We have a WAR application deployed on Tomcat 7.0.65. This application uses a library that has a bunch of polygon.txt files in it's resource directory. Whenever the library is invoked it throws a file permission exception on the jar file in the exploded war directory.
here is the error:
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/var/lib/tomcat7/webapps/**/WEB-INF/lib/table-service-1.37.jar" "read")
at org.apache.catalina.loader.WebappClassLoaderBase.getResourceAsStream(WebappClassLoaderBase.java:1659) ~[catalina-7.0.65.jar:7.0.65]
at com.**.PropertyGeometryDAO.initialize(PropertyGeometryDAO.java:47) ~[table-service-1.37.jar:?]
Thrown at this line in the code:
try (InputStream stream = getClass().getClassLoader().getResourceAsStream(fileName))
Here is the catalina.policy file defining the permissions:
permission java.io.FilePermission "/usr/share/tomcat7/webapps/*", "read";
We also have separate WAR's deployed on the same Tomcat using the same library that are working just fine.
The exception is for
"/var/lib/tomcat7/webapps/**/WEB-INF/lib/table-service-1.37.jar"
but your permission is for
permission java.io.FilePermission "/usr/share/tomcat7/webapps/*", "read";
Related
In redhat-openjdk:1.8.0, jvm java.policy and custom.policy file's java.version is being effective on the activeprocess
I've configured the java process to use java security manager and it uses Apache server to run the process. So Apache client look for "java.version" read permission in default and/or custom policy file.
I've included ready property permission, yet i'm getting weird AccessControlException.
Exception i'm seeing is:
java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.lang.RuntimeException: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.version" "read")
I've right permissions in place Property permission entry in jvm/secruity/java.policy
permission java.util.PropertyPermission "java.version", "read";
and in custom.policy ( -Djava.security.manager -Djava.security.policy=custom.policy), file path fully-qualified, i just shortened for better understanding):
permission java.util.PropertyPermission "java.version", "read";
Expectation is to run java process with out issues, but that's not happening.
Edit 1:
I've also tried enforcing all permission using below line:
grant{
permission java.security.AllPermission;
};
But seems like it is still not working. I've also tried using '==' while setting up policy file, which mean
`If you use
java -Djava.security.manager -Djava.security.policy==someURL SomeApp
(note the double equals) then just the specified policy file will be used; all the ones indicated in the security properties file will be ignored.`
As per jdk 8 doc
Any help is much appreciated.
Looks to me that the policy is not in effect. In case you have multiple JDK releases installed, are you sure that you've modified the default policy for the same release that you are running with? I'd start by granting AllPermissions just to make sure that the policy is in effect, and then focus on the permission line itself.
I get an error
IOException:access denied ("java.io.FilePermission"
"D:\certainfilelocation" "read")
When accessing a file while using OpenJDK10 instead of JRE.
I also added in the java.policy this line
jdk-10.0.2\conf\security
permission java.io.FilePermission "<< ALL FILES >>","read";
But I still get the same error.
Is there any way? Thanks
I'm learning to use Security Manager, and I'm getting this error when I run my unit tests:
Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\Users\[username]\AppData\Local\NetBeans\Cache\7.4\executor-snippets\junitvmwatcher1469887727677239882.properties" "write")
It's simple enough grant permission to that directory. The problem is I run this code on different computers. Ideally, I'd like to do something like this:
permission java.io.FilePermission "*/NetBeans/Cache/7.4/-", "write";
But apparently SecurityManager doesn't recognize wildcard characters at the beginning of the path. I've tried using both an asterisk and a dash. Neither works.
Basically, I'd like to get my tests to run without needing to hard-code an absolute path. Is there another way to achieve this?
You can use property expansion in policy files:
For example, permission java.io.FilePermission "${user.home}", "read";
will expand "${user.home}" to use the value of the "user.home" system property.
Could you set:
permission java.io.FilePermission "${user.home}/AppData/Local/NetBeans/-", "write";
to get what you wanted?
I'm dealing with a badly-behaved library (JRuby) which tries to read the entire universe and then fails to deal with the SecurityException as well, thus fails to start up at all.
Caused by: org.jruby.exceptions.RaiseException: (LoadError) library `java' could not be loaded: java.security.AccessControlException: access denied ("java.io.FilePermission" "/Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/lib/ant-javafx.jar" "read")
I don't mind JRuby (or any other library, for that matter) reading the entire universe, though, so I am trying to figure out how to add this to the grants. This jar file turns out to be on the java.class.path, but I can't figure out the rule to grant the permission.
Taking examples from other policy files I have seen in the past, I have been trying things like this:
grant {
permission java.io.FilePermission "${{java.class.path}}", "read, execute";
permission java.io.FilePermission "${{java.class.path}}/-", "read, execute";
};
But it makes no difference whatsoever, so I suspect this ${{...}} syntax only works for the codeBase.
Is there a way to do it for file permissions as well?
final File parentDir = new File("S:\\PDSPopulatingProgram");
parentDir.mkdir();
final String hash = "popupateData";
final String fileName = hash + ".txt";
final File file = new File(parentDir, fileName);
file.createNewFile(); // Creates file PDSPopulatingProgram/popupateData.txt
I am trying to create a file in a folder but I am getting exception as
java.security.AccessControlException: Access denied
I am working in windows environment. I can create a folder from the Windows Explorer, but not from the Java Code.
How can I resolve this issue?
Within your <jre location>\lib\security\java.policy try adding:
grant {
permission java.security.AllPermission;
};
And see if it allows you. If so, you will have to add more granular permissions.
See:
Java 8 Documentation for java.policy files
and
http://java.sun.com/developer/onlineTraining/Programming/JDCBook/appA.html
Although it is not recommended, but if you really want to let your web application access a folder outside its deployment directory. You need to add following permission in java.policy file (path is as in the reply of Petey B)
permission java.io.FilePermission "your folder path", "write"
In your case it would be
permission java.io.FilePermission "S:/PDSPopulatingProgram/-", "write"
Here /- means any files or sub-folders inside this folder.
Warning: But by doing this, you are inviting some security risk.
Just document it here
on Windows you need to escape the \ character:
"e:\\directory\\-"