Permissions framework

Permissions are used to protect access to APIs or functions that require authorization before they can be used. A MIDlet suite has to request permissions declaratively using the following attributes either in the application descriptor or in the manifest file:

For example, suppose HTTP connections are critical to an application's functionality. The application may also use HTTPS connections for improved security, but this is not vital. In this case, the application descriptor could look like this:

MIDlet-Permissions: javax.microedition.io.Connector.http
MIDlet-Permissions-Opt: javax.microedition.io.Connector.https

Note: Installation fails for MIDlet suites with misspelled permissions.

Function groups

Instead of making the user manage each individual permission requested by a MIDlet suite, permissions can be grouped by functionality in Function Groups. The user will then give permissions to Function Groups, for example the "Net Access" Function Group when using network features, rather than explicitly for the javax.microedition.io.Connector.http permission. Using a higher-level concept like Function Groups instead of single permissions is better suited for user interaction in small devices.

The MIDP 2.0 and JTWI specifications have defined the following Function Groups:

  • Phone Call (available only in S60)

    Permissions related to any function that results in a phone call.

  • Net Access

    Contains permissions related to network data connections.

  • Messaging

    Set of permissions related to sending or receiving messages like SMS.

  • Auto Invocation

    Permissions related to automatically starting a MIDlet, for example by Push Registration.

  • Local Connectivity

    Permissions related to connection via local ports like IrDA or Bluetooth.

  • Multimedia Recording

    Permissions that allow recording images, audio, video, and so on.

  • Read User Data

    Set of permissions to read user data, such as phone book or calendar entries.

  • Write User Data

    Permissions related to writing user data.

The availability of these Function Groups depends on the device's capabilities. For instance, "Multimedia Recording" would not be available for devices without media capturing facilities or for those where the Media API is not available.

Function Groups also determine which interaction modes are available for the trusted and untrusted domains. For example, in the untrusted domain, "Net Access" can be set as session or denied, with blanket being disabled. On the other hand, in the trusted domain, oneshot, blanket, and denied are allowed.

In addition to the above, Function Groups contain exclusion rules that forbid combinations of permissions that are not allowed simultaneously. For instance, it would not be desirable to have blanket permission for "Net Access" and "Auto Invocation" at the same time. If this were the case, a MIDlet could set itself for periodic restart and make network connections without user permission, creating unsolicited charges for the user.
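The descriptor attributes and the "Net Access" / "Auto Invocation" exclusion rule described above can be checked before a suite is deployed. The following is an added example, not code from the platform: the function names and the partial permission-to-Function-Group table are assumptions, and a real device applies the table from its own security policy.

```python
# Added example: audit the permission attributes of a MIDlet descriptor (JAD).
# KNOWN is a constructed, partial permission-to-Function-Group table; a real
# device uses the table defined by its own security policy.
KNOWN = {
    "javax.microedition.io.Connector.http": "Net Access",
    "javax.microedition.io.Connector.https": "Net Access",
    "javax.microedition.io.Connector.socket": "Net Access",
    "javax.microedition.io.PushRegistry": "Auto Invocation",
    "javax.wireless.messaging.sms.send": "Messaging",
}
ATTRS = ("MIDlet-Permissions", "MIDlet-Permissions-Opt")
# The pair of groups the page names as undesirable to hold at blanket together.
EXCLUSIVE = {"Net Access", "Auto Invocation"}


def parse_permissions(jad_text):
    """Return {attribute: [permission, ...]} for the two permission attributes."""
    found = {attr: [] for attr in ATTRS}
    for line in jad_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() in found:
            found[name.strip()] += [p.strip() for p in value.split(",") if p.strip()]
    return found


def audit(jad_text):
    """Return (unrecognised names, requested groups, both exclusive groups requested)."""
    perms = parse_permissions(jad_text)
    requested = [p for attr in ATTRS for p in perms[attr]]
    unknown = sorted(p for p in requested if p not in KNOWN)
    groups = sorted({KNOWN[p] for p in requested if p in KNOWN})
    return unknown, groups, EXCLUSIVE <= set(groups)


# Constructed sample descriptor: one misspelled name ("htpps") plus Push Registration.
SAMPLE_JAD = """\
MIDlet-Name: Demo
MIDlet-Permissions: javax.microedition.io.Connector.http, javax.microedition.io.PushRegistry
MIDlet-Permissions-Opt: javax.microedition.io.Connector.htpps
"""

if __name__ == "__main__":
    unknown, groups, conflict = audit(SAMPLE_JAD)
    print("unrecognised permissions:", unknown)
    print("function groups requested:", groups)
    print("Net Access and Auto Invocation both requested:", conflict)
```

A suite flagged for requesting both groups is not necessarily rejected; the flag marks it for review of which interaction modes the user will be able to set.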

An example of Function Groups usage can be seen in the S60 screen shots shown in the figure below. They show the "Network Access" Function Group found in the Application Manager application. The screen shot on the left is for an unsigned MIDlet suite, and the one on the right is for the same MIDlet signed with a Verisign certificate. The difference is that with the signed MIDlet the user can allow the MIDlet to open network connections without user prompts.

Figure 92: Network Access Function Group for an unsigned and signed MIDlet suite (Nokia S60 screen shots)