AccessControlException with no security manager

Besosa, Michael
We have an application that is using the Derby 10.12.1.1 embedded engine and Java 8. When the app executes the SELECT shown below, we see an exception with the message 'access denied org.apache.derby.security.SystemPermission( "engine", "usederbyinternals" ): java.security.AccessControlException'.

This application does not install a SecurityManager. I'm at a bit of a loss about how to fix this.

The query:

SELECT
        DeliveryEvent.AppointmentStart,
        DeliveryEvent.Attempt,
        DeliveryEvent.BiometricCheckTypeCode,
        DeliveryEvent.CandidateID,
        DeliveryEvent.DeliveryStatus,
        DeliveryEvent.ExamLanguageID,
        DeliveryEvent.HasNoTestListBlock,
        DeliveryEvent.IsDisconnectedIBTDelivery,
        DeliveryEvent.NextAppointmentID,
        DeliveryEvent.ProcessStateCode,
        DeliveryEvent.ProctorID,
        DeliveryEvent.RegisteredExamVersionID,
        DeliveryEvent.RegistrationID,
        DeliveryEvent.SelectedFormID,
        DeliveryEvent.SelectedExamVersionID,
        DeliveryEvent.TerminationDate,
        DeliveryEvent.TimeLimit,
        DeliveryEvent.TimeLimitAdjust,
        Clients.Client_ID AS ClientID,
        Clients.ClientName AS ClientName,
        ExamSeries.Code AS ExamSeriesCode,
        ExamVersion.DriverID AS DriverID,
        ExamLanguage.Title AS TranslatedTitle,
        (SELECT AppUser.FirstName || ' ' || AppUser.LastName FROM ((((((AssetAppUser INNER JOIN AppUser ON AssetAppUser.AppUserID = AppUser.ID) INNER JOIN AssetUsage ON AssetAppUser.AssetID = AssetUsage.AssetID) INNER JOIN Asset ON AssetUsage.AssetID = Asset.ID) INNER JOIN AssetType ON Asset.AssetTypeID = AssetType.ID) INNER JOIN AssetTypeProperty ON AssetType.ID = AssetTypeProperty.AssetTypeID AND AssetTypeProperty.AssetTypePropertyValue = 'Examiner') INNER JOIN AssetTypePropertyKey ON AssetTypeProperty.AssetTypePropertyKeyID = AssetTypePropertyKey.AssetTypePropertyKeyID AND AssetTypePropertyKey.AssetTypePropertyKeyName = 'AssetSubClass') WHERE (AssetUsage.OrderItemID = DeliveryEvent.RegistrationID) FETCH FIRST 1 ROWS ONLY) AS ExaminerName,
        (SELECT Asset.Name FROM ((((Asset INNER JOIN AssetType ON Asset.AssetTypeID = AssetType.ID) INNER JOIN AssetUsage ON Asset.ID = AssetUsage.AssetID) INNER JOIN AssetTypeProperty ON AssetType.ID = AssetTypeProperty.AssetTypeID AND AssetTypeProperty.AssetTypePropertyValue = 'Vehicle') INNER JOIN AssetTypePropertyKey ON AssetTypeProperty.AssetTypePropertyKeyID = AssetTypePropertyKey.AssetTypePropertyKeyID AND AssetTypePropertyKey.AssetTypePropertyKeyName = 'AssetSubClass') WHERE (AssetUsage.OrderItemID = DeliveryEvent.RegistrationID) AND (AssetType.AssetClassCode IN ('Facility','Workstation','CiscoRack','TaskSchedule')) FETCH FIRST 1 ROWS ONLY) AS VehicleName,
        (SELECT COUNT(*) FROM (Accommodation INNER JOIN AccommodationStatus ON Accommodation.AccommodationStatusID = AccommodationStatus.AccommodationStatusID AND AccommodationStatus.StatusCode = 'Granted') WHERE (Accommodation.OrderItemID = DeliveryEvent.RegistrationID)) AS AccommodationCount,
        (SELECT COUNT(*) FROM DeliveryBlockedReason WHERE (DeliveryBlockedReason.DeliveryEventID = DeliveryEvent.RegistrationID)) AS ReasonsBlockedCount,
        (SELECT DeliveryEventNext.RegistrationID FROM DeliveryEvent AS DeliveryEventNext WHERE (DeliveryEvent.RegistrationID = DeliveryEventNext.NextAppointmentID)) AS FirstDayRegistrationID
FROM ((((
        DeliveryEvent
        INNER JOIN ExamLanguage
                ON DeliveryEvent.ExamLanguageID = ExamLanguage.ID)
        INNER JOIN ExamSeries
                ON ExamLanguage.ExamSeriesID = ExamSeries.ID)
        INNER JOIN Clients
                ON ExamSeries.Client_ID = Clients.Client_ID)
        LEFT JOIN ExamVersion
                ON DeliveryEvent.RegisteredExamVersionID = ExamVersion.ID)
WHERE
        (DeliveryEvent.RegistrationID = 5)

Re: AccessControlException with no security manager

Bryan Pendleton-3
I feel like you're probably hitting DERBY-6648:
https://issues.apache.org/jira/browse/DERBY-6648

Even if you don't install a Java security manager (perhaps especially
if that is so), you get a security manager anyway.

If you really, really don't want a security manager, you can say so.

Or, bite the bullet and define a security manager, and start
assembling the precise security policy that is right for your
particular situation, as in:
https://stackoverflow.com/a/52392015/193453,
https://db.apache.org/derby/docs/10.13/security/csecembeddedperms.html, etc.

bryan

On Fri, May 31, 2019 at 11:58 AM Besosa, Michael
<[hidden email]> wrote:

>
> We have an application that is using the Derby 10.12.1.1 embedded engine and Java 8. When the app executes the SELECT shown below, we see an exception with the message 'access denied org.apache.derby.security.SystemPermission( "engine", "usederbyinternals" ): java.security.AccessControlException'.
>
> This application does not install a SecurityManager. I'm at a bit of a loss about how to fix this.

Re: AccessControlException with no security manager

Besosa, Michael
I don't understand what you mean when you say, "Even if you don't install a Java security manager...you get a security manager anyway." I don't have (haven't installed) a security manager and System.getSecurityManager() returns null. And if I "really, really" don't want a security manager, how can I say so, other than executing System.setSecurityManager(null)?

On Fri, May 31, 2019 at 9:03 PM Bryan Pendleton <[hidden email]> wrote:
I feel like you're probably hitting DERBY-6648:
https://issues.apache.org/jira/browse/DERBY-6648

Even if you don't install a Java security manager (perhaps especially
if that is so), you get a security manager anyway.

If you really, really don't want a security manager, you can say so.

Re: AccessControlException with no security manager

Besosa, Michael
Thinking about it a bit more, I wonder if you missed that this is using the embedded engine, not the network server. I know that the network server installs a security manager by default, and that there is a system property that can be set to disable that behavior. But that's not applicable in our situation.

On Mon, Jun 3, 2019 at 8:52 AM Besosa, Michael <[hidden email]> wrote:
I don't understand what you mean when you say, "Even if you don't install a Java security manager...you get a security manager anyway." I don't have (haven't installed) a security manager and System.getSecurityManager() returns null. And if I "really, really" don't want a security manager, how can I say so, other than executing System.setSecurityManager(null)?

Re: AccessControlException with no security manager

Bryan Pendleton-3
Ah, good point.

Yes, I missed that, and yes I was thinking about the network server.

Sorry about that.

bryan

On Mon, Jun 3, 2019 at 8:37 AM Besosa, Michael
<[hidden email]> wrote:

>
> Thinking about it a bit more, I wonder if you missed that this is using the embedded engine, not the network server. I know that the network server installs a security manager by default, and that there is a system property that can be set to disable that behavior. But that's not applicable in our situation.

Re: AccessControlException with no security manager

Besosa, Michael
We're still interested in ideas about this problem. We are getting occasional AccessControlExceptions in an environment with no SecurityManager installed. This behavior appears to have started when we migrated our application to Java 8. It was never seen prior to that. If there is additional information that would be useful, please let me know.

On Mon, Jun 3, 2019 at 8:17 PM Bryan Pendleton <[hidden email]> wrote:
Ah, good point.

Yes, I missed that, and yes I was thinking about the network server.

Sorry about that.

bryan

On Mon, Jun 3, 2019 at 8:37 AM Besosa, Michael
<[hidden email]> wrote:
>
> Thinking about it a bit more, I wonder if you missed that this is using the embedded engine, not the network server. I know that the network server installs a security manager by default, and that there is a system property that can be set to disable that behavior. But that's not applicable in our situation.
>
> On Mon, Jun 3, 2019 at 8:52 AM Besosa, Michael <[hidden email]> wrote:
>>
>> I don't understand what you mean when you say, "Even if you don't install a Java security manager...you get a security manager anyway." I don't have (haven't installed) a security manager and System.getSecurityManager() returns null. And if I "really, really" don't want a security manager, how can I say so, other than executing System.setSecurityManager(null)?
>>
>> On Fri, May 31, 2019 at 9:03 PM Bryan Pendleton <[hidden email]> wrote:
>>>
>>> I feel like you're probably hitting DERBY-6648:
>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__issues.apache.org_jira_browse_DERBY-2D6648&d=DwIFaQ&c=0YLnzTkWOdJlub_y7qAx8Q&r=Wl0HX9k4fXSgP8TsHwfE2EzboRhWUZIw3D92MjZ0k8A&m=jAZ8M-UCTv0Ms-FrB1NaYA62mIGrbUhHirW9AxhEyxw&s=Hutrm_MTSwNDtab2E2bMNCxLo0eDRIZrB1B5x2AL-1k&e=
>>>
>>> Even if you don't install a Java security manager (perhaps especially
>>> if that is so), you get a security manager anyway.
>>>
>>> If you really, really don't want a security manager, you can say so.
>>>
>>> Or, bite the bullet and define a security manager, and start
>>> assembling the precise security policy that is right for your
>>> particular situation, as in:
>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__stackoverflow.com_a_52392015_193453&d=DwIFaQ&c=0YLnzTkWOdJlub_y7qAx8Q&r=Wl0HX9k4fXSgP8TsHwfE2EzboRhWUZIw3D92MjZ0k8A&m=jAZ8M-UCTv0Ms-FrB1NaYA62mIGrbUhHirW9AxhEyxw&s=uackNzNN36boV8-m6DGN7VJOPwN4tnfuUwgQBgOmv0I&e=  ,
>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__db.apache.org_derby_docs_10.13_security_csecembeddedperms.html&d=DwIFaQ&c=0YLnzTkWOdJlub_y7qAx8Q&r=Wl0HX9k4fXSgP8TsHwfE2EzboRhWUZIw3D92MjZ0k8A&m=jAZ8M-UCTv0Ms-FrB1NaYA62mIGrbUhHirW9AxhEyxw&s=53JhmaGEsK92jA_W0ofwQrvGLuaZ-TLXOiDawh9P3rQ&e=
>>> , etc.
>>>
>>> bryan
>>>
>>> On Fri, May 31, 2019 at 11:58 AM Besosa, Michael
>>> <[hidden email]> wrote:
>>> >
>>> > We have an application that is using the Derby 10.12.1.1 embedded engine and Java 8. When the app executes the SELECT shown below, we see an exception with the message 'access denied org.apache.derby.security.SystemPermission( "engine", "usederbyinternals" ): java.security.AccessControlException'.
>>> >
>>> > This application does not install a SecurityManager. I'm at a bit of a loss about how to fix this.
>>> >
>>> > The query:
>>> >
>>> > SELECT
>>> >         DeliveryEvent.AppointmentStart,
>>> >         DeliveryEvent.Attempt,
>>> >         DeliveryEvent.BiometricCheckTypeCode,
>>> >         DeliveryEvent.CandidateID,
>>> >         DeliveryEvent.DeliveryStatus,
>>> >         DeliveryEvent.ExamLanguageID,
>>> >         DeliveryEvent.HasNoTestListBlock,
>>> >         DeliveryEvent.IsDisconnectedIBTDelivery,
>>> >         DeliveryEvent.NextAppointmentID,
>>> >         DeliveryEvent.ProcessStateCode,
>>> >         DeliveryEvent.ProctorID,
>>> >         DeliveryEvent.RegisteredExamVersionID,
>>> >         DeliveryEvent.RegistrationID,
>>> >         DeliveryEvent.SelectedFormID,
>>> >         DeliveryEvent.SelectedExamVersionID,
>>> >         DeliveryEvent.TerminationDate,
>>> >         DeliveryEvent.TimeLimit,
>>> >         DeliveryEvent.TimeLimitAdjust,
>>> >         Clients.Client_ID AS ClientID,
>>> >         Clients.ClientName AS ClientName,
>>> >         ExamSeries.Code AS ExamSeriesCode,
>>> >         ExamVersion.DriverID AS DriverID,
>>> >         ExamLanguage.Title AS TranslatedTitle,
>>> >         (SELECT AppUser.FirstName || ' ' || AppUser.LastName FROM ((((((AssetAppUser INNER JOIN AppUser ON AssetAppUser.AppUserID = AppUser.ID) INNER JOIN AssetUsage ON AssetAppUser.AssetID = AssetUsage.AssetID) INNER JOIN Asset ON AssetUsage.AssetID = Asset.ID) INNER JOIN AssetType ON Asset.AssetTypeID = AssetType.ID) INNER JOIN AssetTypeProperty ON AssetType.ID = AssetTypeProperty.AssetTypeID AND AssetTypeProperty.AssetTypePropertyValue = 'Examiner') INNER JOIN AssetTypePropertyKey ON AssetTypeProperty.AssetTypePropertyKeyID = AssetTypePropertyKey.AssetTypePropertyKeyID AND AssetTypePropertyKey.AssetTypePropertyKeyName = 'AssetSubClass') WHERE (AssetUsage.OrderItemID = DeliveryEvent.RegistrationID) FETCH FIRST 1 ROWS ONLY) AS ExaminerName,
>>> >         (SELECT Asset.Name FROM ((((Asset INNER JOIN AssetType ON Asset.AssetTypeID = AssetType.ID) INNER JOIN AssetUsage ON Asset.ID = AssetUsage.AssetID) INNER JOIN AssetTypeProperty ON AssetType.ID = AssetTypeProperty.AssetTypeID AND AssetTypeProperty.AssetTypePropertyValue = 'Vehicle') INNER JOIN AssetTypePropertyKey ON AssetTypeProperty.AssetTypePropertyKeyID = AssetTypePropertyKey.AssetTypePropertyKeyID AND AssetTypePropertyKey.AssetTypePropertyKeyName = 'AssetSubClass') WHERE (AssetUsage.OrderItemID = DeliveryEvent.RegistrationID) AND (AssetType.AssetClassCode IN ('Facility','Workstation','CiscoRack','TaskSchedule')) FETCH FIRST 1 ROWS ONLY) AS VehicleName,
>>> >         (SELECT COUNT(*) FROM (Accommodation INNER JOIN AccommodationStatus ON Accommodation.AccommodationStatusID = AccommodationStatus.AccommodationStatusID AND AccommodationStatus.StatusCode = 'Granted') WHERE (Accommodation.OrderItemID = DeliveryEvent.RegistrationID)) AS AccommodationCount,
>>> >         (SELECT COUNT(*) FROM DeliveryBlockedReason WHERE (DeliveryBlockedReason.DeliveryEventID = DeliveryEvent.RegistrationID)) AS ReasonsBlockedCount,
>>> >         (SELECT DeliveryEventNext.RegistrationID FROM DeliveryEvent AS DeliveryEventNext WHERE (DeliveryEvent.RegistrationID = DeliveryEventNext.NextAppointmentID)) AS FirstDayRegistrationID
>>> > FROM ((((
>>> >         DeliveryEvent
>>> >         INNER JOIN ExamLanguage
>>> >                 ON DeliveryEvent.ExamLanguageID = ExamLanguage.ID)
>>> >         INNER JOIN ExamSeries ON ExamLanguage.ExamSeriesID = ExamSeries.ID)
>>> > INNER JOIN Clients
>>> > ON ExamSeries.Client_ID = Clients.Client_ID)
>>> > LEFT JOIN ExamVersion
>>> > ON DeliveryEvent.RegisteredExamVersionID = ExamVersion.ID)
>>> > WHERE
>>> > (DeliveryEvent.RegistrationID = 5)

Re: AccessControlException with no security manager

Bryan Pendleton-3
Probably best to open an issue in the Derby JIRA, to help keep the
conversation easy to find and track.

Can you share the complete stack trace of the AccessControlException?

Can you share a run of 'sysinfo' in a configuration where this occurs?

I don't suppose you've been able to whittle this down to a Minimum
Reproducible Case yet, have you?

thanks,

bryan

On Thu, Jun 6, 2019 at 6:22 AM Besosa, Michael
<[hidden email]> wrote:

>
> We're still interested in ideas about this problem. We are getting occasional AccessControlExceptions in an environment with no SecurityManager installed. This behavior appears to have started when we migrated our application to Java 8. It was never seen prior to that. If there is additional information that would be useful, please let me know.
>
> On Mon, Jun 3, 2019 at 8:17 PM Bryan Pendleton <[hidden email]> wrote:
>>
>> Ah, good point.
>>
>> Yes, I missed that, and yes I was thinking about the network server.
>>
>> Sorry about that.
>>
>> bryan
>>
>> On Mon, Jun 3, 2019 at 8:37 AM Besosa, Michael
>> <[hidden email]> wrote:
>> >
>> > Thinking about it a bit more, I wonder if you missed that this is using the embedded engine, not the network server. I know that the network server installs a security manager by default, and that there is a system property that can be set to disable that behavior. But that's not applicable in our situation.
>> >
>> > On Mon, Jun 3, 2019 at 8:52 AM Besosa, Michael <[hidden email]> wrote:
>> >>
>> >> I don't understand what you mean when you say, "Even if you don't install a Java security manager...you get a security manager anyway." I don't have (haven't installed) a security manager and System.getSecurityManager() returns null. And if I "really, really" don't want a security manager, how can I say so, other than executing System.setSecurityManager(null)?
>> >>
>> >> On Fri, May 31, 2019 at 9:03 PM Bryan Pendleton <[hidden email]> wrote:
>> >>>
>> >>> I feel like you're probably hitting DERBY-6648:
>> >>> https://issues.apache.org/jira/browse/DERBY-6648
>> >>>
>> >>> Even if you don't install a Java security manager (perhaps especially
>> >>> if that is so), you get a security manager anyway.
>> >>>
>> >>> If you really, really don't want a security manager, you can say so.
>> >>>
>> >>> Or, bite the bullet and define a security manager, and start
>> >>> assembling the precise security policy that is right for your
>> >>> particular situation, as in:
>> >>> https://stackoverflow.com/a/52392015/193453 ,
>> >>> https://db.apache.org/derby/docs/10.13/security/csecembeddedperms.html
>> >>> , etc.
>> >>>
>> >>> bryan
>> >>>
>> >>> On Fri, May 31, 2019 at 11:58 AM Besosa, Michael
>> >>> <[hidden email]> wrote:
>> >>> >
>> >>> > We have an application that is using the Derby 10.12.1.1 embedded engine and Java 8. When the app executes the SELECT shown below, we see an exception with the message 'access denied org.apache.derby.security.SystemPermission( "engine", "usederbyinternals" ): java.security.AccessControlException'.
>> >>> >
>> >>> > This application does not install a SecurityManager. I'm at a bit of a loss about how to fix this.
>> >>> >
>> >>> > The query:
>> >>> >
>> >>> > SELECT
>> >>> >         DeliveryEvent.AppointmentStart,
>> >>> >         DeliveryEvent.Attempt,
>> >>> >         DeliveryEvent.BiometricCheckTypeCode,
>> >>> >         DeliveryEvent.CandidateID,
>> >>> >         DeliveryEvent.DeliveryStatus,
>> >>> >         DeliveryEvent.ExamLanguageID,
>> >>> >         DeliveryEvent.HasNoTestListBlock,
>> >>> >         DeliveryEvent.IsDisconnectedIBTDelivery,
>> >>> >         DeliveryEvent.NextAppointmentID,
>> >>> >         DeliveryEvent.ProcessStateCode,
>> >>> >         DeliveryEvent.ProctorID,
>> >>> >         DeliveryEvent.RegisteredExamVersionID,
>> >>> >         DeliveryEvent.RegistrationID,
>> >>> >         DeliveryEvent.SelectedFormID,
>> >>> >         DeliveryEvent.SelectedExamVersionID,
>> >>> >         DeliveryEvent.TerminationDate,
>> >>> >         DeliveryEvent.TimeLimit,
>> >>> >         DeliveryEvent.TimeLimitAdjust,
>> >>> >         Clients.Client_ID AS ClientID,
>> >>> >         Clients.ClientName AS ClientName,
>> >>> >         ExamSeries.Code AS ExamSeriesCode,
>> >>> >         ExamVersion.DriverID AS DriverID,
>> >>> >         ExamLanguage.Title AS TranslatedTitle,
>> >>> >         (SELECT AppUser.FirstName || ' ' || AppUser.LastName FROM ((((((AssetAppUser INNER JOIN AppUser ON AssetAppUser.AppUserID = AppUser.ID) INNER JOIN AssetUsage ON AssetAppUser.AssetID = AssetUsage.AssetID) INNER JOIN Asset ON AssetUsage.AssetID = Asset.ID) INNER JOIN AssetType ON Asset.AssetTypeID = AssetType.ID) INNER JOIN AssetTypeProperty ON AssetType.ID = AssetTypeProperty.AssetTypeID AND AssetTypeProperty.AssetTypePropertyValue = 'Examiner') INNER JOIN AssetTypePropertyKey ON AssetTypeProperty.AssetTypePropertyKeyID = AssetTypePropertyKey.AssetTypePropertyKeyID AND AssetTypePropertyKey.AssetTypePropertyKeyName = 'AssetSubClass') WHERE (AssetUsage.OrderItemID = DeliveryEvent.RegistrationID) FETCH FIRST 1 ROWS ONLY) AS ExaminerName,
>> >>> >         (SELECT Asset.Name FROM ((((Asset INNER JOIN AssetType ON Asset.AssetTypeID = AssetType.ID) INNER JOIN AssetUsage ON Asset.ID = AssetUsage.AssetID) INNER JOIN AssetTypeProperty ON AssetType.ID = AssetTypeProperty.AssetTypeID AND AssetTypeProperty.AssetTypePropertyValue = 'Vehicle') INNER JOIN AssetTypePropertyKey ON AssetTypeProperty.AssetTypePropertyKeyID = AssetTypePropertyKey.AssetTypePropertyKeyID AND AssetTypePropertyKey.AssetTypePropertyKeyName = 'AssetSubClass') WHERE (AssetUsage.OrderItemID = DeliveryEvent.RegistrationID) AND (AssetType.AssetClassCode IN ('Facility','Workstation','CiscoRack','TaskSchedule')) FETCH FIRST 1 ROWS ONLY) AS VehicleName,
>> >>> >         (SELECT COUNT(*) FROM (Accommodation INNER JOIN AccommodationStatus ON Accommodation.AccommodationStatusID = AccommodationStatus.AccommodationStatusID AND AccommodationStatus.StatusCode = 'Granted') WHERE (Accommodation.OrderItemID = DeliveryEvent.RegistrationID)) AS AccommodationCount,
>> >>> >         (SELECT COUNT(*) FROM DeliveryBlockedReason WHERE (DeliveryBlockedReason.DeliveryEventID = DeliveryEvent.RegistrationID)) AS ReasonsBlockedCount,
>> >>> >         (SELECT DeliveryEventNext.RegistrationID FROM DeliveryEvent AS DeliveryEventNext WHERE (DeliveryEvent.RegistrationID = DeliveryEventNext.NextAppointmentID)) AS FirstDayRegistrationID
>> >>> > FROM ((((
>> >>> >         DeliveryEvent
>> >>> >         INNER JOIN ExamLanguage
>> >>> >                 ON DeliveryEvent.ExamLanguageID = ExamLanguage.ID)
>> >>> >         INNER JOIN ExamSeries ON ExamLanguage.ExamSeriesID = ExamSeries.ID)
>> >>> > INNER JOIN Clients
>> >>> > ON ExamSeries.Client_ID = Clients.Client_ID)
>> >>> > LEFT JOIN ExamVersion
>> >>> > ON DeliveryEvent.RegisteredExamVersionID = ExamVersion.ID)
>> >>> > WHERE
>> >>> > (DeliveryEvent.RegistrationID = 5)

Re: AccessControlException with no security manager

Besosa, Michael
I'll open an issue, as you suggest, with the information you requested. And no, I can't provide a minimum reproducible case yet. A problem with doing so is that the behavior appears to be sporadic. I haven't found a way to reproduce it reliably yet.

On Thu, Jun 6, 2019 at 8:15 PM Bryan Pendleton <[hidden email]> wrote:
Probably best to open an issue in the Derby JIRA, to help keep the
conversation easy to find and track.

Can you share the complete stack trace of the AccessControlException?

Can you share a run of 'sysinfo' in a configuration where this occurs?

I don't suppose you've been able to whittle this down to a Minimum
Reproducible Case yet, have you?

thanks,

bryan


Re: AccessControlException with no security manager

Rick Hillegas-3
The check for the usederbyinternals permission is done by SecurityUtil.checkDerbyInternalsPrivilege(). That is the only place we check for that permission. The code itself is guarded by a check for whether a SecurityManager has been installed. That is, the check is ONLY performed when a SecurityManager is installed.

I don't know what to make of the observation that this problem started after upgrading to Java 8. But that might be a useful clue.

On 6/7/19 5:42 AM, Besosa, Michael wrote:
I'll open an issue, as you suggest, with the information you requested. And no, I can't provide a minimum reproducible case yet. A problem with doing so is that the behavior appears to be sporadic. I haven't found a way to reproduce it reliably yet.

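
Since the usederbyinternals check is said above to run only when a SecurityManager is installed, a useful thing to capture with the stack trace is what System.getSecurityManager() returns at the moment the exception is caught. The following is an added diagnostic sketch, not code from Derby or from anyone in this thread; the class and method names are hypothetical and the exception in main() is constructed sample input.

```java
import java.security.AccessControlException;
import java.security.CodeSource;
import java.sql.SQLException;

/** Added diagnostic example; SecurityManagerProbe and its methods are hypothetical names. */
public class SecurityManagerProbe {

    /** Reads a system property without failing if a restrictive SecurityManager forbids it. */
    static String safeProperty(String key) {
        try {
            return String.valueOf(System.getProperty(key));
        } catch (SecurityException e) {
            return "<not readable: " + e.getMessage() + ">";
        }
    }

    /** Describes the SecurityManager installed in the JVM at the time of the call. */
    static String describeSecurityManager() {
        StringBuilder sb = new StringBuilder();
        sb.append("java.security.manager=").append(safeProperty("java.security.manager"));
        sb.append(", java.security.policy=").append(safeProperty("java.security.policy"));
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            // A manager installed only briefly by other code may already be gone,
            // so call this as close to the failure as possible.
            return sb.append(", SecurityManager: none installed right now").toString();
        }
        sb.append(", SecurityManager class=").append(sm.getClass().getName());
        sb.append(", loaded by=").append(sm.getClass().getClassLoader());
        try {
            CodeSource src = sm.getClass().getProtectionDomain().getCodeSource();
            sb.append(", code source=").append(src == null ? "bootstrap" : src.getLocation());
        } catch (SecurityException e) {
            sb.append(", code source=<not readable>");
        }
        return sb.toString();
    }

    /** Searches getCause() and SQLException.getNextException() chains for the denial. */
    static AccessControlException findDenial(Throwable t, int depth) {
        if (t == null || depth > 32) {
            return null; // depth limit guards against cyclic cause chains
        }
        if (t instanceof AccessControlException) {
            return (AccessControlException) t;
        }
        AccessControlException hit = findDenial(t.getCause(), depth + 1);
        if (hit == null && t instanceof SQLException) {
            hit = findDenial(((SQLException) t).getNextException(), depth + 1);
        }
        return hit;
    }

    /** Builds a one-line report to log next to the full stack trace. */
    static String report(Throwable failure) {
        AccessControlException denial = findDenial(failure, 0);
        Thread current = Thread.currentThread();
        StringBuilder sb = new StringBuilder();
        sb.append("thread=").append(current.getName());
        sb.append(", contextClassLoader=").append(current.getContextClassLoader());
        if (denial == null) {
            sb.append(", no AccessControlException in the cause chain");
        } else {
            sb.append(", denied permission=").append(denial.getPermission());
        }
        return sb.append(", ").append(describeSecurityManager()).toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: a real failure would come from the JDBC call
        // that runs the query, caught in the application's own catch block.
        SQLException sample = new SQLException("constructed failure",
                new AccessControlException("access denied (constructed)",
                        new RuntimePermission("constructedPermission")));
        System.out.println("at startup: " + describeSecurityManager());
        System.out.println("on failure: " + report(sample));
    }
}
```

Logging describeSecurityManager() once at startup and report() in the catch block shows whether a manager appears between the two points, and which jar its class was loaded from.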