Java Permissions .INI Values Reference
Custom Java permissions can be set by specifying a custom permissions .ini file when using the signcode tool's -jp command line option. These .ini files can be generated by hand, or by using the cprmedit and piniedit tools included with the Microsoft SDK for Java. For more information on setting Java permissions with the signcode tool for Microsoft® Internet Explorer 4.01 (and later), see Using Signcode with Java Permission Information.
When using an .ini file to set custom permissions, you set permission variables to values that define the permissions you want. The following table can be used as a reference to help you decide how to set these variables. For each permission, the variables are listed and the meaning of each variable is described.
| Variable | Meaning |
| --- | --- |
| Unrestricted | If true, any application can be executed. |
| IncludeNames | These applications can be executed. |
| ExcludeNames | These applications cannot be executed. |

| Variable | Meaning |
| --- | --- |
| Limit | The maximum number of bytes of data that can be written. |
| RoamingFiles | If true, roaming files can be created. |
| GlobalExempt | If true, the storage limit is an absolute limit. If false, the limit is also bounded by the global storage limit. |

| Variable | Meaning |
| --- | --- |
| IncludeRead | These files can be read. |
| ExcludeRead | These files cannot be read. |
| IncludeWrite | These files can be written to. |
| ExcludeWrite | These files cannot be written to. |
| IncludeDelete | These files can be deleted. |
| ExcludeDelete | These files cannot be deleted. |
| ReadFileURLCodeBase | If true, classes that have this permission will have read access to the directory that they were loaded from if that location is a file://URL. |

No specific settings are required.
| Variable | Meaning |
| --- | --- |
| IncludeConnectIPs | General communication with the hosts at these IP addresses is allowed. |
| ExcludeConnectIPs | General communication with the hosts at these IP addresses is not allowed. |
| IncludeBindIPs | Listening for connections on these local IP addresses is allowed. |
| ExcludeBindIPs | Listening for connections on these local IP addresses is not allowed. |
| IncludeMulticastIPs | The multicast groups specified by these IP addresses can be joined. |
| ExcludeMulticastIPs | The multicast groups specified by these IP addresses cannot be joined. |
| IncludeConnectHosts | General communication with these hosts is allowed. |
| ExcludeConnectHosts | General communication with these hosts is not allowed. |
| IncludeBindHosts | Listening for connections with these hosts is allowed. |
| ExcludeBindHosts | Listening for connections with these hosts is not allowed. |
| IncludeMulticastHosts | The multicast groups specified by these hosts can be joined. |
| ExcludeMulticastHosts | The multicast groups specified by these hosts cannot be joined. |
| IncludeConnectGlobalPorts | General communication with allowed hosts or IP addresses using the specified ports is allowed. |
| ExcludeConnectGlobalPorts | General communication with allowed hosts or IP addresses using the specified ports is not allowed. |
| IncludeBindGlobalPorts | Listening for connections with allowed hosts on the local IP addresses using the specified ports is allowed. |
| ExcludeBindGlobalPorts | Listening for connections with allowed hosts on the local IP addresses using the specified ports is not allowed. |
| ConnectToFileURLCodebase | If true, connection permissions are adjusted so that general communication is allowed with the location that the class with this permission is loaded from if that location is a file://URL/codebase. |
| ConnectToNonFileURLCodebase | If true, connection permissions are adjusted so that general communication is allowed with the location that the class with this permission is loaded from if that location is a non-file://URL/codebase. |

No specific settings are required.
| Variable | Meaning |
| --- | --- |
| Unrestricted | If true, any system property can be accessed. |
| AllowedSuffixes | These suffixes indicate system properties that could be accessed based on the following rule: If suffix "x" is listed, you have access to a system property "y" if a second system property named "y.x" exists that is set to true. |
| IncludedProperties | System properties represented by these WildcardExpressions can be accessed. |
| ExcludedProperties | System properties represented by these WildcardExpressions cannot be accessed. |

| Variable | Meaning |
| --- | --- |
| PublicSame | If true, access is allowed to public members of any class loaded by the same loader as the class initiating the reflection operation. |
| PublicDifferent | If true, access is allowed to public members of a non-system class loaded by a different loader than the class initiating the reflection operation. |
| PublicSystem | If true, access is allowed to public members of any system class. |
| DeclaredSame | If true, access is allowed to any member of any class loaded by the same loader as the class initiating the reflection operation. |
| DeclaredDifferent | If true, access is allowed to any member of a non-system class loaded by a different loader than the class initiating the reflection operation. |
| DeclaredSystem | If true, access is allowed to any member of any system class. |

| Variable | Meaning |
| --- | --- |
| IncludeOpen | These keys can be opened. |
| ExcludeOpen | These keys cannot be opened. |
| IncludeRead | These keys/values can be read. |
| ExcludeRead | These keys/values cannot be read. |
| IncludeWrite | These keys/values can be modified. |
| ExcludeWrite | These keys/values cannot be modified. |
| IncludeDelete | These keys/values can be deleted. |
| ExcludeDelete | These keys/values cannot be deleted. |
| IncludeCreate | These keys/values can be created. |
| ExcludeCreate | These keys/values cannot be created. |

No specific settings are required.
| Variable | Meaning |
| --- | --- |
| SetSysIn | If true, the system stream java.lang.System.in can be set. |
| SetSysOut | If true, the system stream java.lang.System.out can be set. |
| SetSysErr | If true, the system stream java.lang.System.err can be set. |

| Variable | Meaning |
| --- | --- |
| AllThreadGroups | If true, all thread groups can be accessed. |
| AllThreads | If true, all threads can be accessed. |

| Variable | Meaning |
| --- | --- |
| ClipboardAccess | If true, the system clipboard can be accessed. |
| TopLevelWindows | If true, top-level windows can be created. |
| NoWarningBanners | If true, top-level windows do not require warning banners. |
| FileDialogs | If true, file dialog boxes can be created. |
| EventQueueAccess | If true, the AWT event queue can be accessed. |

| Variable | Meaning |
| --- | --- |
| CanRead | If true, user-directed read operations are allowed. |
| CanWrite | If true, user-directed write operations are allowed. |

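The following is an added example, not part of the SDK documentation: a small Python audit for a hand-written permissions .ini that reports variable names missing from the tables above (likely misspellings) and boolean variables set to a broad grant. The `Key=value` layout, the `audit_permissions` helper and the section names in the sample are assumptions made for illustration; only the variable names come from this page.

```python
import configparser
# Variable names taken from the reference tables on this page.
PAIRED = ("Names Read Write Delete Open Create ConnectIPs BindIPs MulticastIPs "
          "ConnectHosts BindHosts MulticastHosts ConnectGlobalPorts BindGlobalPorts")
OTHER = ("Unrestricted Limit RoamingFiles GlobalExempt ReadFileURLCodeBase "
         "ConnectToFileURLCodebase ConnectToNonFileURLCodebase AllowedSuffixes "
         "IncludedProperties ExcludedProperties PublicSame PublicDifferent PublicSystem "
         "DeclaredSame DeclaredDifferent DeclaredSystem SetSysIn SetSysOut SetSysErr "
         "AllThreadGroups AllThreads ClipboardAccess TopLevelWindows NoWarningBanners "
         "FileDialogs EventQueueAccess CanRead CanWrite")
KNOWN = set(OTHER.split()) | {p + s for s in PAIRED.split() for p in ("Include", "Exclude")}

# Variables whose value "true" grants broad access, per their table descriptions.
BROAD_WHEN_TRUE = {
    "Unrestricted": "no restriction on what this permission covers",
    "GlobalExempt": "storage limit is not bounded by the global storage limit",
    "DeclaredDifferent": "reflection on any member of classes from other loaders",
    "DeclaredSystem": "reflection on any member of any system class",
    "NoWarningBanners": "top-level windows need no warning banner",
    "AllThreads": "all threads can be accessed",
    "AllThreadGroups": "all thread groups can be accessed",
}

def audit_permissions(ini_text):
    """Return sorted (section, variable, reason) findings for an .ini string."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep variable names exactly as written
    parser.read_string(ini_text)
    findings = []
    for section in parser.sections():
        for name, value in parser.items(section):
            if name not in KNOWN:
                findings.append((section, name, "not in the reference tables; check spelling"))
            elif name in BROAD_WHEN_TRUE and value.strip().lower() == "true":
                findings.append((section, name, BROAD_WHEN_TRUE[name]))
    return sorted(findings)

# Constructed sample: section names are placeholders, not names from the SDK.
SAMPLE_INI = """\
[PlaceholderReflectionSection]
DeclaredSystem=true
[PlaceholderUISection]
NoWarningBanners=TRUE
ClipboardAccess=false
[PlaceholderPropertySection]
IncludeProperties=placeholder.value
"""
if __name__ == "__main__":
    print(*audit_permissions(SAMPLE_INI), sep="\n")
```

The sample's `IncludeProperties` is reported because the table spells the variable `IncludedProperties`.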