db-derby-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Db-derby Wiki] Update of "SecurityPolicyTips" by BryanPendleton
Date Sat, 01 Feb 2014 16:30:31 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Db-derby Wiki" for change notification.

The "SecurityPolicyTips" page has been changed by BryanPendleton:

Summarize some tips from a recent mailing list discussion.

New page:
If you run Derby on a relatively recent copy of Java, or on certain platforms, you may need
to specify a server policy file.

Information about the Derby security policy is available in the Derby documentation, specifically in the Administration Guide at [[https://db.apache.org/derby/docs/10.10/adminguide/tadminnetservbasic.html|Basic Network Server security policy]] and at [[https://db.apache.org/derby/docs/10.10/adminguide/tadminnetservcustom.html|Customizing the Network Server's security policy]].

Many portions of the Derby security policy must be edited to specify file: scheme URLs, which
can be tricky to do on operating systems like Windows.

When editing the file, replace {{{ ${derby.install.url} }}} with the full path name for the
Derby jar files in the four sections that start with “grant codebase”. The syntax is
a little tricky. For example, assume that Derby has been installed in C:\Java\db-derby-
You use a “file:” specification, but you need to use forward slashes, not backslashes.
Also, the file specification can contain zero, one, or three forward slashes, but not two.

The slashes in a file URL are explained in [[http://en.wikipedia.org/wiki/File_URI_scheme#Meaning_of_slash_character|this Wikipedia entry]]:

Things to notice:
 * If host is omitted, it is taken to be "localhost", the machine from which the URL is being interpreted. Note that when omitting host you do not omit the slash ({{{ "file:///foo.txt" }}} is okay, while {{{ "file://foo.txt" }}} is not, although some interpreters manage to handle the latter).
 * The double slash // should always appear in a file URL according to the specification, but in practice many Web browsers allow you to omit it.
 * The URI as understood by the Windows Shell API is e.g. {{{ "file:///c:/WINDOWS/clock.avi" }}}

So, three slashes is OK: it means the host is omitted (default).

Zero and one slash would indicate that the "//host" part is omitted, cf. the lenience
mentioned above.

Just a double slash followed by the file path (e.g. //C:/....), would be wrong, since "C:"
is not a host name.

Thus, any of the following will work

 *    {{{ grant codeBase "file:///C:/Java/db-derby-" }}}
 *    {{{ grant codeBase "file:C:/Java/db-derby-" }}}
 *    {{{ grant codeBase "file:/C:/Java/db-derby-" }}}

but not

 *    {{{ grant codeBase "file://C:/Java/db-derby-" }}}

This is an important point since [[http://db.apache.org/derby/docs/10.10/devguide/cdevcsecure871387.html|the sample files in the Derby Developer's Guide]] seem to imply that two slashes are acceptable.
While the file specifications appear to work with zero, one, or three slashes, based on the
Wikipedia link above and [[http://blogs.msdn.com/b/ie/archive/2006/12/06/file-uris-in-windows.aspx|this MSDN link]], it appears that three slashes is the “proper” form for files on the localhost, which,
I suspect, is the most common case.

If you use two slashes in your file specification, you will get an error message similar to
the following:

     {{{ Thu Jan 30 09:09:33 EST 2014 : access denied ("java.util.PropertyPermission" "derby.__serverStartedFromCmdLine" "write") }}}

You also need to replace {{{ "${derby.security.port}" }}} with the appropriate port number
(e.g., 1527). Alternatively, you can define {{{ "${derby.security.port}" }}} in your
call to start the Derby network server, as in {{{ "-Dderby.security.port=1527" }}}.

Other policy file parameters can be handled similarly, but these are the most important ones,
and these changes are the minimum needed to get the Derby network server started.

Once your security policy has been edited, specify it when starting Derby by adding

    {{{ -Dderby.security.port=1527 -Djava.security.manager -Djava.security.policy=%DERBY_HOME%\server.policy }}}

to the {{{ start java }}} command.
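
The slash rules for {{{ grant codeBase }}} entries described above can be checked before the server is started. The following linter is an added example, not part of the wiki page or of Derby; the directory name {{{ derby-example }}}, the host name in the test and the sample policy text are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Quoted URL of each `grant codeBase "..."` entry in a policy file.
CODEBASE_RE = re.compile(r'grant\s+codeBase\s+"([^"]*)"', re.IGNORECASE)

def classify_codebase(url):
    """Return (status, reason); status is "ok", "error" or "unchecked"."""
    if not url.lower().startswith("file:"):
        return "unchecked", "not a file: URL"
    if "\\" in url:
        return "error", "backslashes: a file: URL needs forward slashes"
    rest = url[len("file:"):]
    slashes = len(rest) - len(rest.lstrip("/"))
    if slashes in (0, 1, 3):
        return "ok", f"{slashes} slash(es): host omitted, local path"
    if slashes == 2:
        # After "//" the next component is the host, up to the next "/".
        host = urlsplit(url).netloc
        if re.fullmatch(r"[A-Za-z]:?", host):
            return "error", f"two slashes: drive {host!r} is parsed as the host"
        return "unchecked", f"two slashes: names host {host!r}"
    return "unchecked", f"{slashes} slashes: form not covered by the page"

def lint_policy(text):
    """Return (line number, url, reason) for every codeBase flagged "error"."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in CODEBASE_RE.finditer(line):
            status, reason = classify_codebase(match.group(1))
            if status == "error":
                findings.append((lineno, match.group(1), reason))
    return findings

# Constructed sample policy; the directory name is a made-up placeholder.
SAMPLE_POLICY = r'''grant codeBase "file:///C:/Java/derby-example/lib/derby.jar" { };
grant codeBase "file://C:/Java/derby-example/lib/derbynet.jar" { };
grant codeBase "file:C:\Java\derby-example\lib\derbytools.jar" { };
grant codeBase "file:/C:/Java/derby-example/lib/derbyclient.jar" { };
'''

if __name__ == "__main__":
    for lineno, url, reason in lint_policy(SAMPLE_POLICY):
        print(f"line {lineno}: {url}\n    {reason}")
```

Run against the constructed sample, it reports the two-slash entry and the backslash entry and accepts the three-slash and one-slash forms.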
