I'm attempting to deploy a WAR to Tomcat and running into problems with the Java Security Manager. This is Tomcat 7.0.55 running Java 1.8.0, and Tomcat is started with parameters like this:
-Dcatalina.base="/path/to/apache-tomcat-7.0.55"
-Dcatalina.home="/path/to/apache-tomcat-7.0.55"
-Djava.endorsed.dirs="/path/to/apache-tomcat-7.0.55\endorsed"
-Djava.security.manager
-Djava.security.policy="/path/to/config/custom_catalina.policy"
The important thing here is that it's enabling the Java Security Manager and then pointing it at a custom security policy, which looks like this:
grant {
permission java.security.AllPermission;
};
It seems like this should result in the rather pointless configuration of activating the security manager and then telling it to just allow everything (I don't run the server so don't blame me!). However, when I deploy my WAR it fails with several stack traces containing things like:
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.version" "read")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:457) ~[?:1.8.0_51]
at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_51]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_51]
at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294) ~[?:1.8.0_51]
at java.lang.System.getProperty(System.java:753) ~[?:1.8.0_51]
at org.apache.commons.lang3.JavaVersion.maxVersion(JavaVersion.java:196) ~[commons-lang3-3.4.jar:3.4]
I've tried explicitly granting AllPermission to my own application with something like:
grant codeBase "file:${catalina.home}/webapps/myApp/-" {
permission java.security.AllPermission;
};
and even explicitly granting the PropertyPermission to read java.version. None of it makes any difference. The same AccessControlExceptions still get thrown and prevent deployment.
What is going on here? How can I troubleshoot this?
Ours was not coming during deployment, rather while heavy load testing.
We changed the Connector in server.xml from Nio2 to Nio and it solved problem for us
org.apache.coyote.http11.Http11NioProtocol (The first version of NIO, instead of NIO2).
We didn't disable tomcat security manager, that is against our firm's policy.
Related
In redhat-openjdk:1.8.0, jvm java.policy and custom.policy file's java.version is being effective on the activeprocess
I've configured the java process to use java security manager and it uses Apache server to run the process. So Apache client look for "java.version" read permission in default and/or custom policy file.
I've included ready property permission, yet i'm getting weird AccessControlException.
Exception i'm seeing is:
java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.lang.RuntimeException: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.version" "read")
I've right permissions in place Property permission entry in jvm/secruity/java.policy
permission java.util.PropertyPermission "java.version", "read";
and in custom.policy ( -Djava.security.manager -Djava.security.policy=custom.policy), file path fully-qualified, i just shortened for better understanding):
permission java.util.PropertyPermission "java.version", "read";
Expectation is to run java process with out issues, but that's not happening.
Edit 1:
I've also tried enforcing all permission using below line:
grant{
permission java.security.AllPermission;
};
But seems like it is still not working. I've also tried using '==' while setting up policy file, which mean
`If you use
java -Djava.security.manager -Djava.security.policy==someURL SomeApp
(note the double equals) then just the specified policy file will be used; all the ones indicated in the security properties file will be ignored.`
As per jdk 8 doc
Any help is much appreciated.
Looks to me that the policy is not in effect. In case you have multiple JDK releases installed, are you sure that you've modified the default policy for the same release that you are running with? I'd start by granting AllPermissions just to make sure that the policy is in effect, and then focus on the permission line itself.
When starting for example Elasticsearch 5.5 :
main ERROR Could not register mbeans java.security.AccessControlException: access denied ("javax.management.MBeanTrustPermission" "register")
Workaround with Oracle Java 1.8.0_131 is to open file <jre>/lib/security/java.policy and add this line to grant section (i.e. between curly brackets):
permission javax.management.MBeanTrustPermission "register";
Why workaround? The upright solution would be to specify extra grant section which code exactly should get this permission.
got the same error and the answer is here java.security.AccessControlException when using Ant, but runs ok when invoking java from console
Append the grant section in java.policy file with
permission javax.management.MBeanTrustPermission "register";
I had this same issue when moving from a single instance to two instances locally.
I tried what Alice suggested above. Even re-installed Elasticsearch (5.5.0).
I also updated my Java to the latest one for Linux provided by Oracle.
Nothing was working. Then I discovered, that I couldn't just take the elasticsearch-5.5.0/config directory and rename it to elasticsearch-5.5.0/node1.
So... I had to leave that config directory in place and clone it to node1/node2.
EVEN if I configure path.config in the runtime args, ES still needs that base line config directory.
Hope this helps.
I faced same issue on Ubuntu-16.04 system.
Solution:
ElasticSeearch service is not allowed to run for "ROOT" user. That's why change the ownership of elasticsearch folder with below command:
go to Elasticseach installation directory
$ sudo chown -R user_name:user_Group elasticsearch-5.5.0
$/bin/elasticsearch
this will start elasticsearch service. It is working form me perfectly.
I'm running a java applet embedded into a Grails application on my local. The applet should connect to the Google Maps API, but it gives me access denied.
Exception in thread "AWT-EventQueue-11" java.security.AccessControlException: access denied ("java.net.SocketPermission" "maps.googleapis.com:80" "connect,resolve")
When running the .java file in the applet viewer, the connection is fine, however when the applet is running on the tomcat server, I get access denied.
I've tried every solution I could find - granting permissions, signing the .jar file, creating and crossdomain.xml file and so on. Nothing works.
I'm running java version "1.8.0_40" on ubuntu.
You have to put the your applet inside of a jar and sign it using jarsigner
I'm dealing with a badly-behaved library (JRuby) which tries to read the entire universe and then fails to deal with the SecurityException as well, thus fails to start up at all.
Caused by: org.jruby.exceptions.RaiseException: (LoadError) library `java' could not be loaded: java.security.AccessControlException: access denied ("java.io.FilePermission" "/Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/lib/ant-javafx.jar" "read")
I don't mind JRuby (or any other library, for that matter) reading the entire universe, though, so I am trying to figure out how to add this to the grants. This jar file turns out to be on the java.class.path, but I can't figure out the rule to grant the permission.
Taking examples from other policy files I have seen in the past, I have been trying things like this:
grant {
permission java.io.FilePermission "${{java.class.path}}", "read, execute";
permission java.io.FilePermission "${{java.class.path}}/-", "read, execute";
};
But it makes no difference whatsoever, so I suspect this ${{...}} syntax only works for the codeBase.
Is there a way to do it for file permissions as well?
We are facing an issue during the deployment of an application into the CCIX Dev environment(App id is cet).
We are using Spring framework 3.1.0 as the MVC framework in our application. When we deploy the application, Spring starts initializing its own container. One of the steps during this process is to read all the environment variables. Spring achieves this by invoking a method System.getenv() which will return all the environment variables and the corresponding values in the system. During this step, a security exception is thrown as given below
[8/30/13 1:20:13:965 EDT] 00000014 SecurityManag W SECJ0314W: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Please refer to InfoCenter for further information.
Permission:
getenv.* : Access denied (java.lang.RuntimePermission getenv.*)
Code:
org.springframework.core.env.AbstractEnvironment in {file:/opt/httpd/root/apps/cet/ibm/ccix-dev-ear/caseesc.war/WEB-INF/lib/spring-core-3.2.1.RELEASE.jar}
Stack Trace:
java.security.AccessControlException: Access denied (java.lang.RuntimePermission getenv.*)
We tried to debug this by adding the line below line in was.policy file.
permission java.lang.RuntimePermission "getenv.*";
This is failing as the system does not allow the permission declaration with a wild character(*).
Also tried adding the below lines in application context file,but still no luck.
Please assist.
Try adding into WebSphere's JRE java.policy file e.g. /opt/IBM/WebSphere/AppServer/java/jre/lib/security/java.policy