[rfc][icedtea-web] policytool in itweb-settings

Andrew Azores aazores at redhat.com
Thu Jan 16 07:19:55 PST 2014

On 01/16/2014 10:15 AM, Jiri Vanek wrote:
> On 01/16/2014 04:13 PM, Andrew Azores wrote:
>> On 01/16/2014 10:03 AM, Jiri Vanek wrote:
>>> On 01/16/2014 03:58 PM, Andrew Azores wrote:
>>>>>> permissions to the policy, eg "Allow reading user details" would 
>>>>>> entail granting read
>>>>>> permission on
>>>>>> the user.name and probably user.home together. Or really, I 
>>>>>> imagine a user that is both advanced
>>>>>> enough to care about making a custom policy AND needs more 
>>>>>> control than the coarse-grained
>>>>>> checkboxes is probably advanced enough to deal with the existing 
>>>>>> policytool. So we can just leave
>>>>>> out the Advanced-type settings from the new editor and let those 
>>>>>> users deal with using the
>>>>>> existing
>>>>>> policytool if they need it. Maybe PolicyPanel could be modified 
>>>>>> further to allow users to choose
>>>>>> which editor to launch with an "advanced" checkbox or similar.
>>> This remianed me:
>>> You are planing to have "run in 'advacned' sandbox" button next to 
>>> run i sandbox, which will allow
>>> to set permissions before (and for) actual run (with possibility of 
>>> save eg?) Or did I just
>>> imagined it from nothing?!?!?
>>> J.
>> Woah, what? This is not what I meant at all :) The dialogs shown at 
>> applet run time will just have
>> "Ok/Proceed", "Sandbox" (or "Restricted" or whatever), and "Cancel". 
>> Sandbox/Restricted will run the
>> applet with reduced permissions, meaning the Sandbox permission set, 
>> union the permission set
>> defined in the user policy file (as well as system policy file). The 
>> Advanced button was just going
>> to be either in itweb-settings control panel or in the "mini editor" 
>> itself and provide a way to
>> either simply show more policy options or to launch JDK policytool, 
>> to give power users more control
>> over the policy they are editing. I definitely am not planning to 
>> have two different types of
>> Sandbox button.
>> It is an interesting idea though to have the dialog present a button 
>> for policy editing. This would
>> make it very easy for users to find the correct codebase for an 
>> applet, since we could fill it in
>> for them already. I'm not sure if adding yet another button would be 
>> very good visually though - it
>> might be too much going on on one dialog and become confusing. Or, 
>> rather than adding a way to
>> launch the policy editor here during run time (which sounds a little 
>> unsafe to me), we could simply
>> add a button to the dialog somewhere to copy the applet codebase to 
>> the clipboard. Then the user can
>> cancel or sandbox, then later open the editor and paste the codebase? 
>> Hmm.
> :))) +1 for me on this topic (although it seems to me that I was 
> probably dreaming... :D)
> But as another (much another) chnageset. The current policy patch is 
> so simple taht I really wont to in 1.4
>> Thanks,

Yes, I agree that a lot of what we're discussing here should be in a 
later changeset. The feature already stands on its own and the rest are 
just essentially accessibility enhancements.


Andrew A

More information about the distro-pkg-dev mailing list