[rfc][icedtea-web] policytool in itweb-settings

Andrew Azores aazores at redhat.com
Thu Jan 16 07:13:41 PST 2014

On 01/16/2014 10:03 AM, Jiri Vanek wrote:
> On 01/16/2014 03:58 PM, Andrew Azores wrote:
>>>> permissions to the policy, eg "Allow reading user details" would 
>>>> entail granting read permission on
>>>> the user.name and probably user.home together. Or really, I imagine 
>>>> a user that is both advanced
>>>> enough to care about making a custom policy AND needs more control 
>>>> than the coarse-grained
>>>> checkboxes is probably advanced enough to deal with the existing 
>>>> policytool. So we can just leave
>>>> out the Advanced-type settings from the new editor and let those 
>>>> users deal with using the existing
>>>> policytool if they need it. Maybe PolicyPanel could be modified 
>>>> further to allow users to choose
>>>> which editor to launch with an "advanced" checkbox or similar.
> This remianed me:
> You are planing to have "run in 'advacned' sandbox" button next to run 
> i sandbox, which will allow to set permissions before (and for) actual 
> run (with possibility of save eg?) Or did I just imagined it from 
> nothing?!?!?
> J.

Woah, what? This is not what I meant at all :) The dialogs shown at 
applet run time will just have "Ok/Proceed", "Sandbox" (or "Restricted" 
or whatever), and "Cancel". Sandbox/Restricted will run the applet with 
reduced permissions, meaning the Sandbox permission set, union the 
permission set defined in the user policy file (as well as system policy 
file). The Advanced button was just going to be either in itweb-settings 
control panel or in the "mini editor" itself and provide a way to either 
simply show more policy options or to launch JDK policytool, to give 
power users more control over the policy they are editing. I definitely 
am not planning to have two different types of Sandbox button.

It is an interesting idea though to have the dialog present a button for 
policy editing. This would make it very easy for users to find the 
correct codebase for an applet, since we could fill it in for them 
already. I'm not sure if adding yet another button would be very good 
visually though - it might be too much going on on one dialog and become 
confusing. Or, rather than adding a way to launch the policy editor here 
during run time (which sounds a little unsafe to me), we could simply 
add a button to the dialog somewhere to copy the applet codebase to the 
clipboard. Then the user can cancel or sandbox, then later open the 
editor and paste the codebase? Hmm.


Andrew A

More information about the distro-pkg-dev mailing list