I'm trying to prohibit the call to System.exit(int); in some jars.
These jars will be developed by external teams and loaded by our "container" application .
My first reflex is to use the java security manager:
-Djava.security.manager-Djava.security.debug=all
with the simplest ${user.home}/.java.policy file :
grant {};
Although I can no longer call such as System.getProperties () (since I do not have java.util.PropertyPermission), I can do a System.exit (0) !!
The option java.security.debug=all gives the following console:
scl: getPerms ProtectionDomain (file: my-bin-path <no sign certificates>)
sun.misc.Launcher $ AppClassLoader # 10385c1
<no principals>
java.security.Permissions # 15b7986 (
(java.lang.RuntimePermission exitVM)
(java.io.FilePermission \my-bin-path\- read)
)
Why do all classes in my-bin-path have java.lang.RuntimePermission exitVM granted ?????
thanks
According to the bug report, http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4286238, the policy file wasn't dis-allowing System.exit() calls. I'm running an application with Java 1.6 and am still seeing this bug despite it being "resolved." Similar to the OP, I have a system wide policy file which does not include a permission for exitVM. However, I am able to exit the application without any exception being thrown.
My understanding of including a custom policy file is that all permissions are blacklisted except those included in the policy file. Since exitVM is not included it should be disallowed (overriding the default permission mentioned by MicSim). But this is not the case.
From the Javadoc of RuntimePermission:
Note: The "exitVM.*" permission is automatically granted to all code loaded from the application class path, thus enabling applications to terminate themselves.
Reading this, it seems you have to explicitly deny this permission by writing your own SecurityManager. (For an example, see this answer: Prevent System.exit to actually exit the JVM)
Alternatively you could do AOP and intercept System.exit. Doing that yourself would be: create your own class loader and use BPEL to trace System.exit, and patch those calls. Really not a large effort.
Related
In redhat-openjdk:1.8.0, jvm java.policy and custom.policy file's java.version is being effective on the activeprocess
I've configured the java process to use java security manager and it uses Apache server to run the process. So Apache client look for "java.version" read permission in default and/or custom policy file.
I've included ready property permission, yet i'm getting weird AccessControlException.
Exception i'm seeing is:
java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.lang.RuntimeException: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.version" "read")
I've right permissions in place Property permission entry in jvm/secruity/java.policy
permission java.util.PropertyPermission "java.version", "read";
and in custom.policy ( -Djava.security.manager -Djava.security.policy=custom.policy), file path fully-qualified, i just shortened for better understanding):
permission java.util.PropertyPermission "java.version", "read";
Expectation is to run java process with out issues, but that's not happening.
Edit 1:
I've also tried enforcing all permission using below line:
grant{
permission java.security.AllPermission;
};
But seems like it is still not working. I've also tried using '==' while setting up policy file, which mean
`If you use
java -Djava.security.manager -Djava.security.policy==someURL SomeApp
(note the double equals) then just the specified policy file will be used; all the ones indicated in the security properties file will be ignored.`
As per jdk 8 doc
Any help is much appreciated.
Looks to me that the policy is not in effect. In case you have multiple JDK releases installed, are you sure that you've modified the default policy for the same release that you are running with? I'd start by granting AllPermissions just to make sure that the policy is in effect, and then focus on the permission line itself.
When starting for example Elasticsearch 5.5 :
main ERROR Could not register mbeans java.security.AccessControlException: access denied ("javax.management.MBeanTrustPermission" "register")
Workaround with Oracle Java 1.8.0_131 is to open file <jre>/lib/security/java.policy and add this line to grant section (i.e. between curly brackets):
permission javax.management.MBeanTrustPermission "register";
Why workaround? The upright solution would be to specify extra grant section which code exactly should get this permission.
got the same error and the answer is here java.security.AccessControlException when using Ant, but runs ok when invoking java from console
Append the grant section in java.policy file with
permission javax.management.MBeanTrustPermission "register";
I had this same issue when moving from a single instance to two instances locally.
I tried what Alice suggested above. Even re-installed Elasticsearch (5.5.0).
I also updated my Java to the latest one for Linux provided by Oracle.
Nothing was working. Then I discovered, that I couldn't just take the elasticsearch-5.5.0/config directory and rename it to elasticsearch-5.5.0/node1.
So... I had to leave that config directory in place and clone it to node1/node2.
EVEN if I configure path.config in the runtime args, ES still needs that base line config directory.
Hope this helps.
I faced same issue on Ubuntu-16.04 system.
Solution:
ElasticSeearch service is not allowed to run for "ROOT" user. That's why change the ownership of elasticsearch folder with below command:
go to Elasticseach installation directory
$ sudo chown -R user_name:user_Group elasticsearch-5.5.0
$/bin/elasticsearch
this will start elasticsearch service. It is working form me perfectly.
Hey stackoverflow community!
I'm writing a small program. In this program code, written in a Web-Interface, is compiled and run.
Now I want the written code from the web-interface to have just a few permissions, like reading a file in a specific directory, while my own code has all permissions.
I just looked up the SecurityManager and found a way to carry this out by using the codeBase attribute of the Policy-File. My idea was to give my code all permissions so the written code has no permissions.
grant codeBase "file:/PATH/-" {
permission java.security.AllPermission;
};
grant {
};
PATH points to the root directory of my program (with bin/src as subfolder).
It works until i'm invoking javax.tools.JavaCompiler.CompilationTask.call() to compile the given code, although the file has the required permissions:
An exception has occurred in the compiler (1.8.0_05). Please file a bug at the Java Developer Connection (Report a Bug or Request a Feature) after checking the Bug Parade for duplicates. Include your program and the following diagnostic in your report. Thank you.
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "nonBatchMode" "read")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:457)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
at java.lang.System.getProperty(System.java:714)
at com.sun.tools.javac.main.Main.compile(Main.java:445)
at com.sun.tools.javac.api.JavacTaskImpl.doCall(JavacTaskImpl.java:129)
at com.sun.tools.javac.api.JavacTaskImpl.call(JavacTaskImpl.java:138)
.
.
.
I don't want to create a .java- and a .class-file for every typed code. For this reasen I used a ClassLoader with the following URI:
URI.create( "string:///" + className + Kind.CLASS.extension )
Trying to avoid the use of the "signedBy"-attriutes is important because it's difficult to sign .jar-files in Eclipse.
These are my questions:
1) Does anyone have an idea why the compiler throws an AccessControlException, although all needed rights are allowed?
2) Does anyone have an idea how to modify the SecurityManager this way?
3) Is it possible to seperate the included code from my own code at all?
4) Is the SecurityManager the right solution to my problem at all?
Thanks for reading and answering!
We are facing an issue during the deployment of an application into the CCIX Dev environment(App id is cet).
We are using Spring framework 3.1.0 as the MVC framework in our application. When we deploy the application, Spring starts initializing its own container. One of the steps during this process is to read all the environment variables. Spring achieves this by invoking a method System.getenv() which will return all the environment variables and the corresponding values in the system. During this step, a security exception is thrown as given below
[8/30/13 1:20:13:965 EDT] 00000014 SecurityManag W SECJ0314W: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Please refer to InfoCenter for further information.
Permission:
getenv.* : Access denied (java.lang.RuntimePermission getenv.*)
Code:
org.springframework.core.env.AbstractEnvironment in {file:/opt/httpd/root/apps/cet/ibm/ccix-dev-ear/caseesc.war/WEB-INF/lib/spring-core-3.2.1.RELEASE.jar}
Stack Trace:
java.security.AccessControlException: Access denied (java.lang.RuntimePermission getenv.*)
We tried to debug this by adding the line below line in was.policy file.
permission java.lang.RuntimePermission "getenv.*";
This is failing as the system does not allow the permission declaration with a wild character(*).
Also tried adding the below lines in application context file,but still no luck.
Please assist.
Try adding into WebSphere's JRE java.policy file e.g. /opt/IBM/WebSphere/AppServer/java/jre/lib/security/java.policy
I'm running a set of tests on my custom JCE provider implemention (XYZProvider).
Most of my tests are failing with the following error:-
java.lang.SecurityException: JCE cannot authenticate the provider XYZProvider
I have installed (i.e. placed provider's jar file) outside of system JRE (I need to stick to this, can't install in JRE) and maybe this is the reason I'm getting this error.
I have tried to search on this error without much success, tried using
grant codeBase "//location of my provider class files" { permission java.security.AllPermission; } in java.security file to give the necessary permission but with no luck.
Have already added the following line in java.security
security.provider.9=com.ingrian.security.nae.XYZProvider
Any ideas?
Thanks.