db-derby-user mailing list archives

From Rick Hillegas <rick.hille...@gmail.com>
Subject Re: AccessControlException with no security manager
Date Fri, 07 Jun 2019 13:49:01 GMT
The check for the usederbyinternals permission is done by 
SecurityUtil.checkDerbyInternalsPrivilege(). That is the only place we 
check for that permission. The code itself is guarded by a check for 
whether a SecurityManager has been installed. That is, the check is ONLY 
performed when a SecurityManager is installed.

I don't know what to make of the observation that this problem started 
after upgrading to Java 8. But that might be a useful clue.

On 6/7/19 5:42 AM, Besosa, Michael wrote:
> I'll open an issue, as you suggest, with the information you 
> requested. And no, I can't provide a minimum reproducible case yet. A 
> problem with doing so is that the behavior appears to be sporadic. I 
> haven't found a way to reproduce it reliably yet.
>
> On Thu, Jun 6, 2019 at 8:15 PM Bryan Pendleton 
> <bpendleton.derby@gmail.com <mailto:bpendleton.derby@gmail.com>> wrote:
>
>     Probably best to open an issue in the Derby JIRA, to help keep the
>     conversation easy to find and track.
>
>     Can you share the complete stack trace of the AccessControlException?
>
>     Can you share a run of 'sysinfo' in a configuration where this occurs?
>
>     I don't suppose you've been able to whittle this down to a Minimum
>     Reproducible Case yet, have you?
>
>     thanks,
>
>     bryan
>
>     On Thu, Jun 6, 2019 at 6:22 AM Besosa, Michael
>     <michael.besosa@pearson.com <mailto:michael.besosa@pearson.com>>
>     wrote:
>     >
>     > We're still interested in ideas about this problem. We are
>     getting occasional AccessControlExceptions in an environment with
>     no SecurityManager installed. This behavior appears to have
>     started when we migrated our application to Java 8. It was never
>     seen prior to that. If there is additional information that would
>     be useful, please let me know.
>     >
>     > On Mon, Jun 3, 2019 at 8:17 PM Bryan Pendleton
>     <bpendleton.derby@gmail.com <mailto:bpendleton.derby@gmail.com>>
>     wrote:
>     >>
>     >> Ah, good point.
>     >>
>     >> Yes, I missed that, and yes I was thinking about the network
>     server.
>     >>
>     >> Sorry about that.
>     >>
>     >> bryan
>     >>
>     >> On Mon, Jun 3, 2019 at 8:37 AM Besosa, Michael
>     >> <michael.besosa@pearson.com
>     <mailto:michael.besosa@pearson.com>> wrote:
>     >> >
>     >> > Thinking about it a bit more, I wonder if you missed that
>     this is using the embedded engine, not the network server. I know
>     that the network server installs a security manager by default,
>     and that there is a system property that can be set to disable
>     that behavior. But that's not applicable in our situation.
>     >> >
>     >> > On Mon, Jun 3, 2019 at 8:52 AM Besosa, Michael
>     <michael.besosa@pearson.com <mailto:michael.besosa@pearson.com>>
>     wrote:
>     >> >>
>     >> >> I don't understand what you mean when you say, "Even if you
>     don't install a Java security manager...you get a security manager
>     anyway." I don't have (haven't installed) a security manager and
>     System.getSecurityManager() returns null. And if I "really,
>     really" don't want a security manager, how can I say so, other
>     than executing System.setSecurityManager(null)?
>     >> >>
>     >> >> On Fri, May 31, 2019 at 9:03 PM Bryan Pendleton
>     <bpendleton.derby@gmail.com <mailto:bpendleton.derby@gmail.com>>
>     wrote:
>     >> >>>
>     >> >>> I feel like you're probably hitting DERBY-6648:
>     >> >>>
>     https://urldefense.proofpoint.com/v2/url?u=https-3A__issues.apache.org_jira_browse_DERBY-2D6648&d=DwIFaQ&c=0YLnzTkWOdJlub_y7qAx8Q&r=Wl0HX9k4fXSgP8TsHwfE2EzboRhWUZIw3D92MjZ0k8A&m=jAZ8M-UCTv0Ms-FrB1NaYA62mIGrbUhHirW9AxhEyxw&s=Hutrm_MTSwNDtab2E2bMNCxLo0eDRIZrB1B5x2AL-1k&e=
>     >> >>>
>     >> >>> Even if you don't install a Java security manager (perhaps
>     especially
>     >> >>> if that is so), you get a security manager anyway.
>     >> >>>
>     >> >>> If you really, really don't want a security manager, you
>     can say so.
>     >> >>>
>     >> >>> Or, bite the bullet and define a security manager, and start
>     >> >>> assembling the precise security policy that is right for your
>     >> >>> particular situation, as in:
>     >> >>>
>     https://urldefense.proofpoint.com/v2/url?u=https-3A__stackoverflow.com_a_52392015_193453&d=DwIFaQ&c=0YLnzTkWOdJlub_y7qAx8Q&r=Wl0HX9k4fXSgP8TsHwfE2EzboRhWUZIw3D92MjZ0k8A&m=jAZ8M-UCTv0Ms-FrB1NaYA62mIGrbUhHirW9AxhEyxw&s=uackNzNN36boV8-m6DGN7VJOPwN4tnfuUwgQBgOmv0I&e=
>     ,
>     >> >>>
>     https://urldefense.proofpoint.com/v2/url?u=https-3A__db.apache.org_derby_docs_10.13_security_csecembeddedperms.html&d=DwIFaQ&c=0YLnzTkWOdJlub_y7qAx8Q&r=Wl0HX9k4fXSgP8TsHwfE2EzboRhWUZIw3D92MjZ0k8A&m=jAZ8M-UCTv0Ms-FrB1NaYA62mIGrbUhHirW9AxhEyxw&s=53JhmaGEsK92jA_W0ofwQrvGLuaZ-TLXOiDawh9P3rQ&e=
>     >> >>> , etc.
>     >> >>>
>     >> >>> bryan
>     >> >>>
>     >> >>> On Fri, May 31, 2019 at 11:58 AM Besosa, Michael
>     >> >>> <michael.besosa@pearson.com
>     <mailto:michael.besosa@pearson.com>> wrote:
>     >> >>> >
>     >> >>> > We have an application that is using the Derby 10.12.1.1
>     embedded engine and Java 8. When the app executes the SELECT shown
>     below, we see an exception with the message 'access denied
>     org.apache.derby.security.SystemPermission( "engine",
>     "usederbyinternals" ): java.security.AccessControlException'.
>     >> >>> >
>     >> >>> > This application does not install a SecurityManager. I'm
>     at a bit of a loss about how to fix this.
>     >> >>> >
>     >> >>> > The query:
>     >> >>> >
>     >> >>> > SELECT
>     >> >>> >  DeliveryEvent.AppointmentStart,
>     >> >>> >         DeliveryEvent.Attempt,
>     >> >>> >  DeliveryEvent.BiometricCheckTypeCode,
>     >> >>> >         DeliveryEvent.CandidateID,
>     >> >>> >  DeliveryEvent.DeliveryStatus,
>     >> >>> >  DeliveryEvent.ExamLanguageID,
>     >> >>> >  DeliveryEvent.HasNoTestListBlock,
>     >> >>> >  DeliveryEvent.IsDisconnectedIBTDelivery,
>     >> >>> >  DeliveryEvent.NextAppointmentID,
>     >> >>> >  DeliveryEvent.ProcessStateCode,
>     >> >>> >         DeliveryEvent.ProctorID,
>     >> >>> >  DeliveryEvent.RegisteredExamVersionID,
>     >> >>> >  DeliveryEvent.RegistrationID,
>     >> >>> >  DeliveryEvent.SelectedFormID,
>     >> >>> >  DeliveryEvent.SelectedExamVersionID,
>     >> >>> >  DeliveryEvent.TerminationDate,
>     >> >>> >         DeliveryEvent.TimeLimit,
>     >> >>> >  DeliveryEvent.TimeLimitAdjust,
>     >> >>> >         Clients.Client_ID AS ClientID,
>     >> >>> >         Clients.ClientName AS ClientName,
>     >> >>> >         ExamSeries.Code AS ExamSeriesCode,
>     >> >>> >         ExamVersion.DriverID AS DriverID,
>     >> >>> >         ExamLanguage.Title AS TranslatedTitle,
>     >> >>> >         (SELECT AppUser.FirstName || ' ' ||
>     AppUser.LastName FROM ((((((AssetAppUser INNER JOIN AppUser ON
>     AssetAppUser.AppUserID = AppUser.ID) INNER JOIN AssetUsage ON
>     AssetAppUser.AssetID = AssetUsage.AssetID) INNER JOIN Asset ON
>     AssetUsage.AssetID = Asset.ID) INNER JOIN AssetType ON
>     Asset.AssetTypeID = AssetType.ID) INNER JOIN AssetTypeProperty ON
>     AssetType.ID = AssetTypeProperty.AssetTypeID AND
>     AssetTypeProperty.AssetTypePropertyValue = 'Examiner') INNER JOIN
>     AssetTypePropertyKey ON AssetTypeProperty.AssetTypePropertyKeyID =
>     AssetTypePropertyKey.AssetTypePropertyKeyID AND
>     AssetTypePropertyKey.AssetTypePropertyKeyName = 'AssetSubClass')
>     WHERE (AssetUsage.OrderItemID = DeliveryEvent.RegistrationID)
>     FETCH FIRST 1 ROWS ONLY) AS ExaminerName,
>     >> >>> >         (SELECT Asset.Name FROM ((((Asset INNER JOIN
>     AssetType ON Asset.AssetTypeID = AssetType.ID) INNER JOIN
>     AssetUsage ON Asset.ID = AssetUsage.AssetID) INNER JOIN
>     AssetTypeProperty ON AssetType.ID = AssetTypeProperty.AssetTypeID
>     AND AssetTypeProperty.AssetTypePropertyValue = 'Vehicle') INNER
>     JOIN AssetTypePropertyKey ON
>     AssetTypeProperty.AssetTypePropertyKeyID =
>     AssetTypePropertyKey.AssetTypePropertyKeyID AND
>     AssetTypePropertyKey.AssetTypePropertyKeyName = 'AssetSubClass')
>     WHERE (AssetUsage.OrderItemID = DeliveryEvent.RegistrationID) AND
>     (AssetType.AssetClassCode IN
>     ('Facility','Workstation','CiscoRack','TaskSchedule')) FETCH FIRST
>     1 ROWS ONLY) AS VehicleName,
>     >> >>> >         (SELECT COUNT(*) FROM (Accommodation INNER JOIN
>     AccommodationStatus ON Accommodation.AccommodationStatusID =
>     AccommodationStatus.AccommodationStatusID AND
>     AccommodationStatus.StatusCode = 'Granted') WHERE
>     (Accommodation.OrderItemID = DeliveryEvent.RegistrationID)) AS
>     AccommodationCount,
>     >> >>> >         (SELECT COUNT(*) FROM DeliveryBlockedReason WHERE
>     (DeliveryBlockedReason.DeliveryEventID =
>     DeliveryEvent.RegistrationID)) AS ReasonsBlockedCount,
>     >> >>> >         (SELECT DeliveryEventNext.RegistrationID FROM
>     DeliveryEvent AS DeliveryEventNext WHERE
>     (DeliveryEvent.RegistrationID =
>     DeliveryEventNext.NextAppointmentID)) AS FirstDayRegistrationID
>     >> >>> > FROM ((((
>     >> >>> >         DeliveryEvent
>     >> >>> >         INNER JOIN ExamLanguage
>     >> >>> >                 ON DeliveryEvent.ExamLanguageID = ExamLanguage.ID)
>     >> >>> >         INNER JOIN ExamSeries ON ExamLanguage.ExamSeriesID = ExamSeries.ID)
>     >> >>> > INNER JOIN Clients
>     >> >>> > ON ExamSeries.Client_ID = Clients.Client_ID)
>     >> >>> > LEFT JOIN ExamVersion
>     >> >>> > ON DeliveryEvent.RegisteredExamVersionID = ExamVersion.ID)
>     >> >>> > WHERE
>     >> >>> > (DeliveryEvent.RegistrationID = 5)
>
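
Added example, not Derby's code and not part of the original thread: a minimal Java 8 sketch of the guard pattern described at the top of this message, plus a diagnostic that can be called from the catch block around the failing query to record whether a SecurityManager was installed at that moment. `GuardedCheckDemo`, `DemoPermission`, `checkInternalsPrivilege` and `describeSecurityManager` are hypothetical names; `DemoPermission` stands in for Derby's `SystemPermission` so the class compiles without derby.jar.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.BasicPermission;

public class GuardedCheckDemo {

    // Hypothetical stand-in for
    // org.apache.derby.security.SystemPermission("engine", "usederbyinternals").
    static final class DemoPermission extends BasicPermission {
        DemoPermission(String name) { super(name); }
    }

    // Guard pattern: the permission check runs only when a SecurityManager
    // is installed in this JVM at the time of the call.
    static void checkInternalsPrivilege() {
        if (System.getSecurityManager() != null) {
            AccessController.checkPermission(new DemoPermission("usederbyinternals"));
        }
    }

    // Diagnostic: report what is installed right now, on the failing thread.
    static String describeSecurityManager() {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            return "no SecurityManager installed";
        }
        return "SecurityManager installed: " + sm.getClass().getName()
                + " (thread " + Thread.currentThread().getName() + ")";
    }

    public static void main(String[] args) {
        // 1. Nothing installed: the guard skips the check, no exception.
        checkInternalsPrivilege();
        System.out.println("before: " + describeSecurityManager());

        // 2. Install a default manager (works on Java 8; later JDKs restrict
        //    or reject this call). The demo permission is not granted by the
        //    default policy, so the same call now fails.
        System.setSecurityManager(new SecurityManager());
        try {
            checkInternalsPrivilege();
        } catch (AccessControlException e) {
            System.out.println("denied: " + e.getMessage());
            System.out.println("at failure: " + describeSecurityManager());
        }
    }
}
```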

