Security settings

The File API security model implemented in Java Platform for S60 is based on the JSR-248 (MSA) specification 1.00 security requirements, the MIDP 2.1 Recommended Security Policy, the security policy of the JTWI specification, and the JSR-75 addendum on the security of the FileConnection API.

For S60, the table below lists the access rights of MIDlets belonging to different MIDP access domains:

Table 3: Access rights of access domains in S60

  Category                                         | Manufacturer | Operator | Identified third party | Unidentified third party
  -------------------------------------------------|--------------|----------|------------------------|-------------------------
  System files and directories                     | Yes          | No       | No                     | No
  Private user files and directories               | Yes          | No       | No                     | No
  Designated public directories and files therein  | Yes          | Yes      | Yes                    | Yes

“Designated public directories and files therein” means all directories defined by the File API system properties, plus the whole file system of memory cards and the hard drive except for the system/ and private/ directories.

Directory and file access restrictions

The File API also contains the “restricted access to a directory” concept. This is needed when a user navigates, for example, from the root to the c:/data/Images/ directory (the fileconn.dir.photos property points to that directory). The user has only restricted access to the c:/ root and the c:/data/ directory: the user has read access only to the data/ directory. The list() operation returns only those directories and files to which the user has access.

The user can create/modify/delete files and sub-directories under the c:/data/Images/ directory, but cannot change the name of the c:/data/Images/ directory. This restriction concerns all directories that are pointed to by a File API system property.

In S60, access to *.jar and *.jad files is forbidden for all access domains except Manufacturer.
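The behaviour described in this section, as an added example that is not part of the original document or of the S60 platform code: a hypothetical MIDlet helper that lists a restricted parent directory (getting back only the entries its domain may access) and writes under the directory named by fileconn.dir.photos. It assumes, as the MIDP security model specifies, that a refused operation, whether by domain policy or by the user answering “No” to a prompt, is reported to the MIDlet as a SecurityException.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.util.Enumeration;
import java.util.Vector;
import javax.microedition.io.Connector;
import javax.microedition.io.file.FileConnection;

/* Hypothetical helper for an S60 MIDlet; not code from the platform documentation. */
public final class DesignatedDirProbe {

    /* list() on a restricted parent such as file:///c:/data/ works in READ mode
     * but returns only the entries the MIDlet's access domain may reach. */
    public static Vector listVisible(String url) throws IOException {
        FileConnection fc = null;
        Vector names = new Vector();
        try {
            fc = (FileConnection) Connector.open(url, Connector.READ);
            for (Enumeration e = fc.list(); e.hasMoreElements();) {
                names.addElement(e.nextElement());
            }
        } catch (SecurityException se) {
            // No read access at all: Table 3 denies this subtree to the domain.
        } finally {
            if (fc != null) fc.close();
        }
        return names;
    }

    /* Writes a file under the designated photos directory (fileconn.dir.photos),
     * which every domain in Table 3 may write to. A SecurityException means the
     * domain policy or the user's "No" to the Write User Data Access prompt
     * refused the operation; the MIDlet reports it instead of crashing. */
    public static boolean writeToPhotos(String name, byte[] data) throws IOException {
        String base = System.getProperty("fileconn.dir.photos");
        if (base == null) return false;          // property not defined on this device
        FileConnection fc = null;
        try {
            fc = (FileConnection) Connector.open(base + name, Connector.READ_WRITE);
            if (!fc.exists()) fc.create();
            OutputStream os = fc.openOutputStream();
            try { os.write(data); } finally { os.close(); }
            return true;
        } catch (SecurityException se) {
            return false;
        } finally {
            if (fc != null) fc.close();
        }
    }
}
```

Calling rename() on a connection opened to the designated directory itself fails in the same way, since the restricted-access rule forbids renaming any directory a File API system property points to.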

User settings

File API implementations in Java Platform for S60 allow users to accept MIDlet access rights by using the function groups Read User Data Access and Write User Data Access. These two function groups are defined in MIDP 2.0 Recommended Security Policy. The Read User Data Access group represents permissions to any function that gives a MIDlet suite the ability to read any data in a file or directory. The Write User Data Access group represents permissions to any function that gives a MIDlet suite the ability to add or modify any data in a file or directory.

For identified third party and unidentified third party MIDlets, the user settings are defined according to the table below.

Table 4: User settings for Read User Data Access and Write User Data Access function groups

  Function group          | Identified third party domain                                        | Unidentified third party domain
  ------------------------|----------------------------------------------------------------------|---------------------------------------------------------
  Read User Data Access   | Default setting: Oneshot; allowed settings: Session, Blanket, Oneshot, No | Default setting: Oneshot; allowed settings: Oneshot, No
  Write User Data Access  | Default setting: Oneshot; allowed settings: Session, Blanket, Oneshot, No | Default setting: Oneshot; allowed settings: Oneshot, No

Note: MIDlets belonging to the Manufacturer or the Operator domains always have rights to Read User Data and Write User Data (blanket permission).

The explanations for the table values are as follows:

  • “Blanket” is valid for every invocation of an API by a MIDlet suite until it is uninstalled or the permission is changed by the user.

  • “Session” is valid from the invocation of a MIDlet suite until it terminates. “Session” mode MUST prompt the user on or before the first invocation of the protected API or function. When the user re-invokes the MIDlet suite, the prompt MUST be repeated.

  • “Oneshot” MUST prompt the user on each invocation of the protected API or function.