I have created a .jar file which contains my classes together with classes which I have extracted from multiple Apache Tomcat jars. Then I have signed the jar and created a JNLP file with <security><all-permissions/>.
But when running my application, WebStart denies access to classes from my jar:
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.deploy)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
at java.security.AccessController.checkPermission(AccessController.java:553)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1529)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:291)
at java.lang.ClassLoader.loadClass(ClassLoader.java:266)
at net.sourceforge.jnlp.runtime.JNLPClassLoader.loadClass(JNLPClassLoader.java:1018)
at java.lang.Class.getDeclaredMethods0(Native Method)
at java.lang.Class.privateGetDeclaredMethods(Class.java:2444)
at java.lang.Class.getMethod0(Class.java:2687)
at java.lang.Class.getMethod(Class.java:1620)
at org.apache.catalina.startup.SetPublicIdRule.begin(WebRuleSet.java:639)
at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1276)
... 33 more
Is this a bug in WebStart or why do I get this security exception?
Try clearing the security manager by calling:
System.setSecurityManager(null);
I have used this from a Java Web Start application to gain complete control but the application needs to be signed and have the
<security>
<all-permissions/>
</security>
as you stated correctly.
Related
Does anyone know how to modify catalina.policy to eliminate this AccessControlException:
Feb 25, 2016 2:31:14 PM org.apache.tomee.catalina.ServerListener install
**SEVERE: TomEE Listener can't start OpenEJB**
java.security.AccessControlException: access denied (**"java.util.PropertyPermission" "tomee.skip-tomcat-log" "read"**)
at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
at java.lang.System.getProperty(System.java:717)
at java.lang.Boolean.getBoolean(Boolean.java:254)
at org.apache.tomee.TomEELogConfigurer.configureLogs(TomEELogConfigurer.java:30)
at org.apache.tomee.catalina.ServerListener.install(ServerListener.java:170)
at org.apache.tomee.catalina.ServerListener.lifecycleEvent(ServerListener.java:55)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:110)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
All I did was click on Enable Security in Eclipse and then restarted the server. Tomcat doesn't even have to load a web app to error out.
Tomcat is launched from within Eclipse with the option:
-Dwtp.configured.security=true
For the record:
Server: Apache Tomcat (TomEE)/7.0.62 (1.7.2)
Eclipse: Eclipse Java EE IDE Version: Mars.1 Release (4.5.1)
Java: jdk 1.8.0_73
Driving me crazy...
I had the same issue and I think, there are two ways which I have discovered as a possible solution, only the first tried:
especially for development purposes is useful to enable everything in catalina.policy, so put following code to the end of the file, then the error disappeared to me:
grant {
permission java.security.AllPermission;
};
I looked into the source code where can be found the given permission and found there is following checking of the given property:
if (!Boolean.getBoolean("tomee.skip-tomcat-log")) {
// do some log initialisation ...
}
so, if you set the environment property "tomee.skip-tomcat-log" to "true" for the Tomcat, the property could be read and initialisation should not happen so the exception possibly could not be thrown...
This is a bug in TomEE catalina.policy regarding tomcat-juli.
Currently TomEE 8.0.9 and TomEE 9.0.0-M7 are affected.
Add the following two lines to your catalina.policy:
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
...
permission java.util.PropertyPermission "tomee.skip-tomcat-log", "read";
permission java.lang.RuntimePermission "accessDeclaredMembers";
...
};
See:
https://issues.apache.org/jira/browse/TOMEE-3840
https://issues.apache.org/jira/browse/TOMEE-3843
Feel free to create a bug ticket at TomEE project.
I am trying to access an api on a server. I am using jersey with java 1.6.
I have two environment with the same java version 1.6.
On the first everything works perfectly!
On the second (where I need to deploy the application) I have an error:
Exception in thread "main" java.security.AccessControlException: Access denied (
java.security.AllPermission <all permissions> <all actions>)
at java.security.AccessController.checkPermission(AccessController.java:
108)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:533)
at java.net.URLClassLoader$9.run(URLClassLoader.java:924)
at java.security.AccessController.doPrivileged(AccessController.java:224
)
at java.net.URLClassLoader.getPermissions(URLClassLoader.java:922)
at java.security.SecureClassLoader.getPD(SecureClassLoader.java:101)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:69
)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:529)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:440)
at java.net.URLClassLoader.access$300(URLClassLoader.java:68)
at java.net.URLClassLoader$ClassFinder.run(URLClassLoader.java:1027)
at java.security.AccessController.doPrivileged(AccessController.java:284
)
at java.net.URLClassLoader.findClass(URLClassLoader.java:418)
at java.lang.ClassLoader.loadClass(ClassLoader.java:660)
at java.lang.ClassLoader.loadClass(ClassLoader.java:626)
at java.lang.Class.forNameImpl(Native Method)
at java.lang.Class.forName(Class.java:172)
at org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader.main(JarRsrcLoa
der.java:56)
Has anyone encountered this problem before or might know how to resolve it?
I am running my Java-FX application via webstart by tomcat server.
After signing and versioning of jars I having this problem when am accessing it through web browser.
I am using jnlp and version protocol to start the application through tomcat server.
ExitException[ 3]com.sun.deploy.net.FailedDownloadException: Unable to load resource:
(httP://127.0.0.1:8080/gyms/lib/commons-collections-3.2.1.jar?version-id=1.0.1, 1.0.1)
at sun.plugin2.applet.JNLP2Manager.downloadResources(Unknown Source)
at sun.plugin2.applet.JNLP2Manager.prepareLaunchFile(Unknown Source)
at sun.plugin2.applet.JNLP2Manager.loadJarFiles(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
It seems you are using a jnlp-file with a line like this:
<jar href="commons-collections-3.2.1.jar" version="1.0.1" />
So you are using the version-based download protocol. This will result in the server looking for a file called commons-collections-3.2.1__V1.0.1.jar which apparently is not there.
Bottom line: do not specify two conflicting version-numbers in your jnlp. Decide wether you want to use versioned download and omit the version-number in the href-attribute or use simple download and omit the version-attribute.
Problem is solved because I am using Java 1.7.51 update and also i am usin third api which is not supported in java 8 which is also installed in my desktop.
The program(x86) should not have any version of java greater than java 7 as the application is taking java/bin from x86 only.
that is why that failed download exception is coming at run time.
i have an applet, in eclipse everything works right, but, when i export the jar, and embed to my website(which i have to embed every jackson jar too), im getting this error:
com.fasterxml.jackson.databind.JsonMappingException: Can not access public ticket.Ticket() (from class ticket.Ticket; failed to set access: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
at com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCache2(DeserializerCache.java:272)
at com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCacheValueDeserializer(DeserializerCache.java:247)
at com.fasterxml.jackson.databind.deser.DeserializerCache.findValueDeserializer(DeserializerCache.java:146)
at com.fasterxml.jackson.databind.DeserializationContext.findRootValueDeserializer(DeserializationContext.java:322)
at com.fasterxml.jackson.databind.ObjectMapper._findRootDeserializer(ObjectMapper.java:2990)
at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:2884)
at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2034)
at ticket.Main.init(Main.java:56)
at com.sun.deploy.uitoolkit.impl.awt.AWTAppletAdapter.init(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.IllegalArgumentException: Can not access public ticket.Ticket() (from class ticket.Ticket; failed to set access: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
at com.fasterxml.jackson.databind.util.ClassUtil.checkAndFixAccess(ClassUtil.java:510)
at com.fasterxml.jackson.databind.deser.impl.CreatorCollector._fixAccess(CreatorCollector.java:203)
at com.fasterxml.jackson.databind.deser.impl.CreatorCollector.setDefaultConstructor(CreatorCollector.java:106)
at com.fasterxml.jackson.databind.deser.impl.CreatorCollector.setDefaultCreator(CreatorCollector.java:123)
at com.fasterxml.jackson.databind.deser.BasicDeserializerFactory._addDeserializerConstructors(BasicDeserializerFactory.java:369)
at com.fasterxml.jackson.databind.deser.BasicDeserializerFactory._constructDefaultValueInstantiator(BasicDeserializerFactory.java:315)
at com.fasterxml.jackson.databind.deser.BasicDeserializerFactory.findValueInstantiator(BasicDeserializerFactory.java:259)
at com.fasterxml.jackson.databind.deser.BeanDeserializerFactory.buildBeanDeserializer(BeanDeserializerFactory.java:263)
at com.fasterxml.jackson.databind.deser.BeanDeserializerFactory.createBeanDeserializer(BeanDeserializerFactory.java:168)
at com.fasterxml.jackson.databind.deser.DeserializerCache._createDeserializer2(DeserializerCache.java:401)
at com.fasterxml.jackson.databind.deser.DeserializerCache._createDeserializer(DeserializerCache.java:354)
at com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCache2(DeserializerCache.java:267)
... 10 more
What can i do in this case?
An applet that attempts reflection would need to be digitally signed by the developer, and trusted by the user when prompted.
In addition to signing, you should be able to avoid this problem by disabling MapperFeature.CAN_OVERRIDE_ACCESS_MODIFIERS, (see javadoc). This prevents specific call that is failing for you; for non-applet use case this is important for access and performance reasons; but it requires that security manager allows it.
I am having some issues with Tomcat 6 on Ubuntu Karmic. It doesn't start the app failing with various errors.
The first on is:
Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission spring.security.strategy read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:342)
at java.security.AccessController.checkPermission(AccessController.java:553)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1302)
at java.lang.System.getProperty(System.java:669)
at org.springframework.security.core.context.SecurityContextHolder.<clinit>(SecurityContextHolder.java:53)
... 54 more
This is weird, because the very same app runs on Tomcat 6 on Lucid very well. The policy configuration file is the same, I checked. When I add the permission to the conf/policy.d/04webapps.policy file:
permission java.util.PropertyPermission "spring.security.strategy", "read";
it then fails with NoClassDefFoundError:
Caused by: java.lang.NoClassDefFoundError: Could not initialize class net.sf.cglib.proxy.Enhancer
Though cglib is in the lib directory of the war
Please help, I can't find any clue on the reason of this.
Ok, I got it now. By default, in Lucid tomcat runs without a security manager. By default in Karmic security manager is enabled. If it is enabled, you need to fine-tune it for your application needs.