The policytool Utility

To permit our EvilEmpire example to make a network connection, we need to create a policy file that contains the appropriate permission. A handy utility called policytool, included with the JDK, helps make policy files. Fire it up from a command line like this:

 C:\> policytool  

You may get an error message when policytool starts up about not finding a default policy file. Don’t worry about this; just click OK to make the message go away. We now add a network permission for the EvilEmpire application. The application is identified by its origin, also called a codebase, described by a URL. In this case, it is a file: URL that points to the location of the EvilEmpire application on your disk. If you started up policytool, you should see its main window, shown in the first figure. Click on Add Policy Entry. Another window pops up, like the one shown in the second figure (but with the fields empty).

First, fill in the codebase with the URL of the directory containing EvilEmpire. Then click on Add Permission. Yet another window pops up as shown in the figure below. Choose SocketPermission from the first combo box. Then fill out the second text field on the right side with the network address that EvilEmpire will connect to. Finally, choose Connect from the third combo box. Click on OK; you should see the new permission in the policy entry window, as shown in the second figure above.

Click on Done to finish creating the policy. Then choose Save As from the File menu and save the policy file as something memorable, such as EvilEmpire.policy. You can quit policytool now; we’re all done with it. The policy file you just created is not complicated. Take a look at it with a text editor, which shows the simple syntax of the policy we created:

 grant codeBase "file:/c:/Projects/Exploring/" {  
 permission java.net.SocketPermission "207.46.131.13", "connect";  
 };  

You can eschew policytool entirely and just create policy files with a text editor if you’re more comfortable that way.