Security Policy Configuration
When running the product on a system where you do not control the input (XML files, CSS), you must take some steps to ensure that the transformation process does not access files outside the allowed locations, and does not connect to other hosts. Follow this procedure:
- Create a Java policy file. A sample Java policy file can be found in config/chemistry.policy. You can use this as it is or as a starting point to grant or revoke permissions. Follow the instructions from this file.
- Specify the Java policy file location (in URL or file path syntax) using the -security-policy command-line parameter:
    chemistry.bat -security-policy file:/some/path/to/chemistry.policy
- By default, the font cache file is stored in the home directory, while the temporary files are stored in the system temp folder. It is recommended to specify a workspace directory where these files are to be stored. The sample policy file automatically sets read and write permissions on this folder.
    chemistry.bat -security-policy file:/some/path/to/chemistry.policy -security-workspace /path/to/dir
- If your CSS files, images, fonts, or other resources are stored in a different folder than the one that contains the input file, you need to indicate those folders.
    chemistry.bat ... -security-resources-dir1 /path/to/resources -security-resources-dir2 /other/path/to/resources
- If you access resources from another server, you must allow connections to it (note that the Google Fonts servers are already added to the policy file).
    chemistry.bat ... -security-resources-host my.font.and.css.server:80
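
When reviewing or adapting the policy file, it helps to know what standard Java policy grants for these locations look like. The fragment below is an added example, not the contents of config/chemistry.policy; the paths and host are the placeholder values from the commands above, and the exact set of actions the product needs is an assumption.

```policy
// Illustrative Java policy grants (added example, NOT the shipped config/chemistry.policy).
// Paths and host are the placeholders used in the commands above; the
// chosen actions (read, write, delete) are assumptions.

grant {
    // Workspace (-security-workspace): font cache and temporary files.
    // A trailing "/-" covers every file under the directory, recursively.
    permission java.io.FilePermission "/path/to/dir", "read";
    permission java.io.FilePermission "/path/to/dir/-", "read,write,delete";

    // Resource folders (-security-resources-dir1 / -dir2): read-only.
    permission java.io.FilePermission "/path/to/resources/-", "read";
    permission java.io.FilePermission "/other/path/to/resources/-", "read";

    // Remote resource server (-security-resources-host): one host, one port.
    permission java.net.SocketPermission "my.font.and.css.server:80", "connect,resolve";
};

// Entries to look for when auditing a customized policy. Each of these
// removes the file or network confinement this procedure sets up:
//   permission java.security.AllPermission;
//   permission java.io.FilePermission "<<ALL FILES>>", "read,write";
//   permission java.net.SocketPermission "*", "connect,resolve";
```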