ExecPermission
The ExecPermission class represents permission for rmid to execute a
specific command to launch an activation group.
Syntax
The name of an ExecPermission is the path name of a command to grant
rmid permission to execute. A path name that ends in "\*" indicates all
the files contained in that directory (where "\" is the file-separator
character, File.separatorChar). A path name that ends with "\-"
indicates all files and subdirectories contained in that directory
(recursively). A path name consisting of the special token
"<<ALL FILES>>" matches any file.
Note: A path name consisting of a single "*" indicates all the files
in the current directory, while a path name consisting of a single "-"
indicates all the files in the current directory and
(recursively) all files and subdirectories contained in the current
directory.
ExecOptionPermission
The ExecOptionPermission class represents permission for rmid to use a
specific command-line option when launching an activation group. The
name of an ExecOptionPermission is the value of a command line option.
Syntax
Options support a limited wildcard scheme. An asterisk signifies a
wildcard match, and it may appear as the option name itself (i.e., it
matches any option), or an asterisk may appear at the end of the
option name only if the asterisk follows either a "." or "=". For
example: "*" or "-Dfoo.*" or "-Da.b.c=*" is valid, "*foo" or "-Da*b"
or "ab*" is not.
Policy file for rmid
When granting rmid permission to execute various commands and options,
the permissions ExecPermission and ExecOptionPermission need to be
granted universally (i.e., granted to all code sources). It is safe to
grant these permissions universally because only rmid checks these
permissions.
An example policy file that grants various execute permissions to rmid
is:
grant {
    permission com.sun.rmi.rmid.ExecPermission
        "c:\\files\\apps\\java\\jdk1.2.2\\win32\\bin\\java";
    permission com.sun.rmi.rmid.ExecPermission
        "c:\\files\\apps\\java\\jdk1.2.2\\win32\\bin\\java_g";
    permission com.sun.rmi.rmid.ExecPermission
        "c:\\files\\apps\\rmidcmds\\*";
    permission com.sun.rmi.rmid.ExecOptionPermission
        "-Djava.security.policy=c:\\files\\policies\\group.policy";
    permission com.sun.rmi.rmid.ExecOptionPermission
        "-Djava.security.debug=*";
    permission com.sun.rmi.rmid.ExecOptionPermission
        "-Dsun.rmi.*";
};
The first two permissions granted allow rmid to execute the 1.2.2
version of the java and java_g commands, specified by their explicit
path names. Note that by default, the version of the java command found
in java.home is used (the same one that rmid uses), and does not need to
be specified in the policy file. The third permission allows rmid to
execute any command in the directory c:\files\apps\rmidcmds\.
The fourth permission granted, an ExecOptionPermission, allows rmid to
launch an activation group that defines the security policy file to be
c:\files\policies\group.policy. The next permission allows the
java.security.debug property to be used by an activation group. The last
permission allows any property in the sun.rmi property name hierarchy to
be used by activation groups.
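The ExecOptionPermission wildcard rule and the option grants in the policy file above, as an added example (not code from the JDK or from this page): a Python script that extracts the granted option names, checks them against the stated wildcard syntax, flags a bare "*" grant, and lists requested options that no grant covers. Treating the wildcard as a prefix match and treating invalid names as granting nothing are assumptions; the function names and the requested options are constructed.

```python
import re

# Constructed input: the ExecOptionPermission grants from the policy file above.
POLICY = r'''
grant {
    permission com.sun.rmi.rmid.ExecOptionPermission
        "-Djava.security.policy=c:\\files\\policies\\group.policy";
    permission com.sun.rmi.rmid.ExecOptionPermission
        "-Djava.security.debug=*";
    permission com.sun.rmi.rmid.ExecOptionPermission
        "-Dsun.rmi.*";
};
'''

ENTRY = re.compile(
    r'permission\s+com\.sun\.rmi\.rmid\.ExecOptionPermission\s+"((?:[^"\\]|\\.)*)"')

def granted_options(policy_text):
    """Extract granted option names, collapsing the policy file's doubled backslashes."""
    return [m.group(1).replace("\\\\", "\\") for m in ENTRY.finditer(policy_text)]

def is_valid_name(name):
    """'*' alone, no asterisk at all, or one trailing '*' right after '.' or '='."""
    if name == "*" or "*" not in name:
        return True
    return name.count("*") == 1 and name.endswith((".*", "=*"))

def implies(grant, option):
    """True if a granted name covers one concrete command-line option."""
    if not is_valid_name(grant):
        return False                  # assumption: invalid names grant nothing
    if grant == "*":
        return True
    if grant.endswith("*"):
        return option.startswith(grant[:-1])  # assumption: prefix match, '.'/'=' kept
    return option == grant

def audit(policy_text, options):
    """Return (invalid grants, grants that allow every option, uncovered options)."""
    grants = granted_options(policy_text)
    invalid = [g for g in grants if not is_valid_name(g)]
    too_broad = [g for g in grants if g == "*"]
    denied = [o for o in options if not any(implies(g, o) for g in grants)]
    return invalid, too_broad, denied

if __name__ == "__main__":
    # Constructed option list for illustration.
    requested = ["-Dsun.rmi.example=1", "-Djava.security.debug=access", "-Xmx512m"]
    print(audit(POLICY, requested))
```

Run against a real policy file, the third list shows which options an activation group descriptor requests that the policy does not grant, and the second list shows any grant that permits every option.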
To start rmid with a policy file, the java.security.policy property
needs to be specified on rmid's command line, for example: