It is possible to grant some applet permissions using grant signedBy
if the certificate which was used to sign the applet is being stored in
a keystore on disk. However, if the browser keystore of IE is being
used, then this does not work.
keystore "somecerts","jks";
grant signedBy "someone", codebase "https://somepath/someapplet.jar"
{
    permission java.io.FilePermission "<<ALL FILES>>", "read,execute,write";
    permission java.util.PropertyPermission "user.home", "read";
};
AFAIK the browser keystore, unlike standard keystores, doesn't feature aliases.
Hence it could well be that the above is simply impossible.
-------------------------------------------------------------------------------
http://java.sun.com/docs/books/tutorial/security/toolsign/wstep3.html
To grant code signed by |susan| permission to read any files in the |C:\TestData|
directory, you need to create a policy entry granting this permission. Note
that "Code signed by |susan|" is an abbreviated way of saying "Code in a
class file contained in a JAR file, where the JAR file was signed using the
private key corresponding to the public key that appears in a keystore
certificate in an entry aliased by |susan|."
-------------------------------------------------------------------------------
If the above was true then this would be merely a bug against the documentation:
http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/keystores.html
-------------------------------------------------------------------------------
Overview
Java Plug-in and Java Web Start support browser keystore in Internet Explorer and Mozilla; certificates and keys in browser keystores are used for the following purpose:
* Signature signing verification
* HTTPS server authentication
* HTTPS client authentication
-------------------------------------------------------------------------------
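Added example (not part of the original report and not JDK code): a small diagnostic for the alias resolution the tutorial excerpt describes. It lists the aliases a keystore exposes, looks up the alias named in signedBy, and checks that the certificate stored under it signed every entry of the JAR. The class name SignedByCheck and the four command-line arguments are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added diagnostic (not JDK code): does the alias used in signedBy resolve in the
// keystore, and did the certificate stored under it sign every entry in the JAR?
public class SignedByCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: SignedByCheck <type> <keystore|NONE> <alias> <jar>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args[0]);
        // Keystores without a backing file (e.g. SunMSCAPI's "Windows-MY") load from null.
        try (InputStream in = args[1].equals("NONE") ? null : new FileInputStream(args[1])) {
            ks.load(in, null); // null password: certificates are read without an integrity check
        }
        System.out.println("aliases: " + Collections.list(ks.aliases()));
        Certificate wanted = ks.getCertificate(args[2]);
        if (wanted == null) {
            System.out.println("alias '" + args[2] + "' not found: signedBy cannot match");
            System.exit(1);
        }
        int unsigned = 0;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(args[3], true)) { // true = verify signatures
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signer certificates are only available after the entry is fully read.
                try (InputStream is = jar.getInputStream(e)) {
                    while (is.read(buf) != -1) { }
                }
                boolean match = false;
                Certificate[] certs = e.getCertificates();
                if (certs != null) {
                    for (Certificate c : certs) match |= c.equals(wanted);
                }
                if (!match) { unsigned++; System.out.println("not signed by alias: " + e.getName()); }
            }
        }
        System.out.println(unsigned == 0 ? "all entries signed by '" + args[2] + "'" : unsigned + " entries not covered");
        System.exit(unsigned == 0 ? 0 : 1);
    }
}
```

For the policy shown above, the invocation would be: java SignedByCheck jks somecerts someone someapplet.jar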
Relates to: JDK-6495732 Policy keystore recursion problem loading SunMSCAPI provider (Closed)