For a school project I have to create a distributed system from a standalone application. We're using RMI for the communication, but we ran into some problems.
The server I created starts just fine, but the client (which uses some swing libraries etc.) was giving me a classNotFound exception. To fix this I added the libraries my project uses to "C:\Program Files\Java\jre6\lib\ext". I prefer to place to libs at the client (like I did with the builds).
Can someone tell me if this is possible and ifso, how?
The problems don't end here, if I start my client now I get an java.security.AccessControlException. I use a policy file, it looks like this:
grant
{ permission java.net.SocketPermission
"*:1024-65535", "connect,accept";
};
I also tried to add all the libs but this didn't help either:
grant codebase "file:${java.home}/../lib/ext/appframework-1.0.3.jar" {
permission java.security.AllPermission;
};
grant codebase "file:${java.home}/../lib/ext/beansbinding-1.2.1.jar" {
permission java.security.AllPermission;
};
grant codebase "file:${java.home}/../lib/ext/jcalendar-1.3.3.jar" {
permission java.security.AllPermission;
};
grant codebase "file:${java.home}/../lib/ext/looks-2.0.1.jar" {
permission java.security.AllPermission;
};
grant codebase "file:${java.home}/../lib/ext/swing-worker-1.1.jar" {
permission java.security.AllPermission;
};
grant codebase "file:${java.home}/../lib/ext/swingx-1.6.1.jar" {
permission java.security.AllPermission;
};
grant codebase "file:${java.home}/../lib/ext/swingx-bean.jar" {
permission java.security.AllPermission;
};
grant codebase "file:${java.home}/../lib/ext/swingx-ws-2011_01_16.jar" {
permission java.security.AllPermission;
};
grant
{ permission java.net.SocketPermission
"*:1024-65535", "connect,accept";
};
I hope that anyone can help me.
-Rob
Debugging java 2 security exceptions is a tedious trial and error process. I guess you are starting the client with a JVM switch to add tell it to use a security manager - add the following
-Djava.security.debug=access,failure
You'll get masses of debug information, but searcing it for "access denied" will show you what permissions need to be granted against which code base. It's not a scientific process - you just have to keep trying until you think you've fixed all the security problems.
grant {
permission java.security.AllPermission;
};
Related
I'm trying to enforce a security policy, giving Java classes signed by a certain signer certain permissions. My security policy file looks as following:
// ========== SYSTEM CODE PERMISSIONS =========================================
grant codeBase "file:${java.home}/conf/*" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/*" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/lib/ext/*" {
permission java.security.AllPermission;
};
// ========== CLASS PERMISSIONS =========================================
keystore "file:/C:/Program Files/Java/openjdk-12/lib/security/cacerts";
keystorePasswordURL "file:/C:/Shared/Team/java-jar-signed/keystore.password";
grant signedBy "mycompany" {
permission java.security.AllPermission;
permission java.io.FilePermission "C:\\*", "read,write,execute";
permission java.io.FilePermission "C:\\", "read,write,execute";
};
The Keystore cacerts contains a certificate with the alias mycompany. The JAR file im testing the security policy with has been signed with the private key of that certificate. When I execute the JAR file with
java -Djava.security.manager -Djava.security.policy=rules.policy -Djava.security.debug=access -cp ReadC-signed.jar ReadC
I get
access: access denied ("java.io.FilePermission" "C:\" "read")
When I use codeBase "path/to/jar" instead of signedBy "mycompany" it works perfectly fine. Does anybody know what could be going wrong here?
I am investigating java security manager. I see that 'grant' is required attribute for *.policy file and it is global. But how it will behave in case if I add 'grant codeBase' for the same resoure. For example:
grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/log4j-1.2.17.jar!/-" {
permission java.io.FilePermission "${catalina.base}/logs/-", "delete";
};
grant {
permission java.io.FilePermission "${catalina.base}/logs/-", "write";
};
Will log4j-1.2.17.jar has a permission to delete files in the log folder?
Can 'grant codeBase' override 'grant' section?
Thank you!
I want to implement a security policy file in the following way :-
Restrict access to all files except for files in 3 directories, i.e. if code accesses files from these 3 directories, it should be allowed but file access for any other directory is restricted.
Grant all other permissions to the code base.
How can I proceed for creating policy file for this requirement.
You need to create next policy file (yourPolicy.policy):
grant codeBase "file:/location_of_your_code/-" {
permission java.io.FilePermission "/tmp/f1/*", "read, write";
permission java.io.FilePermission "/tmp/f2/*", "read, write";
permission java.io.FilePermission "/tmp/f3/*", "read, write";
};
And launch your code with next arguments:
java -Djava.security.manager -Djava.security.policy=yourPolicy.policy YourClassName
It will restrict access of your java program to only these three folders.
About requirement “grant all other permissions” it seems that you can’t grant all permissions and override some specific permissions (grant access to only three folders) using java policy syntax. Thus you need explicitly specify all permissions that you want to grant to your application.
I have the following policy file:
grant codeBase "file:./Cookie.jar",
Principal javax.security.auth.kerberos.KerberosPrincipal
"MyUsr#domain.com"
Principal javax.security.auth.kerberos.KerberosPrincipal
"OtherUsr#domain.com" {
permission java.util.PropertyPermission "java.vm.*", "read,write";
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "user.home", "read";
permission java.io.FilePermission "foo.txt", "read";
};
grant {
permission java.util.PropertyPermission "*","read,write";
permission javax.security.auth.AuthPermission "createLoginContext.Cookie";
permission java.security."*";
};
Whenever I execute: java -jar Cookie.jar my program works as intended and I have no problem loading log4j.
However, when I execute the following to enable the security manager (using the above policy file):
java -Djava.security.manager -Djava.security.policy==java.policy -jar Cookie.jar -Djava.security.auth.login.config=auth.conf
I end up getting this ERROR:
StatusLogger Log4j2 could not find a logging implementation. Please add lo
g4j-core to the classpath. Using SimpleLogger to log to the console...
This is the same error I would get if I didn't have log4j on the classpath, however, log4j is on the classpath.
I have determined for certain that the issue is caused by the security manager. I can only assume that I need to add a certain permission to my policy file in order for the Log4j2 library to load properly, but I can't figure out what permission I need to add.
Could someone please tell me what I'm missing here, and explain why this is happening? Thanks!
EDIT: Dang, I fixed this somehow, but don't remember exactly how. I'll update here if I remember.
grant {
permission java.security.AllPermission;
};
This works.
grant file:///- {
permission java.security.AllPermission;
};
This does not work. Could someone please explain to me why?
The syntax should be:
grant codeBase "file:///-" {
...
};
See the docs. Note the semicolon.
Be very careful assigning permissions to code.
Are you sure the codebase should be a file URL (normal for development, not for production...).
The directive "grant { permission }" means grant the permission to all code no matter where it came from. In other words, when there is no codebase specified, the code could be loaded from the network or the file system.
The second directive (if it worked) would only apply to the local file system. It would be specifying all files (recursively) on the local file system. I'm not sure that "file:///" is a valid URL by itself. I know that file:///tmp/- works.