Code Sources The Default Sandbox

In addition, there is a user-specific policy file called .java.policy that may exist in each user's home directory ($HOME on UNIX systems, C:\WINDOWS on single-user Windows 98 systems, and so on). The set of permissions given to a program is the union of the permissions contained in the global and user-specific policy files.

Policy files are simple text files. You can administer them with policytool, or you can edit them by hand. Hand editing is discouraged in 1.3 (policytool writes a warning at the top of the file not to edit it by hand), but real programmers still edit them by hand. Policy files are also used with JAAS, in which case their syntax changes slightly and you must edit them by hand, at least until 1.4, when JAAS becomes integrated with the SDK. So first we'll see how they look, and then we'll look at how they are created with policytool. Here's how a typical policy file might look:

    keystore "${user.home}${/}.keystore";

    // Grant these permissions to code loaded from O'Reilly, regardless
    // of whether the code is signed.
    grant codeBase "http://www.oreilly.com" {
        permission java.io.FilePermission "/tmp", "read";
        permission java.lang.RuntimePermission "queuePrintJob";
    };

    // Grant these permissions to code loaded from Sun, but only
    // if it is signed by sdo.
    grant signedBy "sdo", codeBase "http://www.sun.com" {
        permission java.security.AllPermission;
    };

    // Grant these permissions to code signed by jra, no matter where
    // it was loaded from.
    grant signedBy "jra" {
        permission java.net.SocketPermission "*:1024-",
            "accept, connect, listen, resolve";
    };

    // Grant these permissions to any code, no matter where it came from
    // or whether it is signed.
    grant {
        permission java.util.PropertyPermission "java.version", "read";
    };

Note how the policy file combines all the elements of the sandbox: the code sources (the combination of signedBy and codeBase elements) are associated with various permissions to create protection domains, and the entire file is subject to the given keystore.
The first line of this example tells the virtual machine to consult the keystore in the file $HOME/.keystore when it needs to check the certificates of entities that have signed code. The next four blocks of text define protection domains: code that is loaded from O'Reilly's web site has permission to read files in /tmp and to start a print job; code that is signed by sdo and loaded from Sun's web site has permission to do anything it wants to; code that is signed by jra is able to operate on any nonprivileged socket (ports 1024 and above, on any host); and all code is allowed to read the java.version system property. In each of these blocks, the syntax is the same: the word grant is followed by a code source and then a set of permissions enclosed by braces. The code source is composed of a codebase and a signer, either of which may be blank. When both are present, both must match: the sdo grant applies neither to sdo-signed code loaded from anywhere else nor to unsigned code loaded from Sun. When both are blank, the grant applies to every class the virtual machine loads. Note also that the O'Reilly grant is keyed only on an unsigned http: URL, so it extends its permissions to whatever is actually delivered under that URL.
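To make the matching and union rules concrete, here is an added example (not code from the book, and not Sun's policy implementation) that parses policy text in the syntax shown above and computes the permissions a given code source ends up with. It assumes a simplified codeBase match (a plain URL-prefix test rather than the exact rules of java.security.CodeSource.implies), treats a signedBy list such as "a,b" as requiring every named signer, and takes signer names as given rather than resolving them against the keystore. The global policy text is the book's example; the one-grant user policy is constructed for the example.

```python
"""Effective permissions for a code source under Java 2 policy files.
Added example, not Sun's policy parser.  Assumptions: codeBase matching is a
plain URL-prefix test (not java.security.CodeSource.implies exactly), and a
signedBy list "a,b" requires all the named signatures."""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Set, Tuple

# The book's example as the global policy, plus a constructed one-grant
# user-specific ~/.java.policy; the effective set is the union of both.
GLOBAL_POLICY = """
keystore "${user.home}${/}.keystore";
// Code loaded from O'Reilly, signed or not.
grant codeBase "http://www.oreilly.com" {
    permission java.io.FilePermission "/tmp", "read";
    permission java.lang.RuntimePermission "queuePrintJob";
};
// Code loaded from Sun, but only if signed by sdo.
grant signedBy "sdo", codeBase "http://www.sun.com" {
    permission java.security.AllPermission;
};
// Code signed by jra, wherever it was loaded from.
grant signedBy "jra" {
    permission java.net.SocketPermission "*:1024-", "accept, connect, listen, resolve";
};
// Any code at all.
grant {
    permission java.util.PropertyPermission "java.version", "read";
};
"""
USER_POLICY = 'grant { permission java.util.PropertyPermission "user.home", "read"; };'


@dataclass(frozen=True)
class Permission:
    cls: str
    name: str = ""
    actions: str = ""


@dataclass(frozen=True)
class Grant:
    signers: FrozenSet[str]        # empty: no signature required
    codebase: str                  # empty: any location
    permissions: Tuple[Permission, ...]

    def applies_to(self, location: str, code_signers: FrozenSet[str]) -> bool:
        # Both conditions must hold; a blank condition is always satisfied.
        return self.signers <= code_signers and location.startswith(self.codebase)


# quoted string | // comment | punctuation | bare word (keyword or class name)
_TOKEN = re.compile(r'"([^"]*)"|(//[^\n]*)|([{};,])|([^\s{};,"]+)')


def tokenize(text):
    toks = []
    for quoted, comment, punct, word in _TOKEN.findall(text):
        if comment:
            continue
        toks.append(("word", word) if word else ("punct", punct) if punct else ("str", quoted))
    return toks


def parse_policy(text):
    """Return (keystore URL or None, list of Grant) for one policy file."""
    toks, i, keystore, grants = tokenize(text), 0, None, []
    while i < len(toks):
        if toks[i] == ("word", "keystore"):        # keystore "url";
            keystore = toks[i + 1][1]
            i = toks.index(("punct", ";"), i) + 1
            continue
        if toks[i] != ("word", "grant"):
            raise ValueError("expected grant, got %r" % (toks[i][1],))
        i, signers, codebase = i + 1, frozenset(), ""
        while toks[i] != ("punct", "{"):           # header: signedBy / codeBase, any order
            if toks[i] == ("word", "signedBy"):
                signers, i = frozenset(s.strip() for s in toks[i + 1][1].split(",")), i + 2
            elif toks[i] == ("word", "codeBase"):
                codebase, i = toks[i + 1][1], i + 2
            elif toks[i] == ("punct", ","):
                i += 1
            else:
                raise ValueError("unexpected %r in grant header" % (toks[i][1],))
        i, perms = i + 1, []
        while toks[i] != ("punct", "}"):           # permission Class ["name" [, "actions"]];
            if toks[i] != ("word", "permission"):
                raise ValueError("expected permission, got %r" % (toks[i][1],))
            cls, name, actions, i = toks[i + 1][1], "", "", i + 2
            if toks[i][0] == "str":
                name, i = toks[i][1], i + 1
                if toks[i] == ("punct", ","):
                    actions, i = toks[i + 1][1], i + 2
            if toks[i] != ("punct", ";"):
                raise ValueError("missing ';' after permission")
            perms.append(Permission(cls, name, actions))
            i += 1
        grants.append(Grant(signers, codebase, tuple(perms)))
        i += 2                                     # closing "};"
    return keystore, grants


def effective_permissions(policies: Iterable[str], location: str,
                          code_signers: Iterable[str] = ()) -> Set[Permission]:
    """Union of every grant, in every policy file, whose code source matches."""
    signers, perms = frozenset(code_signers), set()
    for text in policies:
        for grant in parse_policy(text)[1]:
            if grant.applies_to(location, signers):
                perms.update(grant.permissions)
    return perms
```

Running effective_permissions([GLOBAL_POLICY, USER_POLICY], "http://www.sun.com/app.jar", {"sdo"}) yields AllPermission plus the two PropertyPermissions that every class gets, while the same jar without the sdo signature gets only the PropertyPermissions: the union is taken over matching grants across both files, and a grant with both a codeBase and a signedBy contributes nothing unless both conditions hold. In a real virtual machine the signer names are aliases looked up in the keystore named on the first line; this example takes them as given.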