Overriding Applet Securities

The Java® 2 Platform provides a mechanism for users to override the security policies normally enforced for applets running from the Java Plug-In. This is done through a "policy file" which grants or denies specific security permissions to an applet. Note: Changing security permissions for an applet may allow malicious or erroneous programs to cause serious damage to your system. It is believed that there is no chance that the GeoSim applets can cause such damage, but we accept no responsibility for any harm that may occur due to information provided in this document.

There are normally two files that the Java Plug-In will look for policy information. The first is lib\security\java.policy located under the subdirectory where the plug-in was installed. This is the global system policy file. Policy changes placed in this file will affect every user on the system.

The second file is .java.policy, and is located in the current user's home directory. This is the user's own policy file. Policy changes placed in this file will affect only the current user. The home directory of the current user, say, user, is usually

C:\Winnt\Profiles\user\ on multi-user Windows NT systems.
C:\Windows\Profiles\user\ on multi-user Windows 95 systems.
C:\Windows\ on single-user Windows 95 systems.

You can edit policy files directly with any standard text editor, or use the Policy Tool that comes with the JDK.

Using the Policy Tool

To create a security policy that enables the GeoSim applets to load and save models and save screen captures using the Policy Tool, simply type

policytool
from the command-line. This will bring up the main window and try to open the user policy file. If you have not already created a user policy file, the Policy Tool will not be able to open it, and will report this as an error. This is not a problem, so simply ignore this error (it will, however, tell you the location of the user policy file, which you may wish to confirm).

Click on the "Add Policy Entry" button. This will bring up a Policy Entry dialog where you can edit the specific permissions allowed for a given applet. The applet being granted the modified permissions is specified in the "CodeBase" field. For example,

http://geosim.cs.vt.edu/geosim/MigModel/MigModel.jar
would grant the specified permissions to the applet located at the URL http://geosim.cs.vt.edu/geosim/MigModel/MigModel.jar. It is important to specify the name of the .jar file the applet is located in, not the web page it is loaded from.

The "CodeBase" field must always be an URL. If you wish to grant permissions to an applet loaded from a local disk, you must still specify the location of the applet as an URL. For example,

file:/C:/Program Files/GeoSim/MigModel/MigModel.jar
would grant the specified permissions to the applet located in the file C:\Program Files\GeoSim\MigModel\MigModel.jar. Note that forward slashes '/' were used instead of backward slashes '\' in the URL.

Permissions may be granted to more than one applet at a time. For example,

http://geosim.cs.vt.edu/geosim/-
would grant the spefied permissions to any applet located at http://geosim.cs.vt.edu/geosim or a subdirectory. Leaving the "CodeBase" field blank would grant the permissions to each and every applet and application run on your system. This is strongly discouraged.

Once you have entered the code base of your applet, you will need to specify which permissions you wish to grant. Simply click on "Add Permission" to add a new permission. Select the permission type, target name, and actions. If what you want does not appear in the list, you can type it in manually. In order to load or save files, the GeoSim applets require the following permissions:

java.io.FilePermission "<<ALL FILES>>", "read";
java.io.FilePermission "<<ALL FILES>>", "write";
java.util.PropertyPermission "user.home", "read";

Now simply save your policy file in one of the two locations defined for your system (described above) where it will be looked for when the plug-in starts. The next time you start the plug-in, the new security policies will be in effect

Manually Editing Policy Files

Policy files are just text files that describe which permissions to grant code loaded from a given location. The general format of a policy file includes a "grant" section for each code base for which new permissions are being granted, like this:
grant codeBase "<code base>" {
  permission <type> "<target>", "<actions>";
  permission <type> "<target>", "<actions>";
  ...
};
See the above section for a description of the <code base>, <type>, <target> and <actions> fields.

There can be as many such sections as you like in a single file. For example, to grant sufficient permissions for all applets located at http://geosim.cs.vt.edu/geosim or a subdirectory to load and save files, add the section

grant codeBase "http://geosim.cs.vt.edu/geosim/-" {
  permission java.io.FilePermission "<<ALL FILES>>", "read";
  permission java.io.FilePermission "<<ALL FILES>>", "write";
  permission java.util.PropertyPermission "user.home", "read";
};


Up: Control Descriptions