To save the settings you have chosen and close the dialog box, select OK. To quit without saving your settings, select the Cancel button.

The following reference section lists each permission tab and explains in further detail how to edit the permissions under that tab.

File

Select the access type that you want to edit from the drop-down list box. This can be Read, Write, or Delete. To add file that you want to include, in the Include files text box, enter the name of the file (or a pattern that uses * and/or ?). Then select the Add button. For example, if you want to add read permission for all files ending in .doc, you would select Read from the drop-down list box, type *.doc in the Include files text box, and then select the Add button.

To add a file that you want to exclude, in the Exclude files text box, enter the name of the file (or a pattern that uses * and/or ?). Then select the Add button.

To remove a file, select the name of the file from the included or the excluded file list, and then select the Remove button.

Repeat this process until you have added or removed the appropriate included or excluded files from the access types.

Registry

Select the access type from the drop-down list box. This can be either Read, Write, Delete, Create, or Open. To add a key that you want to include, enter the name of the key (or a pattern that uses * and/or ?) in the Include keys text box. Select the Add button.

To add a key that you want to exclude, enter the name of the key (or a pattern that uses * and/or ?) in the Exclude keys text box. Select the Add button.

To remove a key, select the name of the key from the included or the excluded key list, and then select the Remove button.

Repeat this process until you have added or removed the appropriate included or excluded keys from the access types.

Network

Select the access type from the drop-down list box. This can be either Connect, Bind, Multicast, or Global Ports.

To add a host to include, enter the name or the IP address in the host text box. You can specify a list of single ports, port ranges, or both by entering them in the Include Ports text box, separated by commas. For example, 27-80, 95, 100-102 would be a valid list of ports. With the Multicast access type, you can only specify the host. If you have chosen the Global Ports access type, you can only specify the ports, not the host. Select the Add button.

To add a host to exclude, enter the host name or the IP address in the Exclude host text box. You can enter the list of ports and port ranges in the Exclude Ports text box, separated by commas. Select the Add button.

To remove a host or port, select the name of the host or port from the included or excluded list, and then select the Remove button.

Repeat this process until you have added or removed the appropriate included or excluded hosts or ports from the access types.

Client Services

Client Storage

To modify the amount of storage allowed for client storage, you can enter a new number of kilobytes in the "Storage Limit" check box.

To make client storage exempt from global storage limits, select the "Exempt from global storage limit" check box. To allow access to roaming files, select the "Access to roaming files" check box.

Miscellaneous

You can allow or deny access to printing services by selecting or clearing the "Access to printing services" check box.

You can allow or deny access to multimedia libraries by selecting or clearing the "Access to multimedia libraries" check box.

You can allow or deny access to security classes by selecting or clearing the "Access to security classes" check box.

User Directed File I/O

To allow or deny user-directed read access to files, select or clear the "Read access" check box.

To allow or deny user-directed write access to files, select or clear the "Write access" check box.

User Interface Restrictions

To allow or deny the creation of file dialog boxes, select or clear the "Create file dialogs" check box.

To allow or deny the creation of top-level windows, select or clear the "Create top level windows" check box. If you allow top-level window creation, you can enable or disable the applet warning banner by clearing or selecting the "Turn off applet warning banner" check box.

To allow or deny access to the Clipboard, select or clear the "Clipboard access" check box.

System

System Property Access

To allow access to specific system properties, enter the name of the property or properties (or a pattern that uses an asterisk (*) or a question mark (?)) in the Include properties text box, separating property names with semicolons (;).

To deny access to specific system properties, enter the name of the property or properties (or a pattern that uses an asterisk (*) or a question mark (?)) in the Exclude properties text box, separating property names with semicolons (;).

To allow access to properties that are described by a particular suffix, enter the suffix in the Suffixes text box. For instance, entering the "applet" suffix would allow access to a system property "X" if the system property "X.applet" exists and is set to true.

To allow or deny unrestricted access to system properties, select or clear the "Unrestricted Access" check box.

Thread Access

To allow or deny access to Thread objects, select or clear the "Thread objects" check box.

To allow or deny access to Thread group objects, select or clear the "Thread group objects" check box.

Execution Access

To allow specific files to be executed, enter the name of the file in the Include text box. You can use the asterisk (*) or the question mark to indicate a pattern. For instance, you could allow all files beginning with "my" to be executed by entering my* in the text box. Similarly, you could allow all files that have "j" as the second character to be executed by entering ?j* in the text box.

To deny the right to execute specific files, enter the name of the file in the Exclude text box.

To allow or deny the right for all applications to be executed, select or clear the "Unrestricted execution of applications" check box.

System Stream Redirection Access

To allow or deny the ability to redirect the standard system input stream, System.in, select or clear the "Standard input stream" check box.

To allow or deny the ability to redirect the standard system output stream, System.out, select or clear the "Standard output stream" check box.

To allow or deny the ability to redirect the standard system error stream, System.err, select or clear the "Standard error stream" check box.

Reflection

Public Member Reflection

To allow or deny access to public members of classes loaded by the same class loader, select or clear the "Same loader" check box.

To allow or deny access to public members of classes loaded by a different class loader, select or clear the "Different loader" check box.

To allow or deny access to public members of classes loaded by a system loader, select or clear the "System loader" check box.

Declared Member Reflection

(A declared member is any member of a class.)

To allow or deny access to declared members of classes loaded by the same class loader, select or clear the "Same loader" check box.

To allow or deny access to declared members of classes loaded by a different class loader, select or clear the "Different loader" check box.

To allow or deny access to declared members of classes loaded by a system loader, select or clear the "System loader" check box.

Custom

To add a parameter to a Custom permission (a non-system permission), enter the name of the permission class in the Class name text box. Then enter the parameter in the Parameters text box. Select the Add button.

To remove a parameter from a Custom permission, enter the name of the permission class in the Class name text box. Then enter the parameter in the Parameters text box. Select the Remove button.

The class must be on the class path, or it will not be found. In addition, the class should support the EncodeFormats.TEXT encoding if it requires parameters and needs to support the Custom Permission Editor.


Note: If you edit a custom permission class that does not have the thread permission, the Custom Permissions Editor will add the thread permission so that unrestricted access to threads and thread groups is denied.

Note: When using a character such as an asterisk, a question mark, or a semicolon as a literal in expressions, you must enclose the entire expression in double quotes and precede the character with a backslash when it is used as a literal. You must also precede each literal backslash with a backslash. For example, if you want to specify all file names in the c:\windows\ directory whose second character is an asterisk (*), you would enter the following, including the double quotes: "c:\\windows\\?\**" .


For more information on security for the Microsoft VM for Java, see the Trust-Based Security for Java article, the com.ms.security package, and the com.ms.security.permissions package.

Top © 1998 Microsoft Corporation. All rights reserved. Terms of use.