I tried to execute the server in my NetBeans 7.3.1 Java project, but I got this:
Sun Mar 26 15:48:04 EEST 2017 : DRDA_SecurityInstalled.I
Sun Mar 26 15:48:04 EEST 2017 : access denied ("java.net.SocketPermission" "localhost:1527" "listen,resolve")
java.security.AccessControlException: access denied ("java.net.SocketPermission" "localhost:1527" "listen,resolve")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkListen(SecurityManager.java:1131)
at java.net.ServerSocket.bind(ServerSocket.java:374)
at java.net.ServerSocket.<init>(ServerSocket.java:237)
at javax.net.DefaultServerSocketFactory.createServerSocket(ServerSocketFactory.java:231)
at org.apache.derby.impl.drda.NetworkServerControlImpl.createServerSocket(Unknown Source)
at org.apache.derby.impl.drda.NetworkServerControlImpl.access$000(Unknown Source)
at org.apache.derby.impl.drda.NetworkServerControlImpl$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.derby.impl.drda.NetworkServerControlImpl.blockingStart(Unknown Source)
at org.apache.derby.impl.drda.NetworkServerControlImpl.executeWork(Unknown Source)
at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
I've been looking for the solution and I found one - change the permissions in the java.policy file. Well, I did it:
// Standard extensions get all permissions by default
grant codeBase "file:${{java.home}}/*" {
permission java.security.AllPermission;
};
// default permissions granted to all domains
grant {
// Allows any thread to stop itself using the java.lang.Thread.stop()
// method that takes no argument.
// Note that this permission is granted by default only to remain
// backwards compatible.
// It is strongly recommended that you either remove this permission
// from this policy file or further restrict it to code sources
// that you specify, because Thread.stop() is potentially unsafe.
// See the API specification of java.lang.Thread.stop() for more
// information.
permission java.lang.RuntimePermission "stopThread";
// allows anyone to listen on dynamic ports
permission java.net.SocketPermission "localhost:0", "listen";
// "standard" properies that can be read by anyone
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
permission java.net.SocketPermission "localhost:1527", "listen";// here I added this string that should resolve this problem
};
After those steps I tried to start the server, but the same exception is still thrown. Maybe I'm doing something wrong?
Found a few things that might help.
Use:
permission java.net.SocketPermission "localhost:1527", "listen";
instead of:
permission java.net.SocketPermission "localhost:0", "listen";
Make sure you are modifying the correct policy file in case multiple JREs are present on your system. To verify this, use:
System.out.println(System.getProperty("java.home"));
Then make changes to :
{Above path}\lib\security\java.policy
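A way to test grant lines against the denied permission without restarting the server, added here as an example that is not part of the original posts: it parses the `access denied (...)` text and each `permission` line, builds the corresponding `java.security.Permission` objects and asks `implies()`. It goes beyond the socket case and accepts any permission class with a `(name)` or `(name, actions)` constructor; the class name `PolicyLineCheck` and both regular expressions are assumptions of this example, and the sample strings are copied from the posts on this page.

```java
import java.security.Permission;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added diagnostic example: which policy lines imply a denied permission? */
public class PolicyLineCheck {
    // access denied ("class" "target" "actions"); the actions part is optional
    static final Pattern DENIED = Pattern.compile(
        "access denied \\(\"([^\"]+)\" \"([^\"]*)\"(?: \"([^\"]*)\")?\\)");
    // permission class "target"[, "actions"];
    static final Pattern GRANT = Pattern.compile(
        "permission\\s+([\\w.$]+)\\s+\"([^\"]*)\"(?:\\s*,\\s*\"([^\"]*)\")?\\s*;");

    static Permission build(String cls, String target, String actions) throws Exception {
        // Refuse anything that is not a java.security.Permission subclass.
        Class<? extends Permission> c = Class.forName(cls).asSubclass(Permission.class);
        return actions == null
            ? c.getConstructor(String.class).newInstance(target)
            : c.getConstructor(String.class, String.class).newInstance(target, actions);
    }

    static Permission parse(Pattern p, String line) throws Exception {
        Matcher m = p.matcher(line);
        if (!m.find()) throw new IllegalArgumentException("unrecognised line: " + line);
        return build(m.group(1), m.group(2), m.group(3));
    }

    public static void main(String[] args) throws Exception {
        // Exception text and grant lines as they appear in the posts on this page.
        String exception = "java.security.AccessControlException: access denied "
            + "(\"java.net.SocketPermission\" \"localhost:1527\" \"listen,resolve\")";
        String[] grants = {
            "permission java.net.SocketPermission \"localhost:0\", \"listen\";",
            "permission java.net.SocketPermission \"localhost:1527\", \"listen\";",
            "permission java.net.SocketPermission \"localhost:1024-\", \"listen\";",
            "permission java.util.PropertyPermission \"java.version\", \"read\";",
        };
        Permission denied = parse(DENIED, exception);
        for (String g : grants) {
            Permission granted = parse(GRANT, g);
            // implies() is the same test the access controller applies to each grant.
            System.out.printf("%-7s %s%n", granted.implies(denied) ? "COVERS" : "no", g);
        }
    }
}
```

`SocketPermission` documents that `resolve` is implied by any other action, so a `listen` grant on the right port also covers the `listen,resolve` request. A line reported as `COVERS` that still produces the exception at runtime points at a different policy file being in effect.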
I have an app that uses RMI and works when I have the security policy set to
//
// Allow everything for now
//
permission java.security.AllPermission;
But, when I try to lock it down with the policy below, I get this exception - which makes me think something about the classpath is off and I need to add something about classpath in the policy, but I don't know what.
Also - any idea why I have to set the socket permissions all the different ways (loopback, name, base ip)?
Caused by: java.lang.NoClassDefFoundError: Could not initialize class org.apache.logging.log4j.util.PropertiesUtil
at org.apache.logging.log4j.status.StatusLogger.<clinit>(StatusLogger.java:78)
at org.apache.logging.log4j.LogManager.<clinit>(LogManager.java:61)
grant codeBase "file:/C:/apps/abc/xyz/*" {
//
// Allow everything for now
//permission java.security.AllPermission;
permission java.net.SocketPermission "127.0.0.1:*", "accept,connect,resolve";
permission java.net.SocketPermission "localhost:6990", "listen,accept,connect,resolve";
permission java.net.SocketPermission "localhost:6993", "listen,accept,connect,resolve";
permission java.net.SocketPermission "XPS7590.abc.local", "resolve";
permission java.net.SocketPermission "192.168.1.125:6993", "listen,accept,connect,resolve";
permission java.util.PropertyPermission "user.dir", "read";
permission java.util.PropertyPermission "LicenseFilename", "read";
permission java.util.PropertyPermission "HostId", "read";
permission java.io.FilePermission ".", "read";
permission java.io.FilePermission "C:/Apps/abc/xyz/-", "read";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "createClassLoader";
//permission java.lang.RuntimePermission "setContextClassLoader";
};
The fix for this was to add the following line to my policy file.
permission java.lang.RuntimePermission "getClassLoader";
I've a little Java code that writes a string to a file. I've created a .java.policy file in my home directory in Ubuntu with the following contents:
/* AUTOMATICALLY GENERATED ON Mon Jun 24 11:27:02 IST 2019*/
/* DO NOT EDIT */
grant codeBase "" {
permission java.io.FilePermission "<<ALL FILES>>", "read";
};
grant codeBase "file:/home/ScienceGuy/Desktop/Testing/javasecurity/*" {
permission java.io.FilePermission "<<ALL FILES>>", "read";
};
When I run my java code, it simply creates the file and writes the string. I expect it to fail because the policy gives it read only access to files. How can I make the policy file work?
I tried to edit the java.security file and check the url.2 line to make sure it points to the policy file. Doesn't help.
I have the following policy file:
grant codeBase "file:./Cookie.jar",
Principal javax.security.auth.kerberos.KerberosPrincipal
"MyUsr#domain.com"
Principal javax.security.auth.kerberos.KerberosPrincipal
"OtherUsr#domain.com" {
permission java.util.PropertyPermission "java.vm.*", "read,write";
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "user.home", "read";
permission java.io.FilePermission "foo.txt", "read";
};
grant {
permission java.util.PropertyPermission "*","read,write";
permission javax.security.auth.AuthPermission "createLoginContext.Cookie";
permission java.security."*";
};
Whenever I execute: java -jar Cookie.jar my program works as intended and I have no problem loading log4j.
However, when I execute the following to enable the security manager (using the above policy file):
java -Djava.security.manager -Djava.security.policy==java.policy -jar Cookie.jar -Djava.security.auth.login.config=auth.conf
I end up getting this ERROR:
StatusLogger Log4j2 could not find a logging implementation. Please add log4j-core to the classpath. Using SimpleLogger to log to the console...
This is the same error I would get if I didn't have log4j on the classpath, however, log4j is on the classpath.
I have determined for certain that the issue is caused by the security manager. I can only assume that I need to add a certain permission to my policy file in order for the Log4j2 library to load properly, but I can't figure out what permission I need to add.
Could someone please tell me what I'm missing here, and explain why this is happening? Thanks!
EDIT: Dang, I fixed this somehow, but don't remember exactly how. I'll update here if I remember.
I am using
Windows 7 64 bit (also has Program Files (x86)),
JRE 7 & jdk1.7.0_25
I got the following error while accessing my applet file in IE8 (8.0.7600.16385)
java.security.accesscontrolexception access denied (java.util.propertypermission user.dir read)
However, I can get to my next page/results, but I can't bypass/handle this exception.
The same file works on Windows 7 32 bit when I changed the java.policy file to the following.
// Standard extensions get all permissions by default
grant codeBase "file:${java.home}/lib/ext/*" {
permission java.util.PropertyPermission "user.dir", "read";
permission java.security.AllPermission;
};
// default permissions granted to all domains
grant codeBase "file:C:/Inetpub/wwwroot/applets/*" {
permission java.util.PropertyPermission "user.dir", "read";
permission java.security.AllPermission;
};
grant codeBase "file:C:/Inetpub/wwwroot/applets/ordered.xslt" {
permission java.util.PropertyPermission "user.dir", "read";
permission java.security.AllPermission;
};
grant codeBase "file:C:/Inetpub/wwwroot/applets/nonOrdered.xslt" {
permission java.util.PropertyPermission "user.dir", "read";
permission java.security.AllPermission;
};
grant codeBase "file:C:/Inetpub/wwwroot/applets/common.xsl" {
permission java.util.PropertyPermission "user.dir", "read";
permission java.security.AllPermission;
};
grant {
permission java.util.PropertyPermission "user.dir", "read";
permission java.security.AllPermission;
};
//grant {
// Allows any thread to stop itself using the java.lang.Thread.stop()
// method that takes no argument.
// Note that this permission is granted by default only to remain
// backwards compatible.
// It is strongly recommended that you either remove this permission
// from this policy file or further restrict it to code sources
// that you specify, because Thread.stop() is potentially unsafe.
// See "http://java.sun.com/notes" for more information.
// permission java.lang.RuntimePermission "stopThread";
// allows anyone to listen on un-privileged ports
// permission java.net.SocketPermission "localhost:1024-", "listen";
// "standard" properies that can be read by anyone
// permission java.util.PropertyPermission "java.version", "read";
// permission java.util.PropertyPermission "java.vendor", "read";
// permission java.util.PropertyPermission "java.vendor.url", "read";
// permission java.util.PropertyPermission "java.class.version", "read";
// permission java.util.PropertyPermission "os.name", "read";
// permission java.util.PropertyPermission "os.version", "read";
// permission java.util.PropertyPermission "os.arch", "read";
// permission java.util.PropertyPermission "file.separator", "read";
// permission java.util.PropertyPermission "path.separator", "read";
// permission java.util.PropertyPermission "line.separator", "read";
// permission java.util.PropertyPermission "java.specification.version", "read";
// permission java.util.PropertyPermission "java.specification.vendor", "read";
// permission java.util.PropertyPermission "java.specification.name", "read";
// permission java.util.PropertyPermission "java.vm.specification.version", "read";
// permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
// permission java.util.PropertyPermission "java.vm.specification.name", "read";
// permission java.util.PropertyPermission "java.vm.version", "read";
// permission java.util.PropertyPermission "java.vm.vendor", "read";
// permission java.util.PropertyPermission "java.vm.name", "read";
// permission java.net.SocketPermission "softag2:1024-65535","connect,accept,resolve,listen";
// permission java.net.SocketPermission "softag2:80", "connect,accept,resolve,listen";
//};
I solved it myself by replacing my java.policy file with the following, and it worked on several machines. Anyone coming around here may get help from it.
/* AUTOMATICALLY GENERATED ON Tue Dec 10 14:15:46 PKT 2013*/
/* DO NOT EDIT */
grant codeBase "file:/C:/Users/Administrator/Desktop/New%20Folder%20(2)/Java/jre6/lib/ext/*" {
permission java.security.AllPermission;
};
grant codeBase "file:/C:/Windows/Sun/Java/lib/ext/*" {
permission java.security.AllPermission;
};
grant {
permission java.lang.RuntimePermission "stopThread";
permission java.net.SocketPermission "localhost:1024-", "listen";
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
permission java.security.AllPermission;
};
Our Java policy file used to just be:
grant {
permission java.security.AllPermission;
};
I am trying to make our application more secure than just granting everything to everyone. I have it working well, except I am having trouble giving permission to files.
The error I currently get is:
java.security.AccessControlException: access denied (java.io.FilePermission \\server.log write)
I have tried so many combinations of things, such as:
permission java.io.FilePermission "\\\\server.log", "write";
permission java.io.FilePermission "C:\\Temp\\logs\\server.log", "write";
permission java.io.FilePermission "\\server.log", "write";
permission java.io.FilePermission "${TEMP}${/}-", "write";
permission java.io.FilePermission "*", "read,write";
The only way I can get it to work is using:
grant {
permission java.security.AllPermission;
};
I get the error "java.io.FileNotFoundException: \server.log (The filename, directory name, or volume label syntax is incorrect)" when using (even when the files do exist):
permission java.io.FilePermission "<<ALL FILES>>", "write";
Just wondering if anyone had any other ideas to try. I don't really want to have to resort to granting all just to get the file permissions right, obviously I am missing something.
EDIT:
I just realized that maybe this is a clue in the log file:
log4j:ERROR setFile(null,false) call failed.
Maybe I need some permissions for this specifically? Digging around Google now....
The Oracle documentation has some examples:
https://docs.oracle.com/javase/8/docs/technotes/guides/security/spec/security-spec.doc3.html
permission java.io.FilePermission "myfile", "read,write";
permission java.io.FilePermission "/home/gong/", "read";
permission java.io.FilePermission "/tmp/mytmp", "read,delete";
permission java.io.FilePermission "/bin/*", "execute";
permission java.io.FilePermission "*", "read";
permission java.io.FilePermission "/-", "read,execute";
permission java.io.FilePermission "-", "read,execute";
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "c:\\temp\\foo", "read,write,delete";
// this one works for me
I think the problem is because you are trying to write to a file without permission to read it.
permission java.io.FilePermission "C:\\folder\\*", "read, write";