Name: bsC130419 Date: 08/21/2001


java version "1.3.1"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.1-b24)
Java HotSpot(TM) Client VM (build 1.3.1-b24, mixed mode)

The <security> tag in the JNLP file only gives the option for "all-
permissions". It would often be more appropriate to request more fine-grained
permission. For example, I cannot instantiate an ORB without all-permissions
because the (Sun) ORB implementation wants to read the System properties and/or
the ORB.properties file on the user's hard disk.

Given the fine-grained nature of the policy files, it seems logical that a Web
Start application could list the permissions it will require and have the user
agree to those, without the blanket all-permissions option. I guess the XML
implementation thought ahead on this but provided only the most simplistic
case.

It's the same as the problem with signed applets. Having gone to the trouble of
implementing fine-grained permission, you only provide an all-or-none option.
Please consider fixing this. I can see that it's not trivial but it would be a
real boost for Web Start.
(Review ID: 130363)
======================================================================