
Network Server Access Permissions and Java 1.7.0_51


Network Server Access Permissions and Java 1.7.0_51

John I. Moore, Jr.

Java version 1.7.0_51 (latest version) causes the following error when trying to start the network server.  I can see from the issue tracker that there is a fix to be added that should correct this problem in the next release, but is there an easy workaround that exists now?  Details would be appreciated.

 

_________________________________________

 

John I. Moore, Jr.

 

C:\Java\db-derby-10.10.1.1-bin\bin>startNetworkServer.bat

Thu Jan 16 16:34:04 EST 2014 : Security manager installed using the Basic server security policy.

Thu Jan 16 16:34:04 EST 2014 : access denied ("java.net.SocketPermission" "localhost:1527" "listen,resolve")

java.security.AccessControlException: access denied ("java.net.SocketPermission" "localhost:1527" "listen,resolve")

        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)

        at java.security.AccessController.checkPermission(AccessController.java:559)

        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)

        at java.lang.SecurityManager.checkListen(SecurityManager.java:1134)

        at java.net.ServerSocket.bind(ServerSocket.java:375)

        at java.net.ServerSocket.<init>(ServerSocket.java:237)

        at javax.net.DefaultServerSocketFactory.createServerSocket(ServerSocketFactory.java:231)

        at org.apache.derby.impl.drda.NetworkServerControlImpl.createServerSocket(Unknown Source)

        at org.apache.derby.impl.drda.NetworkServerControlImpl.access$000(Unknown Source)

        at org.apache.derby.impl.drda.NetworkServerControlImpl$1.run(Unknown Source)

        at org.apache.derby.impl.drda.NetworkServerControlImpl$1.run(Unknown Source)

        at java.security.AccessController.doPrivileged(Native Method)

        at org.apache.derby.impl.drda.NetworkServerControlImpl.blockingStart(Unknown Source)

        at org.apache.derby.impl.drda.NetworkServerControlImpl.executeWork(Unknown Source)

        at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)

 


Re: Network Server Access Permissions and Java 1.7.0_51

Rick Hillegas
On 1/17/14 7:23 AM, John I. Moore, Jr. wrote:

>
> Java version 1.7.0_51 (latest version) causes the following error when
> trying to start the network server.  I can see from the issue tracker
> that there is a fix to be added that should correct this problem in
> the next release, but is there an easy workaround that exists now?  
> Details would be appreciated.
>
> _________________________________________
>
> John I. Moore, Jr.
>
> C:\Java\db-derby-10.10.1.1-bin\bin>startNetworkServer.bat
>
> Thu Jan 16 16:34:04 EST 2014 : Security manager installed using the
> Basic server security policy.
>
> Thu Jan 16 16:34:04 EST 2014 : access denied
> ("java.net.SocketPermission" "localhost:1527" "listen,resolve")
>
> java.security.AccessControlException: access denied
> ("java.net.SocketPermission" "localhost:1527" "listen,resolve")
>
>         at
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
>
>
>         at
> java.security.AccessController.checkPermission(AccessController.java:559)
>
>         at
> java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
>
>         at
> java.lang.SecurityManager.checkListen(SecurityManager.java:1134)
>
>         at java.net.ServerSocket.bind(ServerSocket.java:375)
>
>         at java.net.ServerSocket.<init>(ServerSocket.java:237)
>
>         at
> javax.net.DefaultServerSocketFactory.createServerSocket(ServerSocketFactory.java:231)
>
>
>         at
> org.apache.derby.impl.drda.NetworkServerControlImpl.createServerSocket(Unknown
> Source)
>
>         at
> org.apache.derby.impl.drda.NetworkServerControlImpl.access$000(Unknown
> Source)
>
>         at
> org.apache.derby.impl.drda.NetworkServerControlImpl$1.run(Unknown Source)
>
>         at
> org.apache.derby.impl.drda.NetworkServerControlImpl$1.run(Unknown Source)
>
>         at java.security.AccessController.doPrivileged(Native Method)
>
>         at
> org.apache.derby.impl.drda.NetworkServerControlImpl.blockingStart(Unknown
> Source)
>
>         at
> org.apache.derby.impl.drda.NetworkServerControlImpl.executeWork(Unknown Source)
>
>
>         at org.apache.derby.drda.NetworkServerControl.main(Unknown
> Source)
>
Hi John,

The release notes for 7u51 should describe this problem and its
solution. The solution is to give the server "listen" permission on the
port where it listens for incoming connection requests. The solution is
described on https://issues.apache.org/jira/browse/DERBY-6438

Hope this helps,
-Rick

Re: Network Server Access Permissions and Java 1.7.0_51

Me
In reply to this post by John I. Moore, Jr.


Sent from my iPhone

On Jan 17, 2014, at 7:23 AM, "John I. Moore, Jr." <[hidden email]> wrote:

Java version 1.7.0_51 (latest version) causes the following error when trying to start the network server.  I can see from the issue tracker that there is a fix to be added that should correct this problem in the next release, but is there an easy workaround that exists now?  Details would be appreciated.

 

_________________________________________

 

John I. Moore, Jr.

 


Hi John, 

Yesterday we also attached releaseNote.html to DERBY_6438 which also describes this workaround: you need to use your own policyfile and start networkserver with
 java -Djava.security.manager -Djava.security.policy=yourpolicyfilename org.apache.derby.drda.NetworkServer start

For your convenience, I attach a copy of the updated default 10.10 policyfile to DERBY-6438 ('1010_server.policy'). You can use that as a starting point.

As an alternative, I guess you *could* mess with the JVM's 'java.policy' file, but I imagine that's not supported by the JVM vendors, or they'd have added it to the workarounds. Plus it will get overwritten by the next JVM update.

I think another alternative is to start networkserver at one of the 'ephemeral' port numbers (i.e. start with java org.apache.derby.drda.NetworkServer -p 50000 start), I tried at port 50000 and that seemed to work. But then you might need to modify your app to use that port number.

Regards,
Myrna

RE: Network Server Access Permissions and Java 1.7.0_51

John I. Moore, Jr.

Thanks to Myrna and Rick for your replies, but I am still having problems.  I have been using derby for several years, but in the past I have used the Windows batch files in the “bin” directory to start/stop the network server.  I tried to follow the guidelines for using derbyrun.jar, but I am still having problems.

 

I copied the policy file 1010_server.policy to a local directory and tried starting the network server from the command line as shown below.  Perhaps I am misunderstanding how to use derbyrun.jar with the policy file, but here is the error that I am seeing now:

 

C:\>java -Djava.security.manager -Djava.security.policy=C:\Java\db-derby\1010_server.policy -jar %DERBY_HOME%\lib\derbyrun.jar server start

Wed Jan 22 07:07:51 EST 2014 : access denied ("java.util.PropertyPermission" "derby.__serverStartedFromCmdLine" "write")

java.security.AccessControlException: access denied ("java.util.PropertyPermission" "derby.__serverStartedFromCmdLine" "write")

        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)

        at java.security.AccessController.checkPermission(AccessController.java:559)

        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)

        at java.lang.System.setProperty(System.java:783)

        at org.apache.derby.drda.NetworkServerControl$1.run(Unknown Source)

        at org.apache.derby.drda.NetworkServerControl$1.run(Unknown Source)

        at java.security.AccessController.doPrivileged(Native Method)

        at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)

        at org.apache.derby.iapi.tools.run.main(Unknown Source)

 

Any advice on how to proceed will be appreciated.

 

_________________________________________

 

John I. Moore, Jr.

SoftMoore Consulting

 

email:  [hidden email]

cell:   843-906-7887

 

From: Myrna van Lunteren [mailto:[hidden email]]
Sent: Friday, January 17, 2014 1:32 PM
To: Derby Discussion
Subject: Re: Network Server Access Permissions and Java 1.7.0_51

 



Sent from my iPhone


On Jan 17, 2014, at 7:23 AM, "John I. Moore, Jr." <[hidden email]> wrote:

Java version 1.7.0_51 (latest version) causes the following error when trying to start the network server.  I can see from the issue tracker that there is a fix to be added that should correct this problem in the next release, but is there an easy workaround that exists now?  Details would be appreciated.

 

_________________________________________

 

John I. Moore, Jr.

 

 

Hi John, 

 

Yesterday we also attached releaseNote.html to DERBY_6438 which also describes this workaround: you need to use your own policyfile and start networkserver with
 java -Djava.security.manager -Djava.security.policy=yourpolicyfilename org.apache.derby.drda.NetworkServer start

For your convenience, I attach a copy of the updated default 10.10 policyfile to DERBY-6438 ('1010_server.policy'). You can use that as a starting point.

 

As an alternative, I guess you *could* mess with the JVM's 'java.policy' file, but I imagine that's not supported by the JVM vendors, or they'd have added it to the workarounds. Plus it will get overwritten by the next JVM update.

I think another alternative is to start networkserver at one of the 'ephemeral' port numbers (i.e. start with java org.apache.derby.drda.NetworkServer -p 50000 start), I tried at port 50000 and that seemed to work. But then you might need to modify your app to use that port number.

 

Regards,
Myrna


Re: Network Server Access Permissions and Java 1.7.0_51

Rick Hillegas
On 1/22/14 4:18 AM, John I. Moore, Jr. wrote:
> -Djava.security.manager
> -Djava.security.policy=C:\Java\db-derby\1010_server.policy
Hi John,

I am able to reproduce the results you are seeing. I have updated the
1010_server.policy attached to
https://issues.apache.org/jira/browse/DERBY-6438. The new version
includes an extra block of permissions needed when running on JDK 7 and
higher. Using the new version of 1010_server.policy, I can boot a server
on Java 1.8.0-ea-b121.

Hope this helps,
-Rick
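
Added example (not part of the original thread and not Derby project code): a small Python helper that turns the "access denied" lines quoted in this thread into candidate `permission` entries for a custom policy file, scoped to a single codeBase so that each entry can be reviewed before it is granted. The codeBase URL is a placeholder, the function names are hypothetical, and the sample log is the set of denial lines from the two failures above.

```python
import re
from collections import OrderedDict

# Denial lines taken from the two startup failures quoted in this thread.
SAMPLE_LOG = '''\
Thu Jan 16 16:34:04 EST 2014 : access denied ("java.net.SocketPermission" "localhost:1527" "listen,resolve")
java.security.AccessControlException: access denied ("java.net.SocketPermission" "localhost:1527" "listen,resolve")
Wed Jan 22 07:07:51 EST 2014 : access denied ("java.util.PropertyPermission" "derby.__serverStartedFromCmdLine" "write")
'''

# Shape of the message: access denied ("<class>" "<target>" ["<actions>"])
DENIED = re.compile(r'access denied \("([\w.$]+)" "([^"]*)"(?: "([^"]*)")?\)')

def denied_permissions(log_text):
    """Return unique (class, target, actions) tuples in first-seen order."""
    seen = OrderedDict()
    for m in DENIED.finditer(log_text):
        seen.setdefault((m.group(1), m.group(2), m.group(3)), None)
    return list(seen)

def policy_entry(perm):
    """Format one denial as a policy-file permission entry."""
    cls, target, actions = perm
    # Policy files treat backslash as an escape, so double it (Windows paths).
    target = target.replace("\\", "\\\\")
    if actions:
        return 'permission %s "%s", "%s";' % (cls, target, actions)
    return 'permission %s "%s";' % (cls, target)

def grant_block(log_text, code_base):
    """Build a grant block scoped to one codeBase, never a global grant."""
    lines = ['grant codeBase "%s" {' % code_base]
    lines += ["  " + policy_entry(p) for p in denied_permissions(log_text)]
    lines.append("};")
    return "\n".join(lines)

if __name__ == "__main__":
    # Placeholder codeBase (assumption): point it at the jar that needs the grant.
    print(grant_block(SAMPLE_LOG, "file:/PLACEHOLDER/path/to/server.jar"))
```

The denial reports "listen,resolve" because that is the permission the JVM checked; the entry is a candidate to review against the updated 1010_server.policy attached to DERBY-6438, not a replacement for it.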