I have an app that uses RMI and works when I have the security policy set to
//
// Allow everything for now
//
permission java.security.AllPermission;
But, when I try to lock it down with the policy below, I get this exception - which makes me think something about the classpath is off and I need to add something about classpath in the policy, but I don't know what.
Also - any idea why I have to set the socket permissions all the different ways (loopback, name, base ip)?
Caused by: java.lang.NoClassDefFoundError: Could not initialize class org.apache.logging.log4j.util.PropertiesUtil
at org.apache.logging.log4j.status.StatusLogger.<clinit>(StatusLogger.java:78)
at org.apache.logging.log4j.LogManager.<clinit>(LogManager.java:61)
grant codeBase "file:/C:/apps/abc/xyz/*" {
//
// Allow everything for now
//permission java.security.AllPermission;
permission java.net.SocketPermission "127.0.0.1:*", "accept,connect,resolve";
permission java.net.SocketPermission "localhost:6990", "listen,accept,connect,resolve";
permission java.net.SocketPermission "localhost:6993", "listen,accept,connect,resolve";
permission java.net.SocketPermission "XPS7590.abc.local", "resolve";
permission java.net.SocketPermission "192.168.1.125:6993", "listen,accept,connect,resolve";
permission java.util.PropertyPermission "user.dir", "read";
permission java.util.PropertyPermission "LicenseFilename", "read";
permission java.util.PropertyPermission "HostId", "read";
permission java.io.FilePermission ".", "read";
permission java.io.FilePermission "C:/Apps/abc/xyz/-", "read";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "createClassLoader";
//permission java.lang.RuntimePermission "setContextClassLoader";
};
This fix for this was to add the following line to my policy file.
permission java.lang.RuntimePermission "getClassLoader";
Related
I'm trying to enforce a security policy, giving Java classes signed by a certain signer certain permissions. My security policy file looks as following:
// ========== SYSTEM CODE PERMISSIONS =========================================
grant codeBase "file:${java.home}/conf/*" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/*" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/lib/ext/*" {
permission java.security.AllPermission;
};
// ========== CLASS PERMISSIONS =========================================
keystore "file:/C:/Program Files/Java/openjdk-12/lib/security/cacerts";
keystorePasswordURL "file:/C:/Shared/Team/java-jar-signed/keystore.password";
grant signedBy "mycompany" {
permission java.security.AllPermission;
permission java.io.FilePermission "C:\\*", "read,write,execute";
permission java.io.FilePermission "C:\\", "read,write,execute";
};
The Keystore cacerts contains a certificate with the alias mycompany. The JAR file im testing the security policy with has been signed with the private key of that certificate. When I execute the JAR file with
java -Djava.security.manager -Djava.security.policy=rules.policy -Djava.security.debug=access -cp ReadC-signed.jar ReadC
I get
access: access denied ("java.io.FilePermission" "C:\" "read")
When I use codeBase "path/to/jar" instead of signedBy "mycompany" it works perfectly fine. Does anybody know what could be going wrong here?
I am investigating java security manager. I see that 'grant' is required attribute for *.policy file and it is global. But how it will behave in case if I add 'grant codeBase' for the same resoure. For example:
grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/log4j-1.2.17.jar!/-" {
permission java.io.FilePermission "${catalina.base}/logs/-", "delete";
};
grant {
permission java.io.FilePermission "${catalina.base}/logs/-", "write";
};
Will log4j-1.2.17.jar has a permission to delete files in the log folder?
Can 'grant codeBase' override 'grant' section?
Thank you!
I tried to execute the server in my NetBeans 7.3.1 java project, but I got this:
Sun Mar 26 15:48:04 EEST 2017 : DRDA_SecurityInstalled.I
Sun Mar 26 15:48:04 EEST 2017 : access denied ("java.net.SocketPermission" "localhost:1527" "listen,resolve")
java.security.AccessControlException: access denied ("java.net.SocketPermission" "localhost:1527" "listen,resolve")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkListen(SecurityManager.java:1131)
at java.net.ServerSocket.bind(ServerSocket.java:374)
at java.net.ServerSocket.<init>(ServerSocket.java:237)
at javax.net.DefaultServerSocketFactory.createServerSocket(ServerSocketFactory.java:231)
at org.apache.derby.impl.drda.NetworkServerControlImpl.createServerSocket(Unknown Source)
at org.apache.derby.impl.drda.NetworkServerControlImpl.access$000(Unknown Source)
at org.apache.derby.impl.drda.NetworkServerControlImpl$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.derby.impl.drda.NetworkServerControlImpl.blockingStart(Unknown Source)
at org.apache.derby.impl.drda.NetworkServerControlImpl.executeWork(Unknown Source)
at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
I've been looking for the solution and I found one - change the permissons in java.policy file. Well, I did it:
// Standard extensions get all permissions by default
grant codeBase "file:${{java.home}}/*" { permission java.security.AllPermission;
};
// default permissions granted to all domains
grant {
// Allows any thread to stop itself using the java.lang.Thread.stop()
// method that takes no argument.
// Note that this permission is granted by default only to remain
// backwards compatible.
// It is strongly recommended that you either remove this permission
// from this policy file or further restrict it to code sources
// that you specify, because Thread.stop() is potentially unsafe.
// See the API specification of java.lang.Thread.stop() for more
// information.
permission java.lang.RuntimePermission "stopThread";
// allows anyone to listen on dynamic ports
permission java.net.SocketPermission "localhost:0", "listen";
// "standard" properies that can be read by anyone
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
permission java.net.SocketPermission "localhost:1527", "listen";// here I added this string that should resolve this problem
};
After those steps I've tried to push the server, but still thame exception is throwed. Maybe I'm doing something wrong?
Found few things that might help.
Use :
permission java.net.SocketPermission "localhost:1527", "listen";
instead of :
permission java.net.SocketPermission "localhost:0", "listen";
Make sure you are modifying the correct policy files in-case of multiple JREs present on your system.To verify this use :
System.out.println(System.getProperty(“java.home”));
Then make changes to :
{Above path}\lib\security\java.policy
I am using
windows 7 64 bit (has also program files (x86) ),
jre 7 & jdk1.7.0_25
I got following error while accesing my applet file in the IE8 (8.0.7600.16385)
java.security.accesscontrolexception access denied (java.util.propertypermission user.dir read)
However i can get to my next page/results but i can't passby/handle this exception
The same file works in windows 7 32 bit when i changed jav.policy file with following.
// Standard extensions get all permissions by default
grant codeBase "file:${java.home}/lib/ext/*" {
permission java.util.PropertyPermission "user.dir", "read";
permission java.security.AllPermission;
};
// default permissions granted to all domains
grant codeBase "file:C:/Inetpub/wwwroot/applets/*" {
permission java.util.PropertyPermission "user.dir", "read";
permission java.security.AllPermission;
};
grant codeBase "file:C:/Inetpub/wwwroot/applets/ordered.xslt" {
permission java.util.PropertyPermission "user.dir", "read";
permission java.security.AllPermission;
};
grant codeBase "file:C:/Inetpub/wwwroot/applets/nonOrdered.xslt" {
permission java.util.PropertyPermission "user.dir", "read";
permission java.security.AllPermission;
};
grant codeBase "file:C:/Inetpub/wwwroot/applets/common.xsl" {
permission java.util.PropertyPermission "user.dir", "read";
permission java.security.AllPermission;
};
grant {
permission java.util.PropertyPermission "user.dir", "read";
permission java.security.AllPermission;
};
//grant {
// Allows any thread to stop itself using the java.lang.Thread.stop()
// method that takes no argument.
// Note that this permission is granted by default only to remain
// backwards compatible.
// It is strongly recommended that you either remove this permission
// from this policy file or further restrict it to code sources
// that you specify, because Thread.stop() is potentially unsafe.
// See "http://java.sun.com/notes" for more information.
// permission java.lang.RuntimePermission "stopThread";
// allows anyone to listen on un-privileged ports
// permission java.net.SocketPermission "localhost:1024-", "listen";
// "standard" properies that can be read by anyone
// permission java.util.PropertyPermission "java.version", "read";
// permission java.util.PropertyPermission "java.vendor", "read";
// permission java.util.PropertyPermission "java.vendor.url", "read";
// permission java.util.PropertyPermission "java.class.version", "read";
// permission java.util.PropertyPermission "os.name", "read";
// permission java.util.PropertyPermission "os.version", "read";
// permission java.util.PropertyPermission "os.arch", "read";
// permission java.util.PropertyPermission "file.separator", "read";
// permission java.util.PropertyPermission "path.separator", "read";
// permission java.util.PropertyPermission "line.separator", "read";
// permission java.util.PropertyPermission "java.specification.version", "read";
// permission java.util.PropertyPermission "java.specification.vendor", "read";
// permission java.util.PropertyPermission "java.specification.name", "read";
// permission java.util.PropertyPermission "java.vm.specification.version", "read";
// permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
// permission java.util.PropertyPermission "java.vm.specification.name", "read";
// permission java.util.PropertyPermission "java.vm.version", "read";
// permission java.util.PropertyPermission "java.vm.vendor", "read";
// permission java.util.PropertyPermission "java.vm.name", "read";
// permission java.net.SocketPermission "softag2:1024-65535","connect,accept,resolve,listen";
// permission java.net.SocketPermission "softag2:80", "connect,accept,resolve,listen";
//};
I myself solved it by replacing my java.policy file by following and it worked on several machines, If anyone coming around here may get help
/* AUTOMATICALLY GENERATED ON Tue Dec 10 14:15:46 PKT 2013*/
/* DO NOT EDIT */
grant codeBase "file:/C:/Users/Administrator/Desktop/New%20Folder%20(2)/Java/jre6/lib/ext/*" {
permission java.security.AllPermission;
};
grant codeBase "file:/C:/Windows/Sun/Java/lib/ext/*" {
permission java.security.AllPermission;
};
grant {
permission java.lang.RuntimePermission "stopThread";
permission java.net.SocketPermission "localhost:1024-", "listen";
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
permission java.security.AllPermission;
};
Our Java policy file used to just be:
grant {
permission java.security.AllPermission;
};
I am trying to make our application more secure than just granting everything to everyone. I have it working well except I am having troubles giving permission to files.
The error I currently get is:
java.security.AccessControlException: access denied (java.io.FilePermission \\server.log write)
I have tried so many combinations of things, such as:
permission java.io.FilePermission "\\\\server.log", "write";
permission java.io.FilePermission "C:\\Temp\\logs\\server.log", "write";
permission java.io.FilePermission "\\server.log", "write";
permission java.io.FilePermission "${TEMP}${/}-", "write";
permission java.io.FilePermission "*", "read,write";
The only thing I can get it to work is using:
grant {
permission java.security.AllPermission;
};
I get the error "java.io.FileNotFoundException: \server.log (The filename, directory name, or volume label syntax is incorrect)" when using (even when the files do exist):
permission java.io.FilePermission "<<ALL FILES>>", "write";
Just wondering if anyone had any other ideas to try. I don't really want to have to resort to granting all just to get the file permissions right, obviously I am missing something.
EDIT:
I just realized that maybe this is a clue in the log file:
log4j:ERROR setFile(null,false) call failed.
Maybe I need some permissions for this specifically? Digging around Google now....
In Oracle documentation have some examples:
https://docs.oracle.com/javase/8/docs/technotes/guides/security/spec/security-spec.doc3.html
permission java.io.FilePermission "myfile", "read,write";
permission java.io.FilePermission "/home/gong/", "read";
permission java.io.FilePermission "/tmp/mytmp", "read,delete";
permission java.io.FilePermission "/bin/*", "execute";
permission java.io.FilePermission "*", "read";
permission java.io.FilePermission "/-", "read,execute";
permission java.io.FilePermission "-", "read,execute";
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "c:\\temp\\foo", "read,write,delete")
\\this one works for me
I think the problem is because you are trying to write to a file without permission to read it.
permission java.io.FilePermission "C:\\folder\\*", "read, write";