When running the product on a system where you do not control the input (XML files, CSS), you
must take some steps to ensure that the transformation process does not access files outside
the allowed locations, and does not connect to other hosts. Follow this procedure:
- Create a Java policy file. A sample Java policy file can be found in
  config/chemistry.policy. You can use it as is or as a starting point to
  grant or revoke permissions. Follow the instructions in this file.
- Specify the Java policy file location (in URL or file path syntax) using the
  -security-policy command-line parameter:
    chemistry.bat -security-policy file:/some/path/to/chemistry.policy
- By default, the font cache file is stored in the home directory, while the
  temporary files are stored in the system temp folder. It is recommended to
  specify a workspace directory where these files are to be stored. The sample
  policy file automatically sets read and write permissions on this folder.
    chemistry.bat \
    -security-policy file:/some/path/to/chemistry.policy \
    -security-workspace /path/to/dir
- If your CSS files, images, fonts, or other resources are stored in a
  different folder than the one that contains the input file, you need to
  indicate those folders.
    chemistry.bat ... -security-resources-dir1 /path/to/resources \
    -security-resources-dir2 /other/path/to/resources
- If you access resources from another server, you must allow connections to
  that host (note that the Google Fonts servers are already added to the
  policy file).
    chemistry.bat ... -security-resources-host my.font.and.css.server:80
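
A check you can run on an edited policy file before passing it to -security-policy, as an added example that is not part of the product or its documentation: it flags grants that would undo the file and host restrictions this procedure sets up. The sample policy is constructed (it is not the contents of config/chemistry.policy), the permission classes are standard Java policy syntax, and the choice of which grants count as too broad is this example's assumption.

```python
import re

# Matches one entry: permission <class> ["target"] [, "actions"];
PERMISSION_RE = re.compile(
    r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')

def audit_policy(text):
    """Return (permission_class, target, reason) for each over-broad grant."""
    # Drop /* ... */ blocks and whole-line // comments so that
    # commented-out entries are not reported.
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    text = re.sub(r'^\s*//.*$', '', text, flags=re.M)
    findings = []
    for cls, target, actions in PERMISSION_RE.findall(text):
        acts = {a.strip().lower() for a in actions.split(',') if a.strip()}
        if cls == 'java.security.AllPermission':
            findings.append((cls, target, 'disables the sandbox entirely'))
        elif cls == 'java.io.FilePermission':
            if target in ('<<ALL FILES>>', '/-'):
                findings.append((cls, target, 'covers the whole file system'))
            if 'execute' in acts:
                findings.append((cls, target, 'allows launching programs'))
        elif cls == 'java.net.SocketPermission':
            if target.split(':')[0] == '*' and acts & {'connect', 'accept'}:
                findings.append((cls, target, 'allows connections to any host'))
    return findings

# Constructed sample policy, not the contents of config/chemistry.policy.
SAMPLE_POLICY = '''
grant {
  // permission java.security.AllPermission;
  permission java.io.FilePermission "/path/to/dir/-", "read,write,delete";
  permission java.io.FilePermission "/path/to/resources/-", "read";
  permission java.io.FilePermission "<<ALL FILES>>", "read";
  permission java.net.SocketPermission "my.font.and.css.server:80", "connect,resolve";
  permission java.net.SocketPermission "*", "connect,resolve";
};
'''

if __name__ == '__main__':
    for cls, target, reason in audit_policy(SAMPLE_POLICY):
        print(f'{cls} "{target}": {reason}')
```

Grants scoped to the workspace, the resource folders, and the named host pass; only the two wildcard entries in the sample are reported.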