In redhat-openjdk:1.8.0, jvm java.policy and custom.policy file's java.version is being effective on the activeprocess
I've configured the java process to use java security manager and it uses Apache server to run the process. So Apache client look for "java.version" read permission in default and/or custom policy file.
I've included ready property permission, yet i'm getting weird AccessControlException.
Exception i'm seeing is:
java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.lang.RuntimeException: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.version" "read")
I've right permissions in place Property permission entry in jvm/secruity/java.policy
permission java.util.PropertyPermission "java.version", "read";
and in custom.policy ( -Djava.security.manager -Djava.security.policy=custom.policy), file path fully-qualified, i just shortened for better understanding):
permission java.util.PropertyPermission "java.version", "read";
Expectation is to run java process with out issues, but that's not happening.
Edit 1:
I've also tried enforcing all permission using below line:
grant{
permission java.security.AllPermission;
};
But seems like it is still not working. I've also tried using '==' while setting up policy file, which mean
`If you use
java -Djava.security.manager -Djava.security.policy==someURL SomeApp
(note the double equals) then just the specified policy file will be used; all the ones indicated in the security properties file will be ignored.`
As per jdk 8 doc
Any help is much appreciated.
Looks to me that the policy is not in effect. In case you have multiple JDK releases installed, are you sure that you've modified the default policy for the same release that you are running with? I'd start by granting AllPermissions just to make sure that the policy is in effect, and then focus on the permission line itself.
Related
I have the following policy file:
grant codeBase "file:./Cookie.jar",
Principal javax.security.auth.kerberos.KerberosPrincipal
"MyUsr#domain.com"
Principal javax.security.auth.kerberos.KerberosPrincipal
"OtherUsr#domain.com" {
permission java.util.PropertyPermission "java.vm.*", "read,write";
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "user.home", "read";
permission java.io.FilePermission "foo.txt", "read";
};
grant {
permission java.util.PropertyPermission "*","read,write";
permission javax.security.auth.AuthPermission "createLoginContext.Cookie";
permission java.security."*";
};
Whenever I execute: java -jar Cookie.jar my program works as intended and I have no problem loading log4j.
However, when I execute the following to enable the security manager (using the above policy file):
java -Djava.security.manager -Djava.security.policy==java.policy -jar Cookie.jar -Djava.security.auth.login.config=auth.conf
I end up getting this ERROR:
StatusLogger Log4j2 could not find a logging implementation. Please add lo
g4j-core to the classpath. Using SimpleLogger to log to the console...
This is the same error I would get if I didn't have log4j on the classpath, however, log4j is on the classpath.
I have determined for certain that the issue is caused by the security manager. I can only assume that I need to add a certain permission to my policy file in order for the Log4j2 library to load properly, but I can't figure out what permission I need to add.
Could someone please tell me what I'm missing here, and explain why this is happening? Thanks!
EDIT: Dang, I fixed this somehow, but don't remember exactly how. I'll update here if I remember.
I'm attempting to deploy a WAR to Tomcat and running into problems with the Java Security Manager. This is Tomcat 7.0.55 running Java 1.8.0, and Tomcat is started with parameters like this:
-Dcatalina.base="/path/to/apache-tomcat-7.0.55"
-Dcatalina.home="/path/to/apache-tomcat-7.0.55"
-Djava.endorsed.dirs="/path/to/apache-tomcat-7.0.55\endorsed"
-Djava.security.manager
-Djava.security.policy="/path/to/config/custom_catalina.policy"
The important thing here is that it's enabling the Java Security Manager and then pointing it at a custom security policy, which looks like this:
grant {
permission java.security.AllPermission;
};
It seems like this should result in the rather pointless configuration of activating the security manager and then telling it to just allow everything (I don't run the server so don't blame me!). However, when I deploy my WAR it fails with several stack traces containing things like:
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.version" "read")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:457) ~[?:1.8.0_51]
at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_51]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_51]
at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294) ~[?:1.8.0_51]
at java.lang.System.getProperty(System.java:753) ~[?:1.8.0_51]
at org.apache.commons.lang3.JavaVersion.maxVersion(JavaVersion.java:196) ~[commons-lang3-3.4.jar:3.4]
I've tried explicitly granting AllPermission to my own application with something like:
grant codeBase "file:${catalina.home}/webapps/myApp/-" {
permission java.security.AllPermission;
};
and even explicitly granting the PropertyPermission to read java.version. None of it makes any difference. The same AccessControlExceptions still get thrown and prevent deployment.
What is going on here? How can I troubleshoot this?
Ours was not coming during deployment, rather while heavy load testing.
We changed the Connector in server.xml from Nio2 to Nio and it solved problem for us
org.apache.coyote.http11.Http11NioProtocol (The first version of NIO, instead of NIO2).
We didn't disable tomcat security manager, that is against our firm's policy.
I'm learning to use Security Manager, and I'm getting this error when I run my unit tests:
Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\Users\[username]\AppData\Local\NetBeans\Cache\7.4\executor-snippets\junitvmwatcher1469887727677239882.properties" "write")
It's simple enough grant permission to that directory. The problem is I run this code on different computers. Ideally, I'd like to do something like this:
permission java.io.FilePermission "*/NetBeans/Cache/7.4/-", "write";
But apparently SecurityManager doesn't recognize wildcard characters at the beginning of the path. I've tried using both an asterisk and a dash. Neither works.
Basically, I'd like to get my tests to run without needing to hard-code an absolute path. Is there another way to achieve this?
You can use property expansion in policy files:
For example, permission java.io.FilePermission "${user.home}", "read";
will expand "${user.home}" to use the value of the "user.home" system property.
Could you set:
permission java.io.FilePermission "${user.home}/AppData/Local/NetBeans/-", "write";
to get what you wanted?
I'm dealing with a badly-behaved library (JRuby) which tries to read the entire universe and then fails to deal with the SecurityException as well, thus fails to start up at all.
Caused by: org.jruby.exceptions.RaiseException: (LoadError) library `java' could not be loaded: java.security.AccessControlException: access denied ("java.io.FilePermission" "/Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/lib/ant-javafx.jar" "read")
I don't mind JRuby (or any other library, for that matter) reading the entire universe, though, so I am trying to figure out how to add this to the grants. This jar file turns out to be on the java.class.path, but I can't figure out the rule to grant the permission.
Taking examples from other policy files I have seen in the past, I have been trying things like this:
grant {
permission java.io.FilePermission "${{java.class.path}}", "read, execute";
permission java.io.FilePermission "${{java.class.path}}/-", "read, execute";
};
But it makes no difference whatsoever, so I suspect this ${{...}} syntax only works for the codeBase.
Is there a way to do it for file permissions as well?
I am very new to Java, just completed a Java fundamentals coarse. already found a lot of answers and help on the diffenrent forums on the web.
I have designed an Applet with sql db access. Running it on NetBeans IDE 7.2.1, it works 100%, but as soon as i run it with a .html file with the NetBeans view command, I get the following error.
äccess denied "java.lang.RuntimePermission" "accessClassInpackage.sun.jdbc.odbc"
I have already added the following lines to the java policy file in the jre directory.
permission java.lang.RuntimePermission "accessClassInPackage.sun.jdbc.odbc", "read";
permission java.lang.RuntimePermission "accessClassInPackage.sun.jdbc.odbc", "write";
permission java.util.PropertyPermission "file.encoding", "read";
permission java.util.PropertyPermission "file.encoding", "write";
what am i doing wrong, or what is required to run the applet in the browser?
I don't think that applets can open JDBC connections from sandbox. You probably have to sign your applet something like this
http://www.qoppa.com/faq/signapplet.htm