Protection Domains
MIDlet suites belong to protection domains that determine which permissions are granted,
which are denied, and which ones must be deferred to the user's judgment. A protection
domain is kind of like a secret club and comprises two parts:
1. The set of permissions that are allowed and those for which the user must be consulted
2. The rules for how a MIDlet suite can get into this protection domain
A very simple protection domain, “SimplePD,” might contain the permission
javax.microedition.io.Connector.http. The rules for membership in SimplePD could be
something as simple as verifying the origin IP address of the MIDlet suite. For example, if the
MIDlet suite is downloaded from www.bigcarrier.com, then the application management
software on the device would know to place the MIDlet suite in the SimplePD protection domain.
At runtime, any MIDlet that tries to make an HTTP connection will be granted the permission.
Attempts to make other connection types will be denied.
The simple IP-origin criterion for SimplePD is pretty weak. MIDlet suites in SimplePD are
susceptible to many attacks, including data modification, data replacement, man-in-the-middle
attacks, and DNS spoofing. More robust rules are based on cryptographic solutions for data
integrity and authentication. In the MIDP 2.0 specification, the section “Trusted MIDlet Suites
Using X.509 PKI” describes one such scheme, including additional manifest attributes.
MIDlet suites whose contents and origin cannot be verified are placed in a kind of default
protection domain, the untrusted domain. The only restriction placed on the untrusted domain
is that, given explicit confirmation from the user, it must allow MIDlets access to HTTP and
HTTPS connections.
The concept of protection domains is deliberately vague, leaving MIDP vendors with
considerable latitude in their implementation. Our guess is that many implementations will
choose to have a single untrusted domain and a single trusted domain, with entry to the trusted
domain limited to cryptographically signed (and verified) MIDlet suites.
Permission Types
The protection domain contains the permissions that will be granted to MIDlets (allowed
permissions) as well as the permissions for which the user must be consulted (user permissions).
There are several varieties of user permissions. Blanket means that the user is only required to
grant or deny the permission once for a MIDlet suite. Session means that the user must grant or
deny permission once per invocation of a MIDlet suite. Finally, oneshot indicates that the user
must be consulted each time the necessary permission is needed.
Permissions in MIDlet Suite Descriptors
There are additional attributes for MIDlet suite descriptors. If your MIDlet suite absolutely,
positively needs certain permissions, use the MIDlet-Permissions attribute. For example, if
your MIDlet suite needs to make HTTP connections to function correctly, you would have a
line in your descriptor file like this:
MIDlet-Permissions: javax.microedition.io.Connector.http
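The following MIDlet is an added example, not code from the book: it pairs the MIDlet-Permissions descriptor line above with a runtime check of what the protection domain decided, using MIDP 2.0's MIDlet.checkPermission() and catching the SecurityException raised when a user permission (session or oneshot) is refused at the prompt. The class name and the URL are assumptions made up for the example.

```java
import java.io.IOException;
import javax.microedition.io.Connector;
import javax.microedition.io.HttpConnection;
import javax.microedition.lcdui.Alert;
import javax.microedition.lcdui.AlertType;
import javax.microedition.lcdui.Display;
import javax.microedition.midlet.MIDlet;

public class HttpPermissionMIDlet extends MIDlet {
    // Same permission name the descriptor lists under MIDlet-Permissions.
    private static final String HTTP_PERMISSION = "javax.microedition.io.Connector.http";
    // Hypothetical URL; the device's protection domain, not the URL, decides access.
    private static final String URL = "http://example.invalid/status";

    protected void startApp() {
        final Display display = Display.getDisplay(this);
        // checkPermission() reports the protection domain's verdict before any I/O:
        // 1 = allowed permission, 0 = denied, -1 = unknown (a user permission; the
        // AMS will prompt when Connector.open() is called).
        int status = checkPermission(HTTP_PERMISSION);
        if (status == 0) {
            display.setCurrent(new Alert("HTTP", "HTTP denied by protection domain",
                    null, AlertType.ERROR));
            return;
        }
        // Network I/O (and the permission prompt) must not block the UI thread.
        new Thread() {
            public void run() {
                String result;
                try {
                    result = fetchStatus();
                } catch (SecurityException e) {
                    // Thrown when the user declines a session or oneshot prompt.
                    result = "User declined HTTP access";
                } catch (IOException e) {
                    result = "I/O failure: " + e.getMessage();
                }
                display.setCurrent(new Alert("HTTP", result, null, AlertType.INFO));
            }
        }.start();
    }

    private String fetchStatus() throws IOException {
        HttpConnection hc = null;
        try {
            hc = (HttpConnection) Connector.open(URL);
            return "HTTP " + hc.getResponseCode();
        } finally {
            if (hc != null) hc.close();
        }
    }

    protected void pauseApp() { }
    protected void destroyApp(boolean unconditional) { }
}
```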