db-derby-user mailing list archives

From 정용환 <...@igo.co.kr>
Subject Re: Hellow, I have some problem in customize security policy with derby (modified)
Date Thu, 31 Jul 2014 01:43:37 GMT
Thanks for the reply.
I granted the additional permissions to derbynet.jar,
but it did not work.
But I solved the security policy problem with the following changes.

I modified
 'grant codeBase "file:///C:\Apache\db-derby-10.8.2.2-bin-slave\lib\derbynet.jar"'
to
 'grant codeBase "file:///C:/Apache/db-derby-10.8.2.2-bin-slave/lib/derbynet.jar"'
and,
before starting the slave server, I set DERBY_HOME to the path where the slave is installed:
setx DERBY_HOME C:\Apache\db-derby-10.8.2.2-bin-slave

Then the server starts nicely and replication works properly.

Thanks a lot.

YongHwan Jung


2014-07-30 22:21 GMT+09:00 Rick Hillegas <rick.hillegas@oracle.com>:

> Thanks for including your policy file and the stack trace. This appears to
> be a bug in Derby. I have filed https://issues.apache.org/jira/browse/DERBY-6680
> to track this issue. Try granting the following additional permissions to
> derbynet.jar:
>
>   permission java.util.PropertyPermission "derby.ui.codeset", "read";
>   permission java.util.PropertyPermission "derby.ui.locale", "read";
>
>
> Thanks for finding this bug,
> -Rick
>
>
> On 7/29/14 7:14 PM, 정용환 wrote:
>
>>
>> Thanks for the reply.
>>
>> This is my custom security policy:
>>
>> grant codeBase "file:///C:\Apache\db-derby-10.8.2.2-bin-slave\lib\derby.jar"
>> {
>> //
>> // These permissions are needed for everyday, embedded Derby usage.
>> //
>>   permission java.lang.RuntimePermission "createClassLoader";
>>   permission java.util.PropertyPermission "derby.*", "read";
>>   permission java.util.PropertyPermission "user.dir", "read";
>>   permission java.util.PropertyPermission "derby.storage.jvmInstanceId", "write";
>>   // The next two properties are used to determine if the VM is 32 or 64 bit.
>>   permission java.util.PropertyPermission "sun.arch.data.model", "read";
>>   permission java.util.PropertyPermission "os.arch", "read";
>>   permission java.io.FilePermission "C:\derby\slave","read";
>>   permission java.io.FilePermission "C:\derby\slave${/}-", "read,write,delete";
>>
>> //
>> // This permission lets a DBA reload the policy file while the server
>> // is still running. The policy file is reloaded by invoking the
>> // SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.
>> //
>>   permission java.security.SecurityPermission "getPolicy";
>> //
>> // This permission lets you backup and restore databases
>> // to and from arbitrary locations in your file system.
>> //
>> // This permission also lets you import/export data to and from
>> // arbitrary locations in your file system.
>> //
>> // You may want to restrict this access to specific directories.
>> //
>>   permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
>>
>> //
>> // Permissions needed for JMX based management and monitoring, which is only
>> // available for JVMs supporting "platform management", that is J2SE 5.0 or better.
>> //
>> // Allows this code to create an MBeanServer:
>> //
>>   permission javax.management.MBeanServerPermission "createMBeanServer";
>> //
>> // Allows access to Derby's built-in MBeans, within the domain org.apache.derby.
>> // Derby must be allowed to register and unregister these MBeans.
>> // It is possible to allow access only to specific MBeans, attributes or
>> // operations. To fine tune this permission, see the javadoc of
>> // javax.management.MBeanPermission or the JMX Instrumentation and Agent
>> // Specification.
>> //
>>   permission javax.management.MBeanPermission "org.apache.derby.*#[org.apache.derby:*]","registerMBean,unregisterMBean";
>> //
>> // Trusts Derby code to be a source of MBeans and to register these in the MBean server.
>> //
>>   permission javax.management.MBeanTrustPermission "register";
>>   // getProtectionDomain is an optional permission needed for printing classpath
>>   // information to derby.log
>>   permission java.lang.RuntimePermission "getProtectionDomain";
>>   //
>>   // The following permission must be granted for Connection.abort(Executor) to work.
>>   // Note that this permission must also be granted to outer (application) code domains.
>>   //
>>   permission java.sql.SQLPermission "callAbort";
>>   permission java.net.SocketPermission "192.168.0.10:9001", "listen";
>>
>>
>>   //add to replicate
>>   permission java.net.SocketPermission "192.168.0.10", "accept,resolve";
>> };
>> grant codeBase "file:///C:\Apache\db-derby-10.8.2.2-bin-slave\lib\derbynet.jar"
>> {
>> //
>> // This permission lets the Network Server manage connections from clients.
>> //
>> // Accept connections from any host. Derby is listening to the host
>> // interface specified via the -h option to "NetworkServerControl
>> // start" on the command line, via the address parameter to the
>> // org.apache.derby.drda.NetworkServerControl constructor in the API
>> // or via the property derby.drda.host; the default is localhost.
>> // You may want to restrict allowed hosts, e.g. to hosts in a specific
>> // subdomain, e.g. "*.acme.com".
>>
>>   permission java.net.SocketPermission "*", "accept";
>> //
>> // Needed for server tracing.
>> //
>>   permission java.io.FilePermission "${derby.drda.traceDirectory}${/}-", "read,write,delete";
>> //
>> // JMX: Uncomment this permission to allow the ping operation of the
>> //      NetworkServerMBean to connect to the Network Server.
>> //permission java.net.SocketPermission "*", "connect,resolve";
>>
>> //
>> // Needed by sysinfo. The file permission is needed to
>> // check the existence of jars on the classpath. You can
>> // limit this permission to just the locations which hold
>> // your jar files.
>> //
>> // In this template file, this block of permissions is granted
>> // to derbynet.jar under the assumption that derbynet.jar is
>> // the first jar file in your classpath which contains the
>> // sysinfo classes. If that is not the case, then you will want
>> // to grant this block of permissions to the first jar file
>> // in your classpath which contains the sysinfo classes.
>> // Those classes are bundled into the following Derby
>> // jar files:
>> //
>> //    derbynet.jar
>> //    derby.jar
>> //    derbyclient.jar
>> //    derbytools.jar
>> //
>>   permission java.util.PropertyPermission "user.*", "read";
>>   permission java.util.PropertyPermission "java.home", "read";
>>   permission java.util.PropertyPermission "java.class.path", "read";
>>   permission java.util.PropertyPermission "java.runtime.version", "read";
>>   permission java.util.PropertyPermission "java.fullversion", "read";
>>   permission java.lang.RuntimePermission "getProtectionDomain";
>>   permission java.io.FilePermission "<<ALL FILES>>", "read";
>>   permission java.io.FilePermission "java.runtime.version", "read";
>>   permission java.io.FilePermission "java.fullversion", "read";
>> };
>>
>> And the following is the command executed in startNetworkServer.bat:
>>
>> "%_JAVACMD%" -Djava.security.manager
>> -Djava.security.policy=C:\Apache\db-derby-10.8.2.2-bin-slave\lib\igoServer.policy
>> -Djava.security.debug=access:failure %DERBY_OPTS% -classpath "%LOCALCLASSPATH%"
>> org.apache.derby.drda.NetworkServerControl start %DERBY_CMD_LINE_ARGS%
>>
>>
>> And there is nothing in derby.log,
>> so I got the log with -Djava.security.debug=access:failure.
>>
>> The following is a summary of the stack trace of the security exception:
>>
>>
>> access: access denied (java.util.PropertyPermission derby.ui.codeset read)
>> java.lang.Exception: Stack trace
>>         at java.lang.Thread.dumpStack(Thread.java:1206)
>>         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
>>         at java.security.AccessController.checkPermission(AccessController.java:546)
>>         at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>>         at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
>>         at java.lang.System.getProperty(System.java:650)
>>         at org.apache.derby.iapi.tools.i18n.LocalizedResource.run(Unknown Source)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at org.apache.derby.iapi.tools.i18n.LocalizedResource.getEnvProperty(Unknown Source)
>>         at org.apache.derby.iapi.tools.i18n.LocalizedResource.init(Unknown Source)
>>         at org.apache.derby.iapi.tools.i18n.LocalizedResource.<init>(Unknown Source)
>>         at org.apache.derby.impl.drda.NetworkServerControlImpl.init(Unknown Source)
>>         at org.apache.derby.impl.drda.NetworkServerControlImpl.<init>(Unknown Source)
>>         at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
>> access: domain that failed ProtectionDomain  (file:/C:/Apache/db-derby-10.8.2.2-bin/lib/derby.jar <no signer certificates>)
>>  sun.misc.Launcher$AppClassLoader@19821f
>> <no principals>
>>  java.security.Permissions@1f7d134 (
>>  (java.util.PropertyPermission line.separator read)
>>  (java.util.PropertyPermission java.vm.version read)
>>  (java.util.PropertyPermission java.vm.specification.version read)
>>  (java.util.PropertyPermission java.vm.specification.vendor read)
>>  (java.util.PropertyPermission java.vendor.url read)
>>  (java.util.PropertyPermission java.vm.name read)
>>  (java.util.PropertyPermission os.name read)
>>  (java.util.PropertyPermission java.vm.vendor read)
>>  (java.util.PropertyPermission path.separator read)
>>  (java.util.PropertyPermission java.specification.name read)
>>  (java.util.PropertyPermission os.version read)
>>  (java.util.PropertyPermission os.arch read)
>>  (java.util.PropertyPermission java.class.version read)
>>  (java.util.PropertyPermission java.version read)
>>  (java.util.PropertyPermission file.separator read)
>>  (java.util.PropertyPermission java.vendor read)
>>  (java.util.PropertyPermission java.vm.specification.name read)
>>  (java.util.PropertyPermission java.specification.version read)
>>  (java.util.PropertyPermission java.specification.vendor read)
>>  (java.io.FilePermission \C:\Apache\db-derby-10.8.2.2-bin\lib\derby.jar read)
>>  (java.net.SocketPermission localhost:1024- listen,resolve)
>>  (java.lang.RuntimePermission stopThread)
>>  (java.lang.RuntimePermission exitVM)
>> )
>>
>> access: access denied (java.util.PropertyPermission derby.ui.locale read)
>> java.lang.Exception: Stack trace
>>         at java.lang.Thread.dumpStack(Thread.java:1206)
>>         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
>>         at java.security.AccessController.checkPermission(AccessController.java:546)
>>         at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>>         at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
>>         at java.lang.System.getProperty(System.java:650)
>>         at org.apache.derby.iapi.tools.i18n.LocalizedResource.run(Unknown Source)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at org.apache.derby.iapi.tools.i18n.LocalizedResource.getEnvProperty(Unknown Source)
>>         at org.apache.derby.iapi.tools.i18n.LocalizedResource.init(Unknown Source)
>>         at org.apache.derby.iapi.tools.i18n.LocalizedResource.<init>(Unknown Source)
>>         at org.apache.derby.impl.drda.NetworkServerControlImpl.init(Unknown Source)
>>         at org.apache.derby.impl.drda.NetworkServerControlImpl.<init>(Unknown Source)
>>         at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
>> access: domain that failed ProtectionDomain  (file:/C:/Apache/db-derby-10.8.2.2-bin/lib/derby.jar <no signer certificates>)
>>  sun.misc.Launcher$AppClassLoader@19821f
>> <no principals>
>>  java.security.Permissions@c7e553 (
>>  (java.util.PropertyPermission line.separator read)
>>  (java.util.PropertyPermission java.vm.version read)
>>  (java.util.PropertyPermission java.vm.specification.version read)
>>  (java.util.PropertyPermission java.vm.specification.vendor read)
>>  (java.util.PropertyPermission java.vendor.url read)
>>  (java.util.PropertyPermission java.vm.name read)
>>  (java.util.PropertyPermission os.name read)
>>  (java.util.PropertyPermission java.vm.vendor read)
>>  (java.util.PropertyPermission path.separator read)
>>  (java.util.PropertyPermission java.specification.name read)
>>  (java.util.PropertyPermission os.version read)
>>  (java.util.PropertyPermission os.arch read)
>>  (java.util.PropertyPermission java.class.version read)
>>  (java.util.PropertyPermission java.version read)
>>  (java.util.PropertyPermission file.separator read)
>>  (java.util.PropertyPermission java.vendor read)
>>  (java.util.PropertyPermission java.vm.specification.name read)
>>  (java.util.PropertyPermission java.specification.version read)
>>  (java.util.PropertyPermission java.specification.vendor read)
>>  (java.io.FilePermission \C:\Apache\db-derby-10.8.2.2-bin\lib\derby.jar read)
>>  (java.net.SocketPermission localhost:1024- listen,resolve)
>>  (java.lang.RuntimePermission stopThread)
>>  (java.lang.RuntimePermission exitVM)
>> )
>> access: access denied (java.util.PropertyPermission derby.system.home read)
>> java.lang.Exception: Stack trace
>>         at java.lang.Thread.dumpStack(Thread.java:1206)
>>         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
>>         at java.security.AccessController.checkPermission(AccessController.java:546)
>>         at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>>         at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
>>         at java.lang.System.getProperty(System.java:650)
>>         at org.apache.derby.impl.services.monitor.FileMonitor.PBinitialize(Unknown Source)
>>         at org.apache.derby.impl.services.monitor.FileMonitor.run(Unknown Source)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at org.apache.derby.impl.services.monitor.FileMonitor.initialize(Unknown Source)
>>         at org.apache.derby.impl.services.monitor.FileMonitor.<init>(Unknown Source)
>>         at org.apache.derby.iapi.services.monitor.Monitor.getMonitorLite(Unknown Source)
>>         at org.apache.derby.iapi.services.property.PropertyUtil.getSystemProperty(Unknown Source)
>>         at org.apache.derby.iapi.services.property.PropertyUtil.getSystemProperty(Unknown Source)
>>         at org.apache.derby.impl.drda.NetworkServerControlImpl.getPropertyInfo(Unknown Source)
>>         at org.apache.derby.impl.drda.NetworkServerControlImpl.<init>(Unknown Source)
>>         at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
>> access: access denied (java.io.FilePermission derby.properties read)
>> java.lang.Exception: Stack trace
>>         at java.lang.Thread.dumpStack(Thread.java:1206)
>>         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
>>         at java.security.AccessController.checkPermission(AccessController.java:546)
>>         at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>>         at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
>>         at java.io.File.exists(File.java:731)
>>         at org.apache.derby.impl.services.monitor.FileMonitor.PBapplicationPropertiesStream(Unknown Source)
>>         at org.apache.derby.impl.services.monitor.FileMonitor.run(Unknown Source)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at org.apache.derby.impl.services.monitor.FileMonitor.applicationPropertiesStream(Unknown Source)
>>         at org.apache.derby.impl.services.monitor.BaseMonitor.readApplicationProperties(Unknown Source)
>>         at org.apache.derby.impl.services.monitor.FileMonitor.<init>(Unknown Source)
>>         at org.apache.derby.iapi.services.monitor.Monitor.getMonitorLite(Unknown Source)
>>         at org.apache.derby.iapi.services.property.PropertyUtil.getSystemProperty(Unknown Source)
>>         at org.apache.derby.iapi.services.property.PropertyUtil.getSystemProperty(Unknown Source)
>>         at org.apache.derby.impl.drda.NetworkServerControlImpl.getPropertyInfo(Unknown Source)
>>         at org.apache.derby.impl.drda.NetworkServerControlImpl.<init>(Unknown Source)
>>         at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
>> access: access denied (java.util.PropertyPermission derby.drda.logConnections read)
>> java.lang.Exception: Stack trace
>>         at java.lang.Thread.dumpStack(Thread.java:1206)
>>         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
>>         at java.security.AccessController.checkPermission(AccessController.java:546)
>>         at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>>         at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
>>         at java.lang.System.getProperty(System.java:650)
>>         at org.apache.derby.impl.services.monitor.FileMonitor.PBgetJVMProperty(Unknown Source)
>>         at org.apache.derby.impl.services.monitor.FileMonitor.run(Unknown Source)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at org.apache.derby.impl.services.monitor.FileMonitor.getJVMProperty(Unknown Source)
>>         at org.apache.derby.iapi.services.property.PropertyUtil.getSystemProperty(Unknown Source)
>>         at org.apache.derby.iapi.services.property.PropertyUtil.getSystemProperty(Unknown Source)
>>         at org.apache.derby.impl.drda.NetworkServerControlImpl.getPropertyInfo(Unknown Source)
>>         at org.apache.derby.impl.drda.NetworkServerControlImpl.<init>(Unknown Source)
>>         at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
>>
>> access: access denied (java.io.FilePermission derby.log read)
>> java.lang.Exception: Stack trace
>>         at java.lang.Thread.dumpStack(Thread.java:1206)
>>         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
>>         at java.security.AccessController.checkPermission(AccessController.java:546)
>>         at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>>         at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
>>         at java.io.File.exists(File.java:731)
>>         at org.apache.derby.impl.services.stream.SingleStream.PBmakeFileHPW(Unknown Source)
>>         at org.apache.derby.impl.services.stream.SingleStream.run(Unknown Source)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at org.apache.derby.impl.services.stream.SingleStream.makeFileHPW(Unknown Source)
>>         at org.apache.derby.impl.services.stream.SingleStream.createDefaultStream(Unknown Source)
>>         at org.apache.derby.impl.services.stream.SingleStream.makeStream(Unknown Source)
>>         at org.apache.derby.impl.services.stream.SingleStream.boot(Unknown Source)
>>         at org.apache.derby.impl.services.monitor.BaseMonitor.boot(Unknown Source)
>>         at org.apache.derby.impl.services.monitor.TopService.bootModule(Unknown Source)
>>         at org.apache.derby.impl.services.monitor.BaseMonitor.startModule(Unknown Source)
>>         at org.apache.derby.iapi.services.monitor.Monitor.startSystemModule(Unknown Source)
>>         at org.apache.derby.impl.services.monitor.BaseMonitor.runWithState(Unknown Source)
>>         at org.apache.derby.impl.services.monitor.FileMonitor.<init>(Unknown Source)
>>         at org.apache.derby.iapi.services.monitor.Monitor.startMonitor(Unknown Source)
>>         at org.apache.derby.iapi.jdbc.JDBCBoot.boot(Unknown Source)
>>         at org.apache.derby.jdbc.EmbeddedDriver.boot(Unknown Source)
>>         at org.apache.derby.jdbc.EmbeddedDriver.<clinit>(Unknown Source)
>>         at java.lang.Class.forName0(Native Method)
>>         at java.lang.Class.forName(Class.java:169)
>>         at org.apache.derby.impl.drda.NetworkServerControlImpl.startNetworkServer(Unknown Source)
>>         at org.apache.derby.impl.drda.NetworkServerControlImpl.blockingStart(Unknown Source)
>>         at org.apache.derby.impl.drda.NetworkServerControlImpl.executeWork(Unknown Source)
>>         at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
>>
>> Thank you
>>
>> 2014-07-29 21:48 GMT+09:00 Rick Hillegas <rick.hillegas@oracle.com>:
>>
>>
>>     Could you attach the security policy you are using as well as the
>>     derby.log file which shows the complete stack trace of the
>>     security exception?
>>
>>     Thanks,
>>     -Rick
>>
>>
>>     On 7/28/14 10:03 PM, 정용환 wrote:
>>
>>
>>
>>         Hello, I am a Derby user in Korea.
>>
>>         I have a problem when I try replication.
>>
>>         I succeeded at replication in embedded mode,
>>         and at replication in server mode with no security manager.
>>
>>         But replication does not work in server mode with the security manager.
>>
>>         The manual says:
>>
>>         "If you want to perform replication with the security manager
>>         enabled, you must modify the security policy file on both the
>>         master and slave systems to allow the master-slave network
>>         connection."
>>
>>         So I tried to modify the security policy file
>>         following the "Customizing the Network Server's security policy"
>>         section,
>>
>>         but when I start the server with
>>
>>         C:\Apache\db-derby-10.8.2.2-bin-slave\bin\startNetworkServer.bat
>>         -h 192.168.0.10 -p 1530
>>
>>         (the following is part of startNetworkServer.bat)
>>
>>         "%_JAVACMD%" -Djava.security.manager
>>         -Djava.security.policy=C:\Apache\db-derby-10.8.2.2-bin-slave\lib
>>         %DERBY_OPTS% -classpath "%LOCALCLASSPATH%"
>>         org.apache.derby.drda.NetworkServerControl start
>>         %DERBY_CMD_LINE_ARGS%
>>
>>         the cmd log shows
>>         "Thread[main,5,main] java.security.AccessControlException :
>>         access denied (java.io.FilePermission derby.log read)"
>>
>>         Then the server starts,
>>         but when I connect to the db, the error message shows
>>         "data volume is not enough, expected minimum volume is 6 byte but
>>         received volume is 0 byte. connect is end."
>>
>>         Please give me a hint or solution to solve that problem.
>>
>>         OS is Windows 7.
>>
>>         Thank you.
>>
>>
>>
>>
>
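
Two things went wrong in this thread and the access:failure output shows both: the policy's codeBase URLs were written with backslashes, so they never matched the codeBase the JVM reported for the jar (file:/C:/...), and the reported jar came from the -bin installation rather than -bin-slave until DERBY_HOME was set. As an added check for this page (example code, not from the thread or from Derby), here is a small linter for those pitfalls. It assumes a policy made only of `grant codeBase "..." { ... };` blocks (no signedBy/principal clauses or keystore entries), and its codeBase comparison is a simplification of the JVM's URL matching that treats `file:///C:/...` and `file:/C:/...` as the same jar while leaving backslashes untouched. The sample policies and the reported domain URL are constructed from the paths in the thread; `REPORTED_DOMAIN`, `BROKEN_POLICY` and `FIXED_POLICY` are names introduced here.

```python
"""Lint a Java security policy of the kind Derby's Network Server is started
with. Added example for this page, not code from the thread or from Derby.
The sample policies are constructed from the paths in the thread; the
codeBase comparison is a simplification of the JVM's URL matching."""
import re

_STRING = r'"(?:[^"\\]|\\.)*"'
# Strip // comments but keep quoted strings intact ("file:///C:/..." has //).
_COMMENT_OR_STRING_RE = re.compile(_STRING + r"|//[^\n]*")
_GRANT_RE = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)
_PERM_RE = re.compile(
    r'permission\s+([\w.]+)\s+"((?:[^"\\]|\\.)*)"(?:\s*,\s*"([^"]*)")?\s*;')


def parse_policy(text):
    """Return [(code_base, [(perm_class, target, actions_set), ...]), ...].
    Handles only grant codeBase "..." { ... }; blocks (no signedBy/principal)."""
    text = _COMMENT_OR_STRING_RE.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else "", text)
    grants = []
    for g in _GRANT_RE.finditer(text):
        perms = []
        for p in _PERM_RE.finditer(g.group(2)):
            actions = {a.strip() for a in (p.group(3) or "").split(",") if a.strip()}
            perms.append((p.group(1), p.group(2), actions))
        grants.append((g.group(1), perms))
    return grants


def _canonical(url):
    """file:///C:/x and file:/C:/x name the same jar (empty host, same path).
    Backslashes are deliberately left alone: the JVM does not translate them,
    which is why a backslash codeBase never matches a reported domain."""
    if not url.startswith("file:"):
        return url
    return "file:/" + url[len("file:"):].lstrip("/")


def grant_applies(code_base, domain_url):
    return _canonical(code_base) == _canonical(domain_url)


def property_readable(policy_text, domain_url, prop):
    """True if a grant applying to domain_url gives PropertyPermission read on
    prop: exactly, via "*", or via a "prefix.*" wildcard such as "derby.*"."""
    for code_base, perms in parse_policy(policy_text):
        if not grant_applies(code_base, domain_url):
            continue
        for cls, target, actions in perms:
            if cls != "java.util.PropertyPermission" or "read" not in actions:
                continue
            if target in (prop, "*") or (
                    target.endswith(".*") and prop.startswith(target[:-1])):
                return True
    return False


def lint(policy_text):
    """Return [(finding_code, code_base), ...] in policy order."""
    findings = []
    for code_base, perms in parse_policy(policy_text):
        if code_base.startswith("file:") and "\\" in code_base:
            findings.append(("BACKSLASH_CODEBASE", code_base))
        for cls, target, actions in perms:
            if (cls == "java.io.FilePermission" and target == "<<ALL FILES>>"
                    and actions & {"write", "delete", "execute"}):
                findings.append(("ALL_FILES_WRITE", code_base))
            if cls == "java.net.SocketPermission" and target == "*" and "accept" in actions:
                findings.append(("ACCEPT_FROM_ANY_HOST", code_base))
    return findings


# Constructed sample modelled on the thread's first policy: backslash codeBases.
BROKEN_POLICY = r'''
grant codeBase "file:///C:\Apache\db-derby-10.8.2.2-bin-slave\lib\derby.jar" {
  permission java.util.PropertyPermission "derby.*", "read";
  permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
};
grant codeBase "file:///C:\Apache\db-derby-10.8.2.2-bin-slave\lib\derbynet.jar" {
  permission java.net.SocketPermission "*", "accept";
};
'''

# Forward slashes, the DERBY-6680 property, file/socket access narrowed to
# the slave directory and the master host used in the thread (constructed).
FIXED_POLICY = r'''
grant codeBase "file:///C:/Apache/db-derby-10.8.2.2-bin-slave/lib/derby.jar" {
  permission java.util.PropertyPermission "derby.*", "read";
  permission java.io.FilePermission "C:/derby/slave${/}-", "read,write,delete";
};
grant codeBase "file:///C:/Apache/db-derby-10.8.2.2-bin-slave/lib/derbynet.jar" {
  permission java.util.PropertyPermission "derby.ui.codeset", "read";
  // replication: accept only the master, not "*"
  permission java.net.SocketPermission "192.168.0.10", "accept,resolve";
};
'''

# Domain the thread's access:failure output reported: derby.jar came from the
# -bin installation, not -bin-slave, until DERBY_HOME pointed at the slave.
REPORTED_DOMAIN = "file:/C:/Apache/db-derby-10.8.2.2-bin/lib/derby.jar"
```

Run `lint(BROKEN_POLICY)` to get the backslash finding for both grants plus the two broad grants (`<<ALL FILES>>` with write/delete on derby.jar, `accept` from any host on derbynet.jar); `lint(FIXED_POLICY)` is empty. `grant_applies(parse_policy(FIXED_POLICY)[0][0], REPORTED_DOMAIN)` is still False: even with forward slashes, a grant for the -bin-slave jar does nothing for a JVM that loaded derby.jar from -bin, which is why setting DERBY_HOME was the second half of the fix. `property_readable(..., "derby.ui.codeset")` answers the question the denied PropertyPermission in the trace raises, honouring the `derby.*` wildcard on derby.jar.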
