java.security.properties - changes not applied - java

I try to append security properties to java.security.
Hence I add a property "java.security.properties" specifying the file to be appended.
I checked that security.overridePropertiesFile is set to true.
For some reason the changes to the security policy are not applied.
If I change the file "java.security" directly everything works fine.
Either the file cannot be found or the content of the file is not correct.
I do not get any error message about the location. I tried absolute and relative paths.
The content of the file is the following (one line):
jdk.tls.disabledAlgorithms=ECDH, DH, RC4, DES, MD5withRSA, 3DES_EDE_CBC, DESede, DES, anon, NULL
I guess there is something wrong with the path but don't know since there are no logs about it.
Couldn't find good information about the path though. All examples are relative paths which do not work either for me.
I am using JDK11.

Try running your application with -Djava.security.debug=properties on the command line. If there is an issue loading the file, you should get a message such as "unable to load security properties from <filename>" with an exception stack trace.
Also, you should set the java.security.properties system property on the command line if possible. If not, it should be set as early as possible in your code; otherwise depending on what the application does, it may read and cache the values of security properties from the java.security file before it loads your properties file.
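A quick way to confirm which value is actually in effect, as an added example that is not part of the original posts. It writes two constructed override files to the temp directory and shows that the system property is honoured only when it is set before java.security.Security is first used; the class name, file names and sample values are assumptions for illustration, and security.overridePropertiesFile is assumed to be true.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Security;

public class SecurityOverrideCheck {
    static final String KEY = "jdk.tls.disabledAlgorithms";

    public static void main(String[] args) throws IOException {
        // Constructed override files; the values are samples, not a recommended policy.
        // Files.createTempFile is avoided on purpose: it uses SecureRandom, which
        // would initialize java.security.Security before the property is set.
        String tmp = System.getProperty("java.io.tmpdir");
        Path early = Path.of(tmp, "override-early.security");
        Path late = Path.of(tmp, "override-late.security");
        String earlyValue = "RC4, DES, MD5withRSA, anon, NULL";
        Files.writeString(early, KEY + "=" + earlyValue + "\n");
        Files.writeString(late, KEY + "=RC4\n");

        // Set before anything touches Security: its static initializer reads
        // the master java.security file and this override exactly once.
        System.setProperty("java.security.properties",
                early.toAbsolutePath().toString());
        String effective = Security.getProperty(KEY);
        System.out.println("after early set: " + effective);

        // Too late: Security is already initialized, so this file is never read.
        System.setProperty("java.security.properties",
                late.toAbsolutePath().toString());
        String afterLate = Security.getProperty(KEY);
        System.out.println("after late set : " + afterLate);

        System.out.println("early override applied: " + earlyValue.equals(effective));
        System.out.println("late override ignored : " + earlyValue.equals(afterLate));

        Files.delete(early);
        Files.delete(late);
    }
}
```

Running the same class with -Djava.security.debug=properties additionally prints which files were read.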

Related

Git warning: unknown trace value for 'GIT_TRACE'

As shown in the figure above, every time you run a git command, some warning messages appear.
I found some answers on the Internet.
For example, the following:
Only valid for the Git GUI; when I close the Git GUI and reopen it, the warning message still exists.
I tried another way: I modified a configuration file in the Git installation directory.
I added a line of code: unset GIT_TRACE_PACKET GIT_TRACE.
In this way, there is no warning message when operating through the Git GUI. However, when I operate through the console of IDEA, the warning message still exists and cannot be eliminated. May I ask you guys how to solve this problem?
This has nothing at all to do with java.
You get this message because you have GIT_TRACE set in your environment, to a value that Git does not understand. Your scripts as written cannot change your shell's setting. See environment-variables, and, e.g., Best way to set environment variables in calling shell and Can a shell script set environment variables of the calling shell?.
To unset GIT_TRACE in your current shell, run unset GIT_TRACE. To set it to a different variable, run export GIT_TRACE=value. The set of valid value-s includes 0 (off—this has the same effect as un-setting the variable), 1 and 2 (on and trace goes to stderr), higher numeric values (trace goes to an already-open file descriptor), and path names starting with /.
Any new shells you create may get GIT_TRACE set based on dot-files (e.g., .bashrc) or other startup items you have chosen. To change this, find your startup items and modify them. If your GUI creates a new shell every time you ask it to do anything, you will have to use this method.

Invalid path of external Kafka keystore and truststore

My app connects to Kafka topic and everything goes well in local environment when truststore and keystore are stored under classpath, but when I try to switch to Dockerized external environment and point to those files localized on a server, then the app crashes.
Snippet in a local environment where it works:
spring.kafka.ssl.trust-store-location=file:src/main/resources/keys/application.truststore.jks
spring.kafka.ssl.key-store-location=file:src/main/resources/keys/application.keystore.jks
Snippet of application.properties on a server side when the app is launched inside a docker container and does not work. Both keys are stored in /deployment/keys folder inside the container:
spring.kafka.ssl.trust-store-location=/deployment/keys/application.truststore.jks
spring.kafka.ssl.key-store-location=/deployment/keys/application.keystore.jks
The following java exception occurs:
NoSuchFileException: /tmp/tomcat-docbase.45456574985379.8080/deployment/keys/application.keystore.jks
So for an unknown reason Spring Boot inside Docker container adds the /tmp/tomcat-docbase.45456574985379.8080/ prefix to the keystore and truststore location.
I have also tried:
spring.kafka.ssl.trust-store-location=file:/deployment/keys/application.truststore.jks
spring.kafka.ssl.key-store-location=file:/deployment/keys/application.keystore.jks
and
spring.kafka.ssl.trust-store-location=file:///deployment/keys/application.truststore.jks
spring.kafka.ssl.key-store-location=file:///deployment/keys/application.keystore.jks
but none of them seem to work. I would not like to change the code but what comes to my mind is to create a Properties object and create strings with those paths. Then inject them to the KafkaTemplate as a bean. However, I have not yet checked if this could help. Would rather focus just on adjusting application.properties file than correct the code. Could you please help me find the solution?

Getting FlywayException: SP2-0310: unable to open file - when sqlplus # is used with file path

I am using flyway pro with oracleSqlplus enabled. I created a folder structure to organize scripts based on objects. Trying to use # (with path) in the flyway version scripts, which is not working.
folder structure,
topFolder
-folderA
-AScript.sql
-folderB
-BScript.sql
-folderCommon
-AScript.sql
-V1__ASCRIPT.sql
-V2__BSCRIPT.sql
-V3__ASCRIPT.sql
Content of:
V1__ASCRIPT.sql
#AScript.sql -> Which correctly executes topFolder/folderA/Ascript.sql
V2__BScript.sql
#BScript.sql -> Which correctly executes topFolder/folderB/Bscript.sql
V3__ASCRIPT.sql
#topFolder/folderCommon/AScript.sql -> Which is throwing me below error,
org.flywaydb.core.api.FlywayException: SP2-0310: unable to open file "topFolder/folderCommon/AScript.sql"
I tried almost all possible combinations,
with absolute path,
with "#../../topFolder/folderCommon/AScript.sql"
tried setting SQLPATH variable
with ##
which didn't work.
Just giving the file name alone in #, works. But I want to specify the path, so that file names can be re-used and it is less error prone.
I expect the relative path should work with flyway + oraclesqlplus option.
Thanks in advance.
Looks like the point where flyway.locations=filesystem: ends is where your path begins.
Example:
flyway.locations=filesystem:/opt/app/sql
where your scripts are /opt/app/sql/appadb/script.sql
inside masterscript would be
##appadb/script.sql

Files.exists(path) and path.toFile().exists() give different results for the same file

I'm getting a different result for Files.exists(path) and path.toFile().exists() for a local file on Windows. I can see this file in Windows Explorer, although I have (randomly) modified permissions and perhaps the permissions do not make sense.
However this doesn't explain why the old method returns true and the new method returns false. The file definitely exists but maybe it is invisible to the user running the Java code, so I'm not sure what the correct answer should be. Nor can I see how to see which user is running the code; there is only one real user, Paul, on the computer, but I'm wondering whether running as administrator or not affects things.
System.out.println("Path Exists(1):"+Files.exists(path));
System.out.println("Path Exist(2) :"+path.toFile().exists());
gives
Path Exists(1):false
Path Exist(2) :true
Also
System.out.println("Path readable(3) :"+Files.isReadable(path));
System.out.println("Path readable(4):"+path.toFile().canRead());
works in same way giving
Path readable(3) :false
Path readable(4):true
Permissions output
File C:\Code\jthink\opensrc\jaudiotagger\testdata\test157.dsf permissions
owner:PCLAPTOP\Paul
NT AUTHORITY\SYSTEM:READ_DATA/WRITE_DATA/APPEND_DATA/READ_NAMED_ATTRS/WRITE_NAMED_ATTRS/EXECUTE/DELETE_CHILD/READ_ATTRIBUTES/WRITE_ATTRIBUTES/DELETE/READ_ACL/WRITE_ACL/WRITE_OWNER/SYNCHRONIZE:DENY
BUILTIN\Administrators:READ_DATA/WRITE_DATA/APPEND_DATA/READ_NAMED_ATTRS/WRITE_NAMED_ATTRS/EXECUTE/DELETE_CHILD/READ_ATTRIBUTES/WRITE_ATTRIBUTES/DELETE/READ_ACL/WRITE_ACL/WRITE_OWNER/SYNCHRONIZE:DENY
BUILTIN\Administrators:READ_DATA/WRITE_DATA/APPEND_DATA/READ_NAMED_ATTRS/WRITE_NAMED_ATTRS/EXECUTE/DELETE_CHILD/READ_ATTRIBUTES/WRITE_ATTRIBUTES/DELETE/READ_ACL/WRITE_ACL/WRITE_OWNER/SYNCHRONIZE:ALLOW
NT AUTHORITY\SYSTEM:READ_DATA/WRITE_DATA/APPEND_DATA/READ_NAMED_ATTRS/WRITE_NAMED_ATTRS/EXECUTE/DELETE_CHILD/READ_ATTRIBUTES/WRITE_ATTRIBUTES/DELETE/READ_ACL/WRITE_ACL/WRITE_OWNER/SYNCHRONIZE:ALLOW
BUILTIN\Users:READ_DATA/READ_NAMED_ATTRS/EXECUTE/READ_ATTRIBUTES/READ_ACL/SYNCHRONIZE:ALLOW
NT AUTHORITY\Authenticated Users:READ_DATA/WRITE_DATA/APPEND_DATA/READ_NAMED_ATTRS/WRITE_NAMED_ATTRS/EXECUTE/READ_ATTRIBUTES/WRITE_ATTRIBUTES/DELETE/READ_ACL/SYNCHRONIZE:ALLOW
c:\Code\jthink\opensrc\jaudiotagger>attrib C:\Code\jthink\opensrc\jaudiotagger\testdata\test157.dsf
A R C:\Code\jthink\opensrc\jaudiotagger\testdata\test157.dsf
Update
I don't have a conclusion but thought this information could be useful.
I was running code in IntelliJ IDE without the IDE Run program as Administrator option enabled; enabling this did then cause the Java application to also get the administrator privileges.
Interestingly, for another file I didn't add any DENY privileges, I just disabled inherit permissions and removed READ permissions from all groups. Then when I ran as user without run as admin enabled it could not read the file, and also this code could not output any information
// Collects the owner and every ACL entry of the file into one string
StringBuilder sb = new StringBuilder();
AclFileAttributeView view = Files.getFileAttributeView(path, AclFileAttributeView.class);
if (view != null)
{
    sb.append("Owner:"+view.getOwner().getName()+"**");
    for (AclEntry acl : view.getAcl())
    {
        sb.append(acl.principal()+"**");
        for(AclEntryPermission aep:acl.permissions())
        {
            sb.append(aep.toString() + "**");
        }
    }
}
but when I ran with Run program as administrator enabled it still couldn't read the file, but the above code did now output some of the permissions as follows:
Owner:BUILTIN\Administrators
NT AUTHORITY\SYSTEM:WRITE_DATA/APPEND_DATA/WRITE_NAMED_ATTRS/WRITE_ATTRIBUTES/SYNCHRONIZE:ALLOW
PCLAPTOP\Paul:WRITE_DATA/APPEND_DATA/WRITE_NAMED_ATTRS/WRITE_ATTRIBUTES/SYNCHRONIZE:ALLOW
BUILTIN\Administrators:WRITE_DATA/APPEND_DATA/WRITE_NAMED_ATTRS/WRITE_ATTRIBUTES/SYNCHRONIZE:ALLOW
As you can see, even though Administrators do not have READ or READ PERMISSIONS options, they can output the permissions whereas before they couldn't, perhaps due to BUILTIN/Administrator being returned as owner.
Try reading this:
https://docs.oracle.com/javase/tutorial/essential/io/check.html
It states that, Files.exists(path) returning false does not mean that it does not exist, so yeah it would seem there is a permission problem. Try the Files.notExists(path) as well and see what it returns. If it is false it means that it can not be determined whether the file exists, but if it returns true, there is probably some problem in your code.
Try running your file from the command line instead of netbeans. If you don't know how to do this you can just search google, there is tons of stuff on this, but basically what you want to do is to compile the .java file with javac myfile.java and then run it with java myfile. Do this with a normal command prompt and one you open as administrator and see what you get.
These are two different methods: Files.exists() and path.toFile().exists().
Files.exists() defines that file denoted by this abstract pathname exists. In other words that file exists and user has READ access to it.
path.toFile().exists() indicates the file exists then there is no guarantee that a subsequent access will succeed. In other words file exist without checking that user has READ access to it.
It really depends on the user which runs the program. When you work under your ID (Paul) it works fine. Especially in command line where you can use the ATTRIB command.
However, when you use some other application to run your code it depends on the system configuration. Run this ATTRIB or similar command inside your application and you will see.
I think you run some web site under IIS. This way is usually configured for lowest level user in the system with almost no rights to prevent security breaks. Usually it is everyone or NT AUTHORITY. As I can see this particular access has no rights to read your file
NT AUTHORITY\SYSTEM:READ_DATA/...:DENY
Naturally you have 2 different answers - FALSE: user which ID is used by running application cannot read this file, TRUE: file physically exist.
Change running ID for your application or grant READ access to everyone for this particular file including all directories in its path and you will have the same result in this two methods which check different meanings.
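The boolean checks discussed in this thread hide the reason for a "false". The following added example (not code from the original posts; the class, enum and method names are assumptions) reads the file attributes directly so that "missing" and "could not be determined" can be told apart, and prints the three library checks beside it. Paths given as arguments are probed; without arguments it uses a constructed temp file and a sibling name that does not exist.

```java
import java.io.IOException;
import java.nio.file.AccessDeniedException;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.attribute.BasicFileAttributes;

public class ExistenceProbe {
    enum State { EXISTS, MISSING, UNKNOWN }

    // Reads the attributes itself so the underlying exception stays visible.
    static State probe(Path path) {
        try {
            Files.readAttributes(path, BasicFileAttributes.class);
            return State.EXISTS;
        } catch (NoSuchFileException e) {
            return State.MISSING;            // the only case that proves absence
        } catch (AccessDeniedException e) {
            System.out.println("  access denied: " + e.getMessage());
            return State.UNKNOWN;            // may exist, caller is not allowed to see
        } catch (IOException e) {
            System.out.println("  I/O error: " + e);
            return State.UNKNOWN;
        }
    }

    static void report(Path p) {
        System.out.println(p);
        System.out.println("  Files.exists    = " + Files.exists(p));
        System.out.println("  Files.notExists = " + Files.notExists(p));
        System.out.println("  File.exists     = " + p.toFile().exists());
        System.out.println("  probe           = " + probe(p));
    }

    public static void main(String[] args) throws IOException {
        if (args.length > 0) {
            for (String a : args) report(Path.of(a));
            return;
        }
        // Constructed sample inputs: one real temp file, one absent name.
        Path present = Files.createTempFile("probe", ".dat");
        report(present);
        report(present.resolveSibling("probe-does-not-exist.dat"));
        Files.delete(present);
    }
}
```

When Files.exists and Files.notExists both print false, the state is undetermined, and the probe line shows the exception that caused it.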

Relative path for JAAS keytab configuration

I have a system wherein .NET clients authenticate against a Java server with Kerberos. Everything works, but I'm trying to improve the server configuration. Currently a keytab file is required in the root of C:\ because my jaas.conf looks like this:
Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    isInitiator=false
    keyTab="///C:/keytab"
    principal="XXX";
};
I am trying to make the keyTab property a relative path, but am having no luck. What I've tried:
keyTab="///keytab"
keyTab="///./keytab"
keyTab="classpath:keytab"
All of these result in an exception, so clearly the keytab file cannot be found.
I've searched and read the docs and banged my head on a wall over this. Can anyone reveal the magical incantation I need to make this happen?
Please use keyTab="keytab"
Similar to the example:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/lab/part1.html
I tried as well putting the keytab in the same folder as the jaas.conf file (in the conf folder). Doing keytab="keytab" would not work. Fortunately, it uses the same configuration variables used elsewhere, so the solution was to set:
keyTab="${catalina.base}/conf/keytab"
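An alternative to property expansion in jaas.conf, shown as an added example that is not from the original posts: build the same "Server" entry in code, resolve the keytab against a known base directory, and fail at startup if the resolved file is outside that directory or unreadable. The class name, the base directory and the principal are assumptions for illustration; the option names are the ones from the jaas.conf above.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

public class KeytabConfig extends Configuration {
    private final AppConfigurationEntry[] entries;

    KeytabConfig(Path baseDir, String relativeKeytab, String principal) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path keytab = base.resolve(relativeKeytab).normalize();
        // Refuse names that climb out of the configuration directory.
        if (!keytab.startsWith(base)) {
            throw new IllegalArgumentException("keytab outside " + base);
        }
        // Fail at startup with the resolved path instead of at first login.
        if (!Files.isRegularFile(keytab) || !Files.isReadable(keytab)) {
            throw new IllegalStateException("keytab not readable: " + keytab);
        }
        Map<String, String> options = new HashMap<>();
        options.put("useKeyTab", "true");
        options.put("storeKey", "true");
        options.put("isInitiator", "false");
        options.put("keyTab", keytab.toString());
        options.put("principal", principal);
        entries = new AppConfigurationEntry[] { new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, options) };
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        return "Server".equals(name) ? entries : null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: an empty placeholder file stands in for a real keytab.
        Path conf = Files.createTempDirectory("conf");
        Files.createFile(conf.resolve("keytab"));
        Configuration cfg = new KeytabConfig(conf, "keytab",
                "service/host.example.com@EXAMPLE.COM"); // constructed principal
        System.out.println(cfg.getAppConfigurationEntry("Server")[0].getOptions().get("keyTab"));
    }
}
```

The instance can be passed to new LoginContext("Server", null, null, cfg) in place of the jaas.conf file.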
