db-derby-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rick Hillegas <rick.hille...@oracle.com>
Subject Re: Hellow, I have some problem in customize security policy with derby (modified)
Date Wed, 30 Jul 2014 13:21:00 GMT
Thanks for including your policy file and the stack trace. This appears 
to be a bug in Derby. I have filed 
https://issues.apache.org/jira/browse/DERBY-6680 to track this issue. 
Try granting the following additional permissions to derbynet.jar:

   permission java.util.PropertyPermission "derby.ui.codeset", "read";
   permission java.util.PropertyPermission "derby.ui.locale", "read";


Thanks for finding this bug,
-Rick

On 7/29/14 7:14 PM, 정용환 wrote:
>
> Thanks for reply
>
> Its my custom sucurity policy
>
> grant codeBase 
> "file:///C:\Apache\db-derby-10.8.2.2-bin-slave\lib\derby.jar"
> {
> //
> // These permissions are needed for everyday, embedded Derby usage.
> //
>   permission java.lang.RuntimePermission "createClassLoader";
>   permission java.util.PropertyPermission "derby.*", "read";
>   permission java.util.PropertyPermission "user.dir", "read";
>   permission java.util.PropertyPermission "derby.storage.jvmInstanceId",
>       "write";
>   // The next two properties are used to determine if the VM is 32 or 
> 64 bit.
>   permission java.util.PropertyPermission "sun.arch.data.model", "read";
>   permission java.util.PropertyPermission "os.arch", "read";
>   permission java.io.FilePermission "C:\derby\slave","read";
>   permission java.io.FilePermission "C:\derby\slave${/}-", 
> "read,write,delete";
>
> //
> // This permission lets a DBA reload the policy file while the server
> // is still running. The policy file is reloaded by invoking the
> // SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.
> //
>   permission java.security.SecurityPermission "getPolicy";
> //
> // This permission lets you backup and restore databases
> // to and from arbitrary locations in your file system.
> //
> // This permission also lets you import/export data to and from
> // arbitrary locations in your file system.
> //
> // You may want to restrict this access to specific directories.
> //
>   permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
>
> //
> // Permissions needed for JMX based management and monitoring, which 
> is only
> // available for JVMs supporting "platform management", that is J2SE 
> 5.0 or better.
> //
> // Allows this code to create an MBeanServer:
> //
>   permission javax.management.MBeanServerPermission "createMBeanServer";
> //
> // Allows access to Derby's built-in MBeans, within the domain 
> org.apache.derby.
> // Derby must be allowed to register and unregister these MBeans.
> // It is possible to allow access only to specific MBeans, attributes or
> // operations. To fine tune this permission, see the javadoc of
> // javax.management.MBeanPermission or the JMX Instrumentation and Agent
> // Specification.
> //
>   permission javax.management.MBeanPermission 
> "org.apache.derby.*#[org.apache.derby:*]","registerMBean,unregisterMBean";
> //
> // Trusts Derby code to be a source of MBeans and to register these in 
> the MBean server.
> //
>   permission javax.management.MBeanTrustPermission "register";
>   // getProtectionDomain is an optional permission needed for printing 
> classpath
>   // information to derby.log
>   permission java.lang.RuntimePermission "getProtectionDomain";
>   //
>   // The following permission must be granted for 
> Connection.abort(Executor) to work.
>   // Note that this permission must also be granted to outer 
> (application) code domains.
>   //
>   permission java.sql.SQLPermission "callAbort";
>   permission java.net.SocketPermission "192.168.0.10:9001 
> <http://192.168.0.10:9001>", "listen";
>
>   //add to replicate
>   permission java.net.SocketPermission "192.168.0.10", "accept,resolve";
> };
> grant codeBase 
> "file:///C:\Apache\db-derby-10.8.2.2-bin-slave\lib\derbynet.jar"
> {
> //
> // This permission lets the Network Server manage connections from 
> clients.
> //
> // Accept connections from any host. Derby is listening to the host
> // interface specified via the -h option to "NetworkServerControl
> // start" on the command line, via the address parameter to the
> // org.apache.derby.drda.NetworkServerControl constructor in the API
> // or via the property derby.drda.host; the default is localhost.
> // You may want to restrict allowed hosts, e.g. to hosts in a specific
> // subdomain, e.g. "*.acme.com <http://acme.com>".
>   permission java.net.SocketPermission "*", "accept";
> //
> // Needed for server tracing.
> //
>   permission java.io.FilePermission 
> "${derby.drda.traceDirectory}${/}-", "read,write,delete";
> //
> // JMX: Uncomment this permission to allow the ping operation of the
> //      NetworkServerMBean to connect to the Network Server.
> //permission java.net.SocketPermission "*", "connect,resolve";
>
> //
> // Needed by sysinfo. The file permission is needed to
> // check the existence of jars on the classpath. You can
> // limit this permission to just the locations which hold
> // your jar files.
> //
> // In this template file, this block of permissions is granted
> // to derbynet.jar under the assumption that derbynet.jar is
> // the first jar file in your classpath which contains the
> // sysinfo classes. If that is not the case, then you will want
> // to grant this block of permissions to the first jar file
> // in your classpath which contains the sysinfo classes.
> // Those classes are bundled into the following Derby
> // jar files:
> //
> //    derbynet.jar
> //    derby.jar
> //    derbyclient.jar
> //    derbytools.jar
> //
>   permission java.util.PropertyPermission "user.*", "read";
>   permission java.util.PropertyPermission "java.home", "read";
>   permission java.util.PropertyPermission "java.class.path", "read";
>   permission java.util.PropertyPermission "java.runtime.version", "read";
>   permission java.util.PropertyPermission "java.fullversion", "read";
>   permission java.lang.RuntimePermission "getProtectionDomain";
>   permission java.io.FilePermission "<<ALL FILES>>", "read";
>   permission java.io.FilePermission "java.runtime.version", "read";
>   permission java.io.FilePermission "java.fullversion", "read";
> };
>
> And
> Following is excute script in startNetworkServer.bat
>
> "%_JAVACMD%" -Djava.security.manager 
> -Djava.security.policy=C:\Apache\db-derby-10.8.2.2-bin-slave\lib\igoServer.policy 
> -Djava.security.debug=access:failure %DERBY_OPTS% -classpath 
> "%LOCALCLASSPATH%" org.apache.derby.drda.NetworkServerControl start 
> %DERBY_CMD_LINE_ARGS%
>
>
> And there is no log in derby.log ,
> So I get log -Djava.security.debug=access:failure
>
> following is summury of excetion stack trace of the security exception
>
>
> access: access denied (java.util.PropertyPermission derby.ui.codeset read)
> java.lang.Exception: Stack trace
>         at java.lang.Thread.dumpStack(Thread.java:1206)
>         at 
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
>         at 
> java.security.AccessController.checkPermission(AccessController.java:546)
>         at 
> java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>         at 
> java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
>         at java.lang.System.getProperty(System.java:650)
>         at 
> org.apache.derby.iapi.tools.i18n.LocalizedResource.run(Unknown Source)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at 
> org.apache.derby.iapi.tools.i18n.LocalizedResource.getEnvProperty(Unknown 
> Source)
>         at 
> org.apache.derby.iapi.tools.i18n.LocalizedResource.init(Unknown Source)
>         at 
> org.apache.derby.iapi.tools.i18n.LocalizedResource.<init>(Unknown Source)
>         at 
> org.apache.derby.impl.drda.NetworkServerControlImpl.init(Unknown Source)
>         at 
> org.apache.derby.impl.drda.NetworkServerControlImpl.<init>(Unknown Source)
>         at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
> access: domain that failed ProtectionDomain  
> (file:/C:/Apache/db-derby-10.8.2.2-bin/lib/derby.jar <no signer 
> certificates>)
>  sun.misc.Launcher$AppClassLoader@19821f
> <no principals>
>  java.security.Permissions@1f7d134 (
>  (java.util.PropertyPermission line.separator read)
>  (java.util.PropertyPermission java.vm.version read)
>  (java.util.PropertyPermission java.vm.specification.version read)
>  (java.util.PropertyPermission java.vm.specification.vendor read)
>  (java.util.PropertyPermission java.vendor.url read)
>  (java.util.PropertyPermission java.vm.name <http://java.vm.name> read)
>  (java.util.PropertyPermission os.name <http://os.name> read)
>  (java.util.PropertyPermission java.vm.vendor read)
>  (java.util.PropertyPermission path.separator read)
>  (java.util.PropertyPermission java.specification.name 
> <http://java.specification.name> read)
>  (java.util.PropertyPermission os.version read)
>  (java.util.PropertyPermission os.arch read)
>  (java.util.PropertyPermission java.class.version read)
>  (java.util.PropertyPermission java.version read)
>  (java.util.PropertyPermission file.separator read)
>  (java.util.PropertyPermission java.vendor read)
>  (java.util.PropertyPermission java.vm.specification.name 
> <http://java.vm.specification.name> read)
>  (java.util.PropertyPermission java.specification.version read)
>  (java.util.PropertyPermission java.specification.vendor read)
>  (java.io.FilePermission 
> \C:\Apache\db-derby-10.8.2.2-bin\lib\derby.jar read)
>  (java.net.SocketPermission localhost:1024- listen,resolve)
>  (java.lang.RuntimePermission stopThread)
>  (java.lang.RuntimePermission exitVM)
> )
>
> access: access denied (java.util.PropertyPermission derby.ui.locale read)
> java.lang.Exception: Stack trace
>         at java.lang.Thread.dumpStack(Thread.java:1206)
>         at 
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
>         at 
> java.security.AccessController.checkPermission(AccessController.java:546)
>         at 
> java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>         at 
> java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
>         at java.lang.System.getProperty(System.java:650)
>         at 
> org.apache.derby.iapi.tools.i18n.LocalizedResource.run(Unknown Source)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at 
> org.apache.derby.iapi.tools.i18n.LocalizedResource.getEnvProperty(Unknown 
> Source)
>         at 
> org.apache.derby.iapi.tools.i18n.LocalizedResource.init(Unknown Source)
>         at 
> org.apache.derby.iapi.tools.i18n.LocalizedResource.<init>(Unknown Source)
>         at 
> org.apache.derby.impl.drda.NetworkServerControlImpl.init(Unknown Source)
>         at 
> org.apache.derby.impl.drda.NetworkServerControlImpl.<init>(Unknown Source)
>         at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
> access: domain that failed ProtectionDomain  
> (file:/C:/Apache/db-derby-10.8.2.2-bin/lib/derby.jar <no signer 
> certificates>)
>  sun.misc.Launcher$AppClassLoader@19821f
> <no principals>
>  java.security.Permissions@c7e553 (
>  (java.util.PropertyPermission line.separator read)
>  (java.util.PropertyPermission java.vm.version read)
>  (java.util.PropertyPermission java.vm.specification.version read)
>  (java.util.PropertyPermission java.vm.specification.vendor read)
>  (java.util.PropertyPermission java.vendor.url read)
>  (java.util.PropertyPermission java.vm.name <http://java.vm.name> read)
>  (java.util.PropertyPermission os.name <http://os.name> read)
>  (java.util.PropertyPermission java.vm.vendor read)
>  (java.util.PropertyPermission path.separator read)
>  (java.util.PropertyPermission java.specification.name 
> <http://java.specification.name> read)
>  (java.util.PropertyPermission os.version read)
>  (java.util.PropertyPermission os.arch read)
>  (java.util.PropertyPermission java.class.version read)
>  (java.util.PropertyPermission java.version read)
>  (java.util.PropertyPermission file.separator read)
>  (java.util.PropertyPermission java.vendor read)
>  (java.util.PropertyPermission java.vm.specification.name 
> <http://java.vm.specification.name> read)
>  (java.util.PropertyPermission java.specification.version read)
>  (java.util.PropertyPermission java.specification.vendor read)
>  (java.io.FilePermission 
> \C:\Apache\db-derby-10.8.2.2-bin\lib\derby.jar read)
>  (java.net.SocketPermission localhost:1024- listen,resolve)
>  (java.lang.RuntimePermission stopThread)
>  (java.lang.RuntimePermission exitVM)
> )
> access: access denied (java.util.PropertyPermission derby.system.home 
> read)
> java.lang.Exception: Stack trace
>         at java.lang.Thread.dumpStack(Thread.java:1206)
>         at 
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
>         at 
> java.security.AccessController.checkPermission(AccessController.java:546)
>         at 
> java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>         at 
> java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
>         at java.lang.System.getProperty(System.java:650)
>         at 
> org.apache.derby.impl.services.monitor.FileMonitor.PBinitialize(Unknown Source)
>         at 
> org.apache.derby.impl.services.monitor.FileMonitor.run(Unknown Source)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at 
> org.apache.derby.impl.services.monitor.FileMonitor.initialize(Unknown 
> Source)
>         at 
> org.apache.derby.impl.services.monitor.FileMonitor.<init>(Unknown Source)
>         at 
> org.apache.derby.iapi.services.monitor.Monitor.getMonitorLite(Unknown 
> Source)
>         at 
> org.apache.derby.iapi.services.property.PropertyUtil.getSystemProperty(Unknown 
> Source)
>         at 
> org.apache.derby.iapi.services.property.PropertyUtil.getSystemProperty(Unknown 
> Source)
>         at 
> org.apache.derby.impl.drda.NetworkServerControlImpl.getPropertyInfo(Unknown 
> Source)
>         at 
> org.apache.derby.impl.drda.NetworkServerControlImpl.<init>(Unknown Source)
>         at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
> access: access denied (java.io.FilePermission derby.properties read)
> java.lang.Exception: Stack trace
>         at java.lang.Thread.dumpStack(Thread.java:1206)
>         at 
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
>         at 
> java.security.AccessController.checkPermission(AccessController.java:546)
>         at 
> java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>         at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
>         at java.io.File.exists(File.java:731)
>         at 
> org.apache.derby.impl.services.monitor.FileMonitor.PBapplicationPropertiesStream(Unknown

> Source)
>         at 
> org.apache.derby.impl.services.monitor.FileMonitor.run(Unknown Source)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at 
> org.apache.derby.impl.services.monitor.FileMonitor.applicationPropertiesStream(Unknown

> Source)
>         at 
> org.apache.derby.impl.services.monitor.BaseMonitor.readApplicationProperties(Unknown

> Source)
>         at 
> org.apache.derby.impl.services.monitor.FileMonitor.<init>(Unknown Source)
>         at 
> org.apache.derby.iapi.services.monitor.Monitor.getMonitorLite(Unknown 
> Source)
>         at 
> org.apache.derby.iapi.services.property.PropertyUtil.getSystemProperty(Unknown 
> Source)
>         at 
> org.apache.derby.iapi.services.property.PropertyUtil.getSystemProperty(Unknown 
> Source)
>         at 
> org.apache.derby.impl.drda.NetworkServerControlImpl.getPropertyInfo(Unknown 
> Source)
>         at 
> org.apache.derby.impl.drda.NetworkServerControlImpl.<init>(Unknown Source)
>         at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
> access: access denied (java.util.PropertyPermission 
> derby.drda.logConnections read)
> java.lang.Exception: Stack trace
>         at java.lang.Thread.dumpStack(Thread.java:1206)
>         at 
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
>         at 
> java.security.AccessController.checkPermission(AccessController.java:546)
>         at 
> java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>         at 
> java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
>         at java.lang.System.getProperty(System.java:650)
>         at 
> org.apache.derby.impl.services.monitor.FileMonitor.PBgetJVMProperty(Unknown 
> Source)
>         at 
> org.apache.derby.impl.services.monitor.FileMonitor.run(Unknown Source)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at 
> org.apache.derby.impl.services.monitor.FileMonitor.getJVMProperty(Unknown 
> Source)
>         at 
> org.apache.derby.iapi.services.property.PropertyUtil.getSystemProperty(Unknown 
> Source)
>         at 
> org.apache.derby.iapi.services.property.PropertyUtil.getSystemProperty(Unknown 
> Source)
>         at 
> org.apache.derby.impl.drda.NetworkServerControlImpl.getPropertyInfo(Unknown 
> Source)
>         at 
> org.apache.derby.impl.drda.NetworkServerControlImpl.<init>(Unknown Source)
>         at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
>
> access: access denied (java.io.FilePermission derby.log read)
> java.lang.Exception: Stack trace
>         at java.lang.Thread.dumpStack(Thread.java:1206)
>         at 
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
>         at 
> java.security.AccessController.checkPermission(AccessController.java:546)
>         at 
> java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>         at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
>         at java.io.File.exists(File.java:731)
>         at 
> org.apache.derby.impl.services.stream.SingleStream.PBmakeFileHPW(Unknown 
> Source)
>         at 
> org.apache.derby.impl.services.stream.SingleStream.run(Unknown Source)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at 
> org.apache.derby.impl.services.stream.SingleStream.makeFileHPW(Unknown 
> Source)
>         at 
> org.apache.derby.impl.services.stream.SingleStream.createDefaultStream(Unknown 
> Source)
>         at 
> org.apache.derby.impl.services.stream.SingleStream.makeStream(Unknown 
> Source)
>         at 
> org.apache.derby.impl.services.stream.SingleStream.boot(Unknown Source)
>         at 
> org.apache.derby.impl.services.monitor.BaseMonitor.boot(Unknown Source)
>         at 
> org.apache.derby.impl.services.monitor.TopService.bootModule(Unknown 
> Source)
>         at 
> org.apache.derby.impl.services.monitor.BaseMonitor.startModule(Unknown 
> Source)
>         at 
> org.apache.derby.iapi.services.monitor.Monitor.startSystemModule(Unknown 
> Source)
>         at 
> org.apache.derby.impl.services.monitor.BaseMonitor.runWithState(Unknown Source)
>         at 
> org.apache.derby.impl.services.monitor.FileMonitor.<init>(Unknown Source)
>         at 
> org.apache.derby.iapi.services.monitor.Monitor.startMonitor(Unknown 
> Source)
>         at org.apache.derby.iapi.jdbc.JDBCBoot.boot(Unknown Source)
>         at org.apache.derby.jdbc.EmbeddedDriver.boot(Unknown Source)
>         at org.apache.derby.jdbc.EmbeddedDriver.<clinit>(Unknown Source)
>         at java.lang.Class.forName0(Native Method)
>         at java.lang.Class.forName(Class.java:169)
>         at 
> org.apache.derby.impl.drda.NetworkServerControlImpl.startNetworkServer(Unknown 
> Source)
>         at 
> org.apache.derby.impl.drda.NetworkServerControlImpl.blockingStart(Unknown 
> Source)
>         at 
> org.apache.derby.impl.drda.NetworkServerControlImpl.executeWork(Unknown Source)
>         at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
>
> Thank you
>
> 2014-07-29 21:48 GMT+09:00 Rick Hillegas <rick.hillegas@oracle.com 
> <mailto:rick.hillegas@oracle.com>>:
>
>     Could you attach the security policy you are using as well as the
>     derby.log file which shows the complete stack trace of the
>     security exception?
>
>     Thanks,
>     -Rick
>
>
>     On 7/28/14 10:03 PM, 정용환 wrote:
>
>
>
>         Hellow, I am derby user in korea.
>
>
>
>         I have a problem while I try to replication.
>
>
>
>         I success to replication with embeded mode.
>
>         and replication with server mode with no security manager.
>
>
>
>         but replication not work with  server mode with security manager.
>
>
>
>         manual said
>
>         "If you want to perform replication with the security manager
>         enabled, you must modify
>          the security policy file on both the master and slave systems
>         to allow the master-slave
>         network connection."
>
>
>
>         so I try to modify security policy file
>
>         follow with "Customizing the Network Server's security policy"
>         section
>
>         but when I start server with
>
>         C:\Apache\db-derby-10.8.2.2-bin-slave\bin\startNetworkServer.bat
>         -h 192.168.0.10 -p 1530
>
>         and following is part of startNetworkServer.bat
>
>         "%_JAVACMD%" -Djava.security.manager
>         -Djava.security.policy=C:\Apache\db-derby-10.8.2.2-bin-slave\lib
>         %DERBY_OPTS% -classpath "%LOCALCLASSPATH%"
>         org.apache.derby.drda.NetworkServerControl start
>         %DERBY_CMD_LINE_ARGS%
>
>         cmd log
>         "Thread[main,5,main] java.security.AccessControlException :
>         access denied (java.io.FilePermission derby.log read)"
>
>         then server start
>         but when I connect db
>         , error messege show
>         "data volume is not enough , expected minimum volume is 6 byte but
>         received volume is obyte. connect is end."
>
>         please give me hint or solution to solve that problem.
>
>         OS is window 7
>
>
>         Thank you.
>
>
>


Mime
View raw message